
BitLocker Fails to Turn On or Prompts for the Recovery Key When Rebooting With Windows 10, UEFI, and the TPM 1.2 Firmware

Summary: Resolving an issue where BitLocker does not turn on or asks for the recovery key with Windows 10, UEFI, and TPM 1.2.


Symptoms


On Dell systems with Windows 10 installed and configured for UEFI BIOS mode, BitLocker may fail to turn on or may prompt for the recovery key when the system is rebooted. This can occur when the system is also unable to support the TPM firmware flash from version 1.2 to version 2.0. The resolution covered in this article can be used to configure BitLocker to work with the TPM 1.2 firmware on Dell systems that support Windows 10/UEFI and that do not support the firmware upgrade to TPM 2.0.


BitLocker Fails to turn on or prompts for the Recovery Key after every reboot with Windows 10, UEFI, and the TPM 1.2 Firmware

The Latitude 12 Rugged (7202) is an example of a tablet that ships with Windows 10/UEFI and the TPM 1.2 firmware. By default, BitLocker does not work in this configuration and this platform does not support TPM 1.2<->2.0 mode changes. The resolution below has been tested for the 7202 and allows the use of BitLocker with TPM 1.2 in UEFI mode by changing the PCR indexes in the BitLocker profile to the default UEFI selections.

NOTE: PCR (Platform Configuration Register) settings secure the BitLocker encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The default values in the BitLocker profile are different for UEFI and standard BIOS.

Some other system models ship with a Windows 7 downgrade and the TPM 1.2 firmware and fully support the upgrade to Windows 10, yet do not allow TPM 1.2<->2.0 mode changes.

NOTE: While BitLocker may work in Legacy boot mode with the TPM 1.2 firmware, Dell continues to recommend and ship Windows 10 in UEFI from the factory.

 

Cause

Not Applicable

Resolution

Steps to resolve the issue

  1. Disable BitLocker from the Manage BitLocker pane if enabled and wait for decryption to complete:
    • Click Start and type manage BitLocker and select the top search result (Figure 1):

      Figure 1: Manage BitLocker search results

    • From the BitLocker Drive Encryption Control Panel pane, select Turn off BitLocker (Figure 2):

      Figure 2: BitLocker Drive Encryption Control Panel

    • Click Turn off BitLocker to confirm (Figure 3):

      Figure 3: Turn off BitLocker confirmation

  2. Go to Start and search for gpedit.msc and click the top search result to open the Local Group Policy Editor in a new window.
  3. In the left column browse to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives (Figure 4):

    Figure 4: Operating System Drives folder

  4. Then on the right side, double-click Configure TPM platform validation profile to open up the configuration (Figure 5):

    Figure 5: Configure TPM platform validation profile setting

  5. Select the radio button that says Enabled.
  6. Clear all PCRs except 0, 2, 4, and 11 (Figure 6):

    Figure 6: Enabled PCR settings

    NOTE: BitLocker must be disabled before changing the PCR values. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console.
  7. Select Apply and OK to close out gpedit.
  8. Turn on BitLocker and reboot after encryption finishes.
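
To confirm after step 8 that the TPM protector was sealed to the PCRs selected in step 6, the added example below (not part of the original Dell article) parses the output of `manage-bde -protectors -get` and compares the reported PCR validation profile against 0, 2, 4, and 11. The function names `Get-PcrProfile` and `Test-PcrProfile` are hypothetical, the sample output is constructed, and the parser assumes English-language `manage-bde` output.

```powershell
# Added example: check the PCR validation profile reported by manage-bde.
# Assumption: English-language output, with the PCR list on the line
# following the "PCR Validation Profile:" label.
$ExpectedPcrs = 0, 2, 4, 11   # the selection from step 6

function Get-PcrProfile {
    param([string[]]$ManageBdeOutput)
    for ($i = 0; $i -lt $ManageBdeOutput.Count - 1; $i++) {
        # Read only the leading comma-separated numbers; ignore trailing text.
        if ($ManageBdeOutput[$i] -match 'PCR Validation Profile:' -and
            $ManageBdeOutput[$i + 1] -match '^\s*(\d+(?:\s*,\s*\d+)*)') {
            return $Matches[1] -split '\s*,\s*' | ForEach-Object { [int]$_ }
        }
    }
    # Nothing is returned when no TPM protector (or no profile line) exists.
}

function Test-PcrProfile {
    param([string[]]$ManageBdeOutput, [int[]]$Expected = $ExpectedPcrs)
    $actual  = @(Get-PcrProfile $ManageBdeOutput)
    $missing = @($Expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $Expected })
    [pscustomobject]@{
        Actual  = $actual  -join ', '
        Missing = $missing -join ', '   # expected PCRs not in the profile
        Extra   = $extra   -join ', '   # PCRs in the profile that step 6 cleared
        Match   = ($actual.Count -gt 0 -and
                   $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Constructed sample of manage-bde output (not captured from a real system).
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 11
'@ -split "`r?`n"

Test-PcrProfile $sample

# On a live system, from an elevated PowerShell prompt:
# Test-PcrProfile (manage-bde -protectors -get C:)
```

A `Match` value of `False` with entries under `Extra` means the protector was created before the policy change took effect; the protector picks up the new profile only when BitLocker is turned on again after the policy is applied.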

Additional Information

Affected Products

Latitude 7202 Rugged Tablet, OptiPlex 7010 (End of Life), Precision T1700
Article Properties
Article Number: 000129334
Article Type: Solution
Last Modified: 03 Jan 2024
Version: 7