BitLocker requests recovery key every boot Windows 7
A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed.
For more information, see BitLocker Group Policy settings.

What causes BitLocker recovery?

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode.
- Failing to boot from a network drive before booting from the hard drive.
- Turning off, disabling, deactivating, or clearing the TPM.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Failing the TPM self-test.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.

Testing recovery

Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password).
To force a recovery for the local computer

Click the Start button, type cmd in the Start Search box, right-click cmd.

Planning your recovery process

When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. When you determine your recovery process, you should:

- Become familiar with how you can retrieve the recovery password. See:
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:

Self-recovery

In some cases, users might have the recovery password in a printout or on a USB flash drive and can perform self-recovery.

Recovery password retrieval

If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source.
Select the Do not enable BitLocker until recovery information is stored in AD DS check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.

Record the name of the user's computer

You can use the name of the user's computer to locate the recovery password in AD DS.

Verify the user's identity

You should verify that the person who is asking for the recovery password is truly the authorized user of that computer.

Multiple recovery passwords

If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.

Gather information to determine why recovery occurred

Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis.

Give the user the recovery password

Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer.

Post-recovery analysis

When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. See:

Determine the root cause of the recovery

If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible.
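The helpdesk retrieval steps above (locate the computer object, pick the right one of several stored passwords, hand over the 48-digit password) as a script. This is an added example, not code from the page or from Microsoft; it assumes the ActiveDirectory RSAT module and read access to the msFVE-RecoveryInformation objects, and the function and parameter names are this example's own.

```powershell
# Added example, not from the page or from Microsoft's documentation: a helpdesk
# lookup of BitLocker recovery passwords stored under a computer object in AD DS.
# Assumes the ActiveDirectory RSAT module and read access to the
# msFVE-RecoveryInformation objects (the function and parameter names are this
# example's own; the class and attribute names are the real AD schema names).
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: the first characters of the Recovery Key ID shown on the user's
        # recovery screen, so the right password is picked when several exist.
        [string] $KeyIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery objects are children of the computer object. Their name embeds the
    # creation date and the recovery GUID, which is why several can coexist and
    # why the page says to look at the date (or, here, at the key ID).
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', whenCreated

    foreach ($o in ($objects | Sort-Object whenCreated -Descending)) {
        # Assumption: the object name has the form "<date>{<GUID>}".
        $keyId = if ($o.Name -match '\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { '' }
        if ($KeyIdPrefix -and -not $keyId.StartsWith($KeyIdPrefix, 'OrdinalIgnoreCase')) {
            continue
        }
        [pscustomobject]@{
            Computer         = $ComputerName
            Created          = $o.whenCreated
            KeyId            = $keyId
            RecoveryPassword = $o.'msFVE-RecoveryPassword'   # the 48-digit password
        }
    }
}

# Usage (only after verifying the caller's identity, as the page requires);
# the computer name and key ID prefix are constructed sample values:
# Get-BitLockerRecoveryFromAD -ComputerName 'WKS-0421' -KeyIdPrefix 'A1B2C3D4'
```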
- Did the user merely forget the PIN or lose the startup key?
- If a token was lost, where might the token be?
- If TPM mode was in effect, was recovery caused by a boot file change?
- If recovery was caused by a boot file change, is this due to an intended user action (for example, a BIOS upgrade), or to malicious software?
- When was the user last able to start the computer successfully, and what might have happened to the computer since then?
- Might the user have encountered malicious software or left the computer unattended since the last successful startup?

Resolve the root cause

After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.
To prevent continued recovery due to an unknown PIN

Unlock the computer using the recovery password. If you are not logged in with an administrator account, you must provide administrative credentials at this time.

You will use the new PIN the next time you unlock the drive.

Lost startup key

If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key.

To prevent continued recovery due to a lost startup key

Log on as an administrator to the computer that has the lost startup key. Open Manage BitLocker. Click Duplicate startup key, insert the clean USB drive on which you are going to write the key, and then click Save.

Changes to boot files

This error might occur if you updated the firmware.

Using additional recovery information

Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory.
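For the "Changes to boot files" case and the recovery-on-every-boot symptom this page is about, the following added example (not code from the page or from Microsoft) shows what an administrator would check on the affected machine: the protectors and PCR validation profile on the OS volume, the BitLocker events the page says are logged, and a suspend/resume wrapper so a firmware update does not force recovery again. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later; manage-bde itself also exists on Vista and 7), and the function names are this example's own.

```powershell
# Added example, not from the page or from Microsoft's documentation: run as an
# administrator on the machine that keeps entering recovery. Assumes the BitLocker
# PowerShell module (Windows 8 / Server 2012 or later); manage-bde itself also exists
# on Windows Vista and 7. Function names are this example's own.

function Get-BitLockerBootDiagnostics {
    param([string] $MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # manage-bde lists the TPM protector's PCR validation profile. Assumption: the
    # register list is printed on the line after the "PCR Validation Profile:" header.
    # Registers that measure option ROMs or the boot manager explain recovery after
    # every firmware or boot file change.
    $lines = @(manage-bde -protectors -get $MountPoint)
    $pcr = $null
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') { $pcr = $lines[$i + 1].Trim(); break }
    }

    # Recent BitLocker management events; the page notes that a recovery-password
    # unlock is written to the event log. Assumption: this is the log's channel name.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-7)
    } | Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Volume     = $MountPoint
        Protection = $vol.ProtectionStatus          # On / Off (Off = suspended)
        Protectors = $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
        PcrProfile = $pcr
        Events     = $events
    }
}

function Invoke-FirmwareUpdateWithBitLockerSuspended {
    # Suspending for one reboot keeps the data encrypted but lets the post-update
    # measurements be re-sealed on the next boot instead of forcing recovery;
    # protection resumes automatically after that reboot (-RebootCount 1).
    param([Parameter(Mandatory)] [scriptblock] $Update, [string] $MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
    try {
        & $Update      # the vendor's firmware updater, which usually schedules the reboot
    } catch {
        Resume-BitLocker -MountPoint $MountPoint   # update failed: re-arm protection now
        throw
    }
}
```

A PcrProfile that includes registers changed by the update you just applied, or an Off protection status that was never resumed, is the usual answer to "why every boot?".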
Windows Vista Security.

You must supply a BitLocker recovery password to start this system. Confirm that the boot changes to this system are authorized. Otherwise, restore the system boot information.

According to the BitLocker FAQ, one of the following should trigger the message I'm getting: Unauthorized changing of the BIOS, master boot record (MBR), boot sector, boot manager, or other early boot components would cause a failure in the integrity checks and keep the TPM-protected key from being released.

None of that has happened. Any suggestions? Thanks in advance.

Monday, February 12, PM.

Thursday, March 15, PM.

What other software is on your system other than Windows? AV, disk utilities, and other stuff.

Tuesday, February 13, PM.

Any thoughts on what to try?

Sunday, February 18, AM.

Same problem here with a Vaio SZP. Requests key on every boot. Have tried everything MS suggests. Would love to hear if anyone finds a solution.

Saturday, March 3, PM.

Tuesday, March 6, AM.

Tuesday, March 6, PM.

I have a SZP and I did a full wipe. I am trying to exclude boot file scans now.

Zebedee

Same for me. I left the Sony recovery partition there and used the Vista Ultimate tool to repartition the drive. I naively assumed if the tool ran without error then the partitioning was okay for BitLocker. Do folks think it is really necessary to remove the recovery partition?

Friday, March 9, PM.

Saturday, March 10, AM.

You don't have to have the entire hard drive encrypted to test that. Just start encrypting it, then pause encryption, then reboot and test.

Sunday, March 11, PM.

I tested all of them. If this solves your problem please post in the thread. Thanks, Daniel.

Update: I hibernated the system, and now it's asking me for the key again :( This is getting rather tedious!

Monday, March 12, PM.

I too am having the same problem with recovery at every reboot. A couple of updates on this.

Tuesday, March 13, AM.

Mr Zebedee, I'd be really grateful if you could explain how to disable the PCR settings since I'd like to try this fix too. It's a real pain having to enter the BitLocker recovery key every reboot. Thanks, Mr.
Click "Yes".

Step 8. This may take several minutes, so please be patient.

Step 9.

Step: The encryption process could take a long time to finish depending on the size of the drive, so please be patient. If you don't want to wait until the encryption operation is finished, the "Shut down the computer when the operation is completed" option is a good idea. Just check it.