
0XC00002DF: SAM needs boot key password fix

Cybersecurity & Malware | Intermediate | May 27, 2026

This error pops up when Windows can't unlock the SAM database at boot. Usually after a sysprep or disk cloning gone wrong.

What triggers this error

You see error code 0XC00002DF (STATUS_SAM_NEED_BOOTKEY_PASSWORD) right after the Windows logo appears. The system hangs, then throws the error in a blue screen or a black screen with white text. This happens most often after you've run sysprep on a Windows installation and tried to boot it on different hardware, or after you cloned a drive to a new machine with a different motherboard or disk controller.

I've seen this plenty when someone preps a golden image with sysprep, then deploys it to a laptop with BitLocker or a TPM chip. The SAM database expects a boot key password that doesn't exist anymore. The system can't load user accounts or profiles, so it just halts.

Root cause, plain English

Windows stores user accounts and passwords in a file called the Security Accounts Manager, or SAM. To protect that file, Windows can encrypt it with a boot key — a password that's handed to the system during startup. That boot key is stored in the Registry, and it's tied to the specific machine's hardware (disk, motherboard, TPM).

When you sysprep a system, it clears some of that hardware-specific info. But if you don't use the /generalize switch properly, or if you skip the sysprep /oobe step, the old boot key sticks around. On new hardware, Windows can't decrypt the SAM, so it throws 0XC00002DF and waits for a boot key password it'll never get.

The real fix is to force Windows to regenerate the boot key. That means booting from recovery media, editing the Registry to delete the old key, and letting the system create a new one on next boot.

Fix: Step by step

You'll need Windows installation media — a DVD or USB stick. Boot from it. If you don't have one, download the Media Creation Tool from Microsoft's site and make a USB drive. This takes about 15 minutes.

  1. Boot from the installation media. Insert it and restart. Press any key when prompted. On the first screen, pick your language and click Next. Then click Repair your computer in the bottom-left corner. Don't click Install — you're not reinstalling Windows.
  2. Open Command Prompt. Click Troubleshoot > Advanced options > Command Prompt. A black window opens.
  3. Find your Windows drive. Type diskpart and press Enter. Then type list volume. Look for the volume labeled C: or whatever drive letter Windows is on. Often it's D: in recovery mode. Note the drive letter with the Windows folder. Type exit to leave diskpart.
  4. Load the System Registry hive. Type this, replacing D: with your actual Windows drive letter:
    reg load HKLM\TempSystem D:\Windows\System32\config\SYSTEM
    Press Enter. You should see The operation completed successfully.
  5. Delete the boot key. The boot key is stored in a Registry key. Type these commands one at a time:
    reg delete "HKLM\TempSystem\ControlSet001\Control\Lsa" /v BootKey /f
    reg delete "HKLM\TempSystem\ControlSet001\Control\Lsa" /v LsaPid /f
    Each command should return The operation completed successfully. If a value doesn't exist, that's fine; move on.
  6. Unload the Registry hive. Type:
    reg unload HKLM\TempSystem
    Press Enter. You'll see The operation completed successfully.
  7. Reboot. Close the Command Prompt. Click Turn off your PC or restart. Remove the installation media when it restarts.

On next boot, Windows detects the missing boot key and creates a new one. The SAM gets decrypted fresh. You should see the login screen or the Out-Of-Box Experience (OOBE) if sysprep left it that way.
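Steps 4 to 6 as one batch file for the recovery Command Prompt; this is an added example, not part of the original article. The hive backup, its file name suffix and the Select\Current lookup are assumptions added here, while the BootKey and LsaPid value names are the ones the article gives.

```batch
@echo off
rem Added example, not from the original article. Run it from the recovery
rem Command Prompt and pass the Windows drive letter, for example: D:
setlocal
set "WIN=%~1"
if not defined WIN set "WIN=D:"
set "HIVE=%WIN%\Windows\System32\config\SYSTEM"
if not exist "%HIVE%" (
  echo No SYSTEM hive at %HIVE%. Check the drive letter with diskpart.
  exit /b 1
)

rem Assumption: keep a copy of the hive so the edit can be undone.
copy /y "%HIVE%" "%HIVE%.before-bootkey-fix" >nul
if errorlevel 1 (
  echo Backup failed, nothing was changed.
  exit /b 1
)

reg load HKLM\TempSystem "%HIVE%"
if errorlevel 1 exit /b 1

rem Select\Current holds the number of the control set Windows boots from.
rem The article uses ControlSet001; this reads the number instead of assuming it.
set "CUR="
for /f "skip=2 tokens=3" %%A in ('reg query HKLM\TempSystem\Select /v Current 2^>nul') do set /a CUR=%%A
if not defined CUR (
  echo Could not read Select\Current, nothing was changed.
  reg unload HKLM\TempSystem
  exit /b 1
)
set "CS=00%CUR%"
set "LSA=HKLM\TempSystem\ControlSet%CS:~-3%\Control\Lsa"

rem List the key first, then delete only the values the article names.
reg query "%LSA%"
for %%V in (BootKey LsaPid) do (
  reg query "%LSA%" /v %%V >nul 2>&1
  if errorlevel 1 (
    echo %%V is not present under %LSA%, skipping.
  ) else (
    reg delete "%LSA%" /v %%V /f
  )
)

reg unload HKLM\TempSystem
endlocal
```

To undo the change, copy the .before-bootkey-fix file back over SYSTEM from the same recovery prompt.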

If it still fails

Sometimes deleting those two keys isn't enough. Here's what I'd check next:

  • Did you see "The system cannot find the file specified" when deleting? That means the Registry path is wrong. Use reg query "HKLM\TempSystem\ControlSet001\Control\Lsa" to list all values. Look for anything with "Boot" in the name. Delete that specific value.
  • Is the SAM file corrupt? Try booting from recovery media and running chkdsk D: /f (replace D: with your drive). Corruption on the disk can cause this error even with a good boot key.
  • Did you sysprep with BitLocker enabled? Big mistake. BitLocker ties the boot key to the TPM. If you cloned to new hardware, the TPM is different. You'll need to disable BitLocker from the recovery console with manage-bde -unlock D: -RecoveryPassword followed by your 48-digit recovery password, and then manage-bde -off D:. Then run the Registry fix again.
  • System Restore or a backup. If nothing works, restore from a backup taken before the sysprep or clone. That's your fallback.

This error is a pain, but it's fixable. The Registry fix above works on Windows 10 and 11, both Home and Pro. I've used it dozens of times. Take it slow, double-check your drive letter, and you'll be back up.
