Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device
This article provides workarounds for the issue in which you're prompted for the BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on a Surface device.

Applies to: Surface Studio 1, Surface Pro 4, Surface Pro 3, Surface Book, Surface Laptop (1st Gen), Surface Pro (5th Gen), Surface Book 2 - 13 inch, Surface Pro with LTE Advanced, Surface Book 2 - 15 inch
Original KB number: 4057282

Important: This article contains information that shows you how to lower security settings or turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, evaluate the risks associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms
You encounter one or more of the following symptoms on your Surface device:
Cause
This behavior can occur in the following scenario:
Note: You can verify the PCR values that are in use on a device by running the following command from an elevated command prompt:
PCR 7 is a requirement for devices that support Connected Standby (also known as InstantGo or Always On, Always Connected PCs), including Surface devices. On such systems, if the TPM with PCR 7 and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. PCR 7 measures the Secure Boot policy rather than the firmware code itself, so a protector bound to PCR 7 and PCR 11 stays valid across a UEFI firmware update, whereas a validation profile that includes PCR 0 (which measures the firmware code) is invalidated by the update and forces recovery. For more information, see "About the Platform Configuration Register (PCR)" at BitLocker group policy settings.

Workaround
Warning: BitLocker Drive Encryption helps you protect your organization's sensitive information by encrypting the data. This workaround, which temporarily disables BitLocker, may put the data at risk. We do not recommend this workaround but are providing this information so that you can implement it at your own discretion. Use this workaround at your own risk.

Method 1: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario by temporarily suspending BitLocker with the Suspend-BitLocker cmdlet before you apply updates to TPM or UEFI firmware.

Note: TPM and UEFI firmware updates may require multiple reboots during installation. So BitLocker must be suspended through the Suspend-BitLocker cmdlet, using the

To suspend BitLocker for installation of TPM or UEFI firmware updates:
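The PCR check and the suspend-then-resume sequence described above, as an added PowerShell example. This is not the article's own command list; it assumes an elevated PowerShell session, that the operating system drive is C:, and that the BitLocker PowerShell module is available (Windows 8 and later). The two function names are this example's own; manage-bde, Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker and Confirm-SecureBootUEFI are the built-in commands.

```powershell
# Added example, not from the original KB article. Assumptions: elevated
# PowerShell, OS drive is C: (adjust if different), BitLocker module present.

function Suspend-ForFirmwareUpdate {
    param([string]$Drive = 'C:')   # drive letter is an assumption for this example

    # Secure Boot must be on for a PCR 7 binding to be possible at all (see Method 2).
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; BitLocker cannot bind to PCR 7 on this device.'
    }

    # Show the PCR validation profile of the TPM protector. On a correctly
    # configured Surface it should list PCR 7 and PCR 11; a profile that
    # includes PCR 0 (firmware code) will fail after a UEFI firmware update.
    manage-bde -protectors -get $Drive

    $volume = Get-BitLockerVolume -MountPoint $Drive

    # A backed-up recovery password is the only way back in if the TPM
    # protector is invalidated anyway, so refuse to continue without one.
    $recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "No recovery password protector on $Drive. Add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up first."
    }

    if ($volume.ProtectionStatus -eq 'On') {
        # RebootCount 0 keeps protection suspended until Resume-BitLocker runs,
        # across every reboot the TPM/UEFI update performs. The default (1)
        # re-arms protection after the first reboot, mid-update, and would
        # trigger the recovery prompt this article is about.
        Suspend-BitLocker -MountPoint $Drive -RebootCount 0 | Out-Null
    }

    $status = (Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus
    if ($status -ne 'Off') {
        throw "BitLocker protection on $Drive is still '$status'; do not install the firmware update yet."
    }
    Write-Host "BitLocker suspended on $Drive. Install the TPM/UEFI firmware update and let all reboots complete."
}

function Resume-AfterFirmwareUpdate {
    param([string]$Drive = 'C:')

    # Re-enable protection once Windows has booted normally after the update.
    # The TPM re-seals the volume master key to the new firmware measurements,
    # so later boots do not prompt for the recovery key.
    Resume-BitLocker -MountPoint $Drive | Out-Null

    $status = (Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus
    if ($status -ne 'On') {
        throw "BitLocker protection on $Drive is '$status' after resume; investigate before leaving the device."
    }
    manage-bde -protectors -get $Drive   # confirm the PCR profile is unchanged
}

# Before the firmware update:
Suspend-ForFirmwareUpdate -Drive 'C:'

# After the update has finished and Windows is back:
# Resume-AfterFirmwareUpdate -Drive 'C:'
```

Run the first function before starting the firmware installer and the second only after the last reboot of the update has completed; resuming in between would re-arm the TPM protector against intermediate measurements.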
Method 2: Enable Secure Boot and restore default PCR values
We strongly recommend that you restore the default and recommended configuration of Secure Boot and PCR values after BitLocker is suspended, to prevent entering BitLocker Recovery when applying future updates to TPM or UEFI firmware.

To enable Secure Boot on a Surface device that has BitLocker enabled:
To change the PCR values used to validate BitLocker Drive Encryption:
Method 3: Remove protectors from the boot drive
If you have installed a TPM or UEFI update and your device is unable to boot, even when the correct BitLocker recovery key is entered, you can restore the ability to boot by using the BitLocker recovery key and a Surface recovery image to remove the BitLocker protectors from the boot drive.

To remove the protectors from the boot drive by using your BitLocker recovery key:
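The unlock-and-disable procedure, as an added example rather than the article's own step list. It runs from the command prompt of the Surface recovery environment and assumes the operating system volume appears as C: there (drive letters can differ from a normal boot, so the example checks first); the recovery password shown is a constructed placeholder to be replaced with your own 48-digit key.

```powershell
# Added example, not from the original KB article. Run from the recovery
# environment's command prompt. manage-bde.exe is the built-in tool; the drive
# letter and the recovery password below are assumptions / placeholders.
$OsDrive = 'C:'
$RecoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888'  # placeholder, constructed

# 1. List all volumes and confirm which letter the locked OS volume has in
#    the recovery environment before unlocking anything.
manage-bde -status

# 2. Unlock the OS volume with the recovery password. This path does not use
#    the TPM, so it works even though the TPM protector no longer validates.
manage-bde -unlock $OsDrive -RecoveryPassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) {
    throw "Unlock of $OsDrive failed; check the drive letter and the recovery password."
}

# 3. Disable the protectors. The data stays encrypted, but the volume master
#    key is now stored unprotected on the disk, so the device boots without a
#    TPM or recovery-key check. Protection must be resumed once Windows boots.
manage-bde -protectors -disable $OsDrive
if ($LASTEXITCODE -ne 0) {
    throw "Disabling protectors on $OsDrive failed."
}

# 4. Verify that protection now reports as off, then restart the device.
manage-bde -status $OsDrive
```

If the recovery environment offers only cmd.exe, run the three manage-bde commands directly with the drive letter and key substituted; they behave identically. After Windows boots, resume protection (Manage BitLocker in Control Panel, or manage-bde -protectors -enable) so the volume master key is sealed to the TPM again.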
Note: After disabling the BitLocker protectors on your boot drive, your device is no longer protected by BitLocker Drive Encryption, even though the data on the drive remains encrypted. You can re-enable BitLocker by selecting Start, typing Manage BitLocker, and pressing Enter to open the BitLocker Drive Encryption Control Panel applet, then following the steps to resume protection for your drive.

Method 4: Recover data and reset your device with Surface Bare Metal Recovery (BMR)
To recover data from your Surface device if you are unable to boot into Windows:
To reset your device by using a Surface recovery image, follow the instructions in "How to reset your Surface using your USB recovery drive" at Creating and using a USB recovery drive.