Why Your PC Asks for a BitLocker Key After Replacing the Motherboard
WiseChecker

Quick fix: Enter the recovery key from your Microsoft account at account.microsoft.com/devices/recoverykey, then immediately suspend BitLocker (Manage BitLocker → Suspend protection) before the next reboot — the TPM in the new motherboard needs to re-seal the encryption key against the new boot measurements.

Your motherboard failed (or you upgraded), and after reassembly your PC boots to the BitLocker recovery screen demanding the 48-digit key. The drive isn’t broken — but BitLocker sealed your volume encryption key with the TPM chip on the previous motherboard, and the new motherboard’s TPM is a different chip with different internal keys. The sealed key cannot be unsealed by the new TPM, so BitLocker falls back to recovery mode.

Symptom: BitLocker recovery screen demands the 48-digit recovery key after a motherboard replacement or major hardware change.
Affects: Any Windows 11 (or Windows 10) PC with BitLocker enabled and TPM-sealed keys.
Fix time: ~15 minutes including the post-boot configuration.

What causes this

BitLocker can protect the encryption key in three ways: with the TPM chip on the motherboard (most common, called TPM-only protection), with the TPM plus a PIN, or with a USB startup key. The TPM-based options bind the key to specific PCR (Platform Configuration Register) measurements that cover the BIOS/UEFI firmware identity, the Secure Boot policy, the bootloader, and other early-boot components — all of which change when you replace the motherboard.

Even if the new motherboard uses the same TPM standard (TPM 2.0), it’s a different physical chip with different keys. BitLocker correctly identifies this as a state change and refuses to release the encryption key without manual recovery.
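To see this binding on a running system, the following added example (not part of the WiseChecker article) reports which TPM the OS now sees, which protectors the system volume has, and the PCR validation profile the TPM protector is sealed to. It assumes an elevated PowerShell on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules, an English-locale manage-bde, and `C:` as the system volume; the function name is my own.

```powershell
# Added example (not from the WiseChecker article): show which TPM the OS now
# sees and what the volume's TPM protector is sealed against. Run from an
# elevated PowerShell on the recovered desktop; uses the built-in BitLocker
# and TrustedPlatformModule modules (Windows 10/11) and manage-bde.exe.
# Assumes an English locale (it looks for the "TPM:" label in manage-bde output).

function Get-BitLockerTpmBinding {
    param([string]$MountPoint = 'C:')

    # 1. The TPM the OS currently sees. After a board swap, the manufacturer and
    #    firmware version here belong to the new chip, which never held the
    #    sealed key.
    $tpm = Get-Tpm

    # 2. Protectors on the volume. A healthy TPM-only setup has exactly one Tpm
    #    protector and at least one RecoveryPassword protector.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector | ForEach-Object {
        '{0} {1}' -f $_.KeyProtectorType, $_.KeyProtectorId
    }

    # 3. The PCR validation profile of the TPM protector. Get-BitLockerVolume
    #    does not expose it, but manage-bde prints it under the TPM protector
    #    (UEFI with Secure Boot defaults to PCRs 7 and 11). Any change to the
    #    firmware, Secure Boot policy or bootloader alters those measurements,
    #    and a different chip cannot unseal the key at all.
    $lines = @(manage-bde -protectors -get $MountPoint)
    $hit   = $lines | Select-String -SimpleMatch 'TPM:' | Select-Object -First 1
    $pcrProfile = if ($hit) {
        $from = $hit.LineNumber - 1            # LineNumber is 1-based
        $to   = [Math]::Min($from + 4, $lines.Count - 1)
        ($lines[$from..$to] | ForEach-Object { $_.Trim() }) -join ' | '
    } else {
        'no TPM protector found'
    }

    [PSCustomObject]@{
        MountPoint          = $MountPoint
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmManufacturer     = $tpm.ManufacturerIdTxt
        TpmFirmwareVersion  = $tpm.ManufacturerVersion
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectors       = $protectors
        TpmProtectorProfile = $pcrProfile
    }
}

Get-BitLockerTpmBinding -MountPoint 'C:' | Format-List
```

Run it once on the recovered desktop and keep the output: if the recovery prompt comes back later, comparing TpmFirmwareVersion and the PCR profile against this baseline tells you whether a firmware update or a Secure Boot policy change was the trigger.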

Method 1: Enter recovery key, then re-seal against new TPM

The standard process. Restores access and rebinds the key cleanly.

  1. At the BitLocker recovery screen, note the Key ID (the first 8 characters of the recovery key identifier).
  2. From a phone or another PC, go to account.microsoft.com/devices/recoverykey. Sign in with the Microsoft account from the original setup.
  3. Find the matching Key ID in the list. Note or copy the full 48-digit recovery key.
  4. At the BitLocker recovery screen, type the key (dashes are optional). Press Enter.
  5. Windows boots to the desktop. You’re back in.
  6. Immediately open Start → search → Manage BitLocker.
  7. Next to your system drive, click Suspend protection. Confirm to suspend for one reboot.
  8. Click Resume protection on the same drive. This forces BitLocker to re-seal the encryption key against the new motherboard’s TPM PCR measurements.
  9. Reboot. The PC should now boot directly to the lock screen without prompting for a recovery key.

The single suspend/resume cycle is critical. Without it, every subsequent reboot will keep prompting for recovery.

Method 2: Manage BitLocker via PowerShell when GUI is unavailable

Use this if the BitLocker Control Panel doesn’t respond after the recovery boot, or if you’re managing multiple machines.

  1. Open Terminal (Admin).
  2. Check the current BitLocker status:
    Get-BitLockerVolume -MountPoint C:

    Look for VolumeStatus: FullyEncrypted; ProtectionStatus: On.

  3. List existing protectors:
    (Get-BitLockerVolume -MountPoint C:).KeyProtector

    You should see a TPM protector and a RecoveryPassword protector.

  4. Suspend for one reboot:
    Suspend-BitLocker -MountPoint "C:" -RebootCount 1
  5. Reboot.
  6. After boot, resume protection:
    Resume-BitLocker -MountPoint "C:"
  7. Verify status returned to ProtectionStatus: On.

This sequence accomplishes the same thing as the GUI steps in Method 1, but it is scriptable and faster for IT.
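The Method 2 sequence as two functions, with a pre-flight check before suspending, as an added example (not the article's own code). It assumes the built-in BitLocker module on Windows 10/11, an elevated session, and `C:` as the system volume; the function names are mine. The first function is run before the reboot, the second after it.

```powershell
# Added example (not from the WiseChecker article): Method 2 scripted.
# Assumes the built-in BitLocker module (Windows 10/11) and an elevated session.

function Invoke-BitLockerPreReboot {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Volume $MountPoint is $($vol.VolumeStatus); wait for encryption to finish first."
    }

    # Refuse to touch the TPM binding unless a recovery password exists: it is
    # the only way back in if re-sealing fails on the next boot.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No RecoveryPassword protector on $MountPoint. Add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up before suspending."
    }
    # Log only the protector ID (the 8-character Key ID the recovery screen
    # shows), never the 48-digit password itself.
    $keyId = $recovery[0].KeyProtectorId.Trim('{}').Substring(0, 8)
    Write-Host "Recovery protector present, Key ID: $keyId"

    $tpm = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    if ($tpm.Count -eq 0) {
        throw "No Tpm protector on $MountPoint; there is nothing to re-seal."
    }

    # Suspend for exactly one reboot. BitLocker keeps the volume key accessible
    # for that boot, then re-seals it against the TPM it finds and resumes.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host 'Protection suspended for one reboot. Restart now.'
}

function Test-BitLockerResealed {
    param([string]$MountPoint = 'C:')

    # Resume is a no-op once the RebootCount has expired, but it makes the end
    # state explicit and matches the article's step 6.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $ok  = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    [PSCustomObject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        Resealed         = $ok
    }
}

# Before the reboot:
# Invoke-BitLockerPreReboot -MountPoint 'C:'
# After the reboot:
# Test-BitLockerResealed -MountPoint 'C:'
```

The pre-flight check matters on fleet machines: a volume whose recovery password was never escrowed is one failed re-seal away from being unrecoverable, so the script stops rather than suspending it.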

Method 3: Decrypt and re-encrypt (when re-seal fails)

Use this when Method 1 or 2 doesn’t prevent future recovery prompts (the new TPM behaves differently from the old one, or has known firmware issues).

  1. Open Manage BitLocker.
  2. Click Turn off BitLocker on the system drive. Confirm.
  3. Wait for full decryption. This takes 30 minutes to several hours depending on drive size and speed.
  4. Once decryption shows complete, click Turn on BitLocker on the same drive.
  5. Choose Save to your Microsoft account as the recovery key backup location — or save to a file in addition.
  6. Select Encrypt used disk space only for a faster initial encryption (~10 minutes on an SSD).
  7. Confirm and let the new encryption complete. The fresh BitLocker setup binds the key to the new motherboard’s TPM from the start.
  8. Reboot. The PC boots normally; recovery prompts don’t appear.

This is slower but guaranteed to work — you’re starting fresh against the current hardware state.
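Method 3 driven from PowerShell rather than the GUI, as an added example (not the article's own code). It assumes the built-in BitLocker module, an elevated session, and `C:` as the system volume. `$RecoveryKeyFile` is a hypothetical path chosen by the admin on a different drive (a USB stick in the usage line), matching the article's "save to a file" option; the Microsoft-account backup in step 5 has no PowerShell cmdlet for consumer accounts and is done afterwards through Manage BitLocker (Entra-joined devices can use BackupToAAD-BitLockerKeyProtector instead). The function name is mine.

```powershell
# Added example (not from the WiseChecker article): Method 3 from PowerShell.
# Assumes the built-in BitLocker module (Windows 10/11) and an elevated session.
# $RecoveryKeyFile is a hypothetical absolute path on a drive other than the
# one being encrypted.

function Reset-BitLockerToCurrentTpm {
    param(
        [Parameter(Mandatory)][string]$RecoveryKeyFile,
        [string]$MountPoint = 'C:'
    )

    # Never write the recovery password onto the volume being re-encrypted.
    $keyFile = [System.IO.Path]::GetFullPath($RecoveryKeyFile)
    if ((Split-Path -Qualifier $keyFile) -eq (Split-Path -Qualifier $MountPoint)) {
        throw 'Store the recovery key on a different drive from the one you are encrypting.'
    }

    # Steps 1-3: turn BitLocker off and wait for the volume to be fully decrypted.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('Decrypting {0}: {1}% still encrypted' -f $MountPoint, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Steps 4-5: create the recovery password before the TPM protector so a way
    # back in exists from the first encrypted boot, and save it off-box.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]
    @(
        "Volume:            $MountPoint"
        "Key ID:            $($rp.KeyProtectorId)"
        "Recovery Password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $keyFile
    Write-Host "Recovery password saved to $keyFile (Key ID $($rp.KeyProtectorId))"

    # Steps 6-7: used-space-only encryption sealed to the TPM on the current
    # board. -SkipHardwareTest starts encryption now instead of after a test reboot.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('Encrypting {0}: {1}% done' -f $MountPoint, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyEncrypted')

    # Step 8: report the end state; the next reboot should reach the lock screen directly.
    [PSCustomObject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

# E: is a hypothetical USB stick; pick any drive other than the one being encrypted.
Reset-BitLockerToCurrentTpm -RecoveryKeyFile 'E:\bitlocker-recovery.txt' -MountPoint 'C:'
```

Once encryption finishes, open Manage BitLocker and back up the recovery key to your Microsoft account as well, then remove the USB stick and store it somewhere other than with the PC.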

How to verify the fix worked

  • Reboot the PC three times. None of those reboots should produce the BitLocker recovery screen.
  • Run Get-BitLockerVolume -MountPoint C: in PowerShell and confirm ProtectionStatus: On and VolumeStatus: FullyEncrypted.
  • Check that the new recovery key (if you re-encrypted in Method 3) is in your Microsoft account: account.microsoft.com/devices/recoverykey.

If none of these work

If the recovery prompt returns despite suspend/resume cycling, the new motherboard’s TPM may be in a transitional state. Try clearing the TPM: open tpm.msc, click Clear TPM, and follow the prompts. Clearing discards the TPM’s keys, so have the recovery key at hand; the next boot will ask for it once more. After that reboot, run Manage BitLocker → Suspend → Resume again.

If the motherboard’s BIOS/UEFI was updated as part of the replacement, that is a separate trigger for recovery prompts: each firmware revision changes the boot measurements, so you sometimes need to wait for the firmware update to settle and complete one full suspend/resume cycle per BIOS revision.

For PCs where multiple suspend/resume cycles still produce recovery prompts, the TPM chip itself may be malfunctioning on the new motherboard; verify with the laptop/desktop manufacturer’s diagnostic tools. Persistent failure on known-good hardware indicates either a firmware bug that requires an update, or that Method 3 (full decrypt and re-encrypt) is the durable solution.

Bottom line: A motherboard swap invalidates BitLocker’s TPM-bound key. Enter the recovery key, then suspend and resume protection to re-seal against the new TPM. One cycle, one fix.