Why BitLocker Drive Encryption might block your computer from starting

If you use BitLocker Drive Encryption on a computer that has version 1.2 or higher of the Trusted Platform Module (TPM) security hardware (a special microchip in some newer computers that supports advanced security features), the TPM checks the system during startup for conditions that could indicate a security risk. These conditions could include disk errors, changes to the basic input/output system (BIOS), changes to other startup components, or evidence that the hard disk is being started in a different computer.

If the TPM detects such a condition, BitLocker will not unlock the drive with Windows installed on it (or any other BitLocker-encrypted drives on the computer), and will enter a recovery mode that requires the BitLocker recovery password to unlock it.

Warning

  • It is very important to create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files.

If you use BitLocker on a computer without a version 1.2 or higher TPM, BitLocker will not check for changes to the startup environment. However, you will still need the recovery password in case your BitLocker startup key doesn't unlock the system drive that Windows is installed on.
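The following PowerShell script is an added example (not part of the Microsoft article) that audits the point made above: it reports the TPM specification version and whether the Windows drive has a recovery password protector, so a TPM-triggered recovery does not lock you out. It uses the built-in BitLocker cmdlets and the Win32_Tpm WMI class; the function and parameter names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft article): check whether the Windows drive is
# protected by BitLocker and has a recovery password protector, which is what the
# recovery screen asks for when the TPM detects a startup-environment change.
# Function and parameter names are this example's own, not Microsoft's.

function Get-BitLockerRecoveryReadiness {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$AddIfMissing   # create a recovery password protector if none exists
    )

    # TPM presence and specification version (1.2 or 2.0) from the TPM WMI class.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0 -and $AddIfMissing) {
        # Adds a new 48-digit recovery password protector. The password is returned in
        # the protector object and should be escrowed (AD DS, Azure AD, or a safe place),
        # never written to a log.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Report protector types and IDs only; the recovery password itself is never printed.
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        TpmSpecVersion      = $tpmSpec
        ProtectorTypes      = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        RecoveryPasswordIds = ($recovery.KeyProtectorId) -join ', '
        RecoveryReady       = ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -gt 0)
    }
}

$report = Get-BitLockerRecoveryReadiness
$report | Format-List
if (-not $report.RecoveryReady) {
    Write-Warning "No recovery password protector on $($report.MountPoint); a TPM-triggered recovery would leave the drive locked."
}
```

Once a recovery password protector exists, escrow it with Backup-BitLockerKeyProtector (Active Directory) or BackupToAAD-BitLockerKeyProtector (Azure AD), passing the protector ID the report prints. The ID is also shown on the recovery screen, which is how you match a locked computer to the right stored password.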

Notes

  • Some BitLocker features and settings can be enabled by Group Policy settings.

  • Assistive technology software that runs on Windows, such as screen-reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery password, and any BitLocker error messages.