← Windows boot error index

BitLocker Recovery Key Loop After an Update: How to Unlock and Boot

You need your 48-digit BitLocker recovery key. There is no way around it. If you don't have it, sign in at account.microsoft.com/devices/recoverykey (personal accounts) or ask your IT admin / check Azure AD / Active Directory (work devices). Without the key the data is unrecoverable by design — that is what BitLocker is for.
The fast answer. After certain Windows or Secure Boot updates, the TPM measurement (PCR profile) changes and BitLocker can ask for the recovery key on every boot. First, type your 48-digit recovery key at the blue screen to get in. If it loops on every restart, stop the loop by re-binding the TPM protector from an admin Command Prompt inside Windows (or WinRE):
manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm
This removes the stale TPM binding and creates a fresh one tied to the new firmware measurements. Reboot — it should boot straight to Windows.

Why this happens

BitLocker seals the drive's key to the TPM and validates boot-time measurements (PCR values), including Secure Boot state (PCR7) and firmware configuration. A Windows cumulative update, a UEFI/firmware update, a Secure Boot certificate update, or a BIOS change alters those measurements. BitLocker sees the change as a possible tamper and falls back to recovery mode. Normally this is a one-time prompt; if the configuration keeps the TPM binding in a state BitLocker doesn't trust, it loops.

Step-by-step fix

Step 1 — Get in with the recovery key

At the BitLocker recovery screen, type your 48-digit recovery key to boot into Windows this one time. If you can't reach Windows, you can also unlock from WinRE — see Step 4.

Step 2 — Re-bind the TPM protector (stops the loop)

Open Command Prompt as Administrator in Windows and run:

manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm

Confirm protection and a healthy TPM protector:

manage-bde -status C:
manage-bde -protectors -get C:

Reboot and test. This re-seals the key to the current, post-update TPM measurements.

Step 3 — Alternative: suspend and resume protection

If re-binding alone doesn't hold, suspend BitLocker, let it re-seal on the next boot, then resume:

manage-bde -protectors -disable C: -RebootCount 1
manage-bde -protectors -enable C:

Suspending temporarily stores the key unsealed so the next boot doesn't prompt; enabling re-protects it against the new measurements.

Step 4 — If Windows won't start at all: unlock in WinRE

Boot a Windows install USB → Repair your computer → Troubleshoot → Advanced options → Command Prompt, then unlock the drive with your recovery password (the 48-digit key):

manage-bde -unlock C: -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456

Replace the digits with your real 48-digit key and C: with the BitLocker drive letter shown in WinRE. Once unlocked you can run Startup Repair or the re-bind commands above. To stop the recovery prompt while you repair other boot issues, you can also fully decrypt-pause by suspending: manage-bde -protectors -disable C: (re-enable when done).

Step 5 — Address the root cause

If the loop traces to a specific bad update, uninstall it from WinRE → Advanced options → Uninstall Updates. On managed machines, the Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" (PCR7 handling) can drive these loops — have IT review it. Keep your recovery key saved before re-applying firmware/Secure Boot updates.

Data safety: Do not run format, clean, or a fresh Windows install to "get past" BitLocker — that destroys the encrypted data permanently. The only legitimate way in is the recovery key. Keep a copy of the 48-digit key in a safe place before applying BIOS/firmware/Secure Boot updates, since those are exactly what trigger the prompt.
GRAM tip: Once you're past the recovery prompt and back at the desktop, plug in GRAM — a free portable repair toolkit that runs from a USB inside Windows. Its diagnostics show exactly which update or firmware change triggered the loop, and the AI agent can walk the manage-bde re-bind commands with you so the prompt doesn't come back.
Download GRAM free See AI pricing →

FAQ

Can I fix this without a second working computer?

Yes — as long as you have your recovery key. You can unlock and re-bind entirely from Windows Recovery on the affected PC, or from the desktop once the key gets you in; no second computer is needed. What no tool can do is bypass BitLocker without the 48-digit key.

I lost my BitLocker recovery key — can I still get in?

Only if it's stored somewhere. Check account.microsoft.com/devices/recoverykey for personal Microsoft accounts, or your organization's Azure AD / Active Directory / Intune (or ask IT) for work devices. Without the key, the data cannot be recovered — that is BitLocker working as designed, not a fault to defeat.

Why did an update trigger the recovery prompt?

BitLocker ties the drive key to TPM boot measurements including Secure Boot state (PCR7). A Windows, firmware, BIOS, or Secure Boot update changes those measurements, so BitLocker drops to recovery as a tamper safeguard. Re-binding the TPM protector re-seals the key to the new, trusted measurements.

Is it safe to suspend BitLocker to stop the loop?

Temporarily, yes. manage-bde -protectors -disable C: keeps the data encrypted but stores the key unsealed so boot doesn't prompt — useful while you repair. Re-enable protection with manage-bde -protectors -enable C: as soon as you're done so the drive isn't left effectively unlocked.

Related: 0xc000000e boot error · INACCESSIBLE_BOOT_DEVICE · All Windows boot error codes