Bitlocker Recovery Key required at every startup after bios update

Question

I just wanted to post here to help someone else that might be experiencing this problem. My son's Inspiron 15 7000 automatically updated the bios to 1.5.1. After the update, the laptop asked for the Bitlocker recovery key when starting up the laptop. Luckily, I found the key by logging online to my son's Microsoft Account and looking under Devices.  I entered the key and the laptop booted up successfully. Annoyingly, it would continuously ask for the key at each start up.  I looked through the forums and I found these instructions below. I think if you are experiencing this problem it is worthwhile going into your bios and following these instructions. Restart the system. At the Dell Logo keep tapping F2. You will enter the BIOS screen Under General Select  Boot Sequence. Select  UEFI Select  Apply. Under 'Security' select TPM 2.0 Security  or PTT Select  Enable and click on Apply. Under 'Secure Boot' Select  Secure Boot Enable Select  Enable. Click on Apply. Once these steps are done, restart the system and let us know if you are able to boot into Windows. Unfortunately, the above solution didn't work for me because I had everything in the list enabled already. This is what finally worked for me. I disabled Secure Boot under Boot Options. Then restarted and entered the Bitlocker recovery key and booted up. I then restarted the laptop and pressed F2 to boot into the bios. I re-enabled the Secure Boot option, saved the changes and started up the laptop. This finally worked! I am no longer asked for the recovery key.  Good luck to everyone that has this problem. It is incredibly frustrating and there is not much help from Dell or Microsoft.

jphughan · Answer

@Soho88 Not really sure why that worked, because it shouldn't have. Seeing a Recovery Key prompt the FIRST time after a BIOS update is expected because the way BitLocker works with TPMs is that the decryption key is stored in the TPM, but the TPM will only release it if it determines that nothing about the hardware or firmware environment has changed that might indicate an attempt to compromise the key. If it detects certain types of changes -- including a change to the BIOS version -- it will refuse to release the key, which is why you need the Recovery Key at that point. But if you enter the correct key, the system is supposed to "re-seal" against the new hardware/firmware environment and trust it going forward. The fact that you saw it every time suggests that somehow the TPM wasn't getting updated properly. But UEFI Secure Boot has absolutely nothing to do with a TPM. Secure Boot makes sure that the OS bootloader file that your system starts from came from a trusted publisher (like Microsoft) and has not been altered since Microsoft digitally signed it. That is a useful anti-rootkit security mechanism and therefore is something you should leave on unless you need to run an OS that doesn't support Secure Boot -- but Windows has since Windows 8.

Again, I'm not sure why toggling Secure Boot mattered in this case, but I'm also not sure why the persistent Recovery Key prompt occurred either.

But for future reference, the much simpler way to deal with this is to suspend (not disable) BitLocker before performing a BIOS update. If you install a BIOS update through Dell Update, this option is enabled by default specifically to avoid this issue. Suspending BitLocker means that for only the NEXT reboot, it will be possible to decrypt the drive without the TPM having to provide the key, and if the TPM needs to "re-seal" against a different hardware/firmware environment, that will happen automatically during that single boot. So that way you don't even need to enter the Recovery Key that first time after a BIOS update.

VileRebis · Answer

Thank you so much. You are a lifesaver.

Inspiron

Was this post helpful?