BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery
Symptom:
When you boot into your PC, you are presented with the BitLocker recovery screen. You see a screen that says “Preparing BitLocker recovery …” followed by a recovery key entry screen. After you enter the recovery key correctly, you are shown an error “The TPM is defending against dictionary attacks and is in a time-out period”. You hit continue and the system reboots to the BitLocker recovery screen again.
Cause:
In order to provide secure access to your PC, TPM will lock itself out after a few incorrect authentication attempts. These could be due to incorrect PIN entry for BitLocker or incorrect PIN entry for TPM virtual smartcard PIN. For TPM version 1.2, the lockout behavior depends on individual TPM manufacturer. For TPM 2.0, the specification states that the TPM will enter lockout after 32 incorrect attempts.
On a slate PC, BitLocker recovery experience is presented in the Windows Recovery Environment which supports touch. However, since Windows Recovery Environment (WinRE) is a separate operating system from Windows itself when a PC is in TPM lockout, it will boot into WinRE to enable you to enter recovery key. Once the correct recovery key is entered, the system will attempt to boot into Windows which will fail if the TPM is still in lockout, and subsequently results in another BitLocker recovery screen.
Workaround:
To terminate this BitLocker recovery loop, you need to suspend BitLocker from within WinRE. To do so, use the following steps:
- Choose the “Skip this drive” link at the bottom of the page where you are asked to enter the recovery key. You should be presented with a menu that will let you get to a command prompt (The sequence is Advanced options -> Troubleshoot -> Advanced options -> Command prompt).
- Once you have a command prompt, use the following command to check the BitLocker status of the C: drive:
- manage-bde -status c:
- If the status is returned as locked, you’ll need to use the following command to unlock it using your recovery password:
- manage-bde -unlock c: -rp <your 48-digit recovery password>
- Once the drive is unlocked you’ll need to use the following command to suspend protection:
- manage-bde -protectors -disable c:
- Then exit and reboot. The computer should now successfully boot Windows. Once there, use the BitLocker control panel to resume BitLocker protection.
You can reset TPM lockout using tpm.msc. Note that the recovery loop can occur for other reasons such as cases where TPM is disabled or malfunctions. You can still use the above steps to suspend BitLocker and boot Windows in such cases.