Fix STATUS_NO_RECOVERY_POLICY (0XC000028D) on Windows 10/11
This error hits when BitLocker can't find a recovery policy on a domain-joined or Azure AD machine. The fix is setting the right group policy or clearing a stale TPM.
What triggers STATUS_NO_RECOVERY_POLICY (0XC000028D)?
You'll see this error right after POST, before Windows even starts loading. The screen shows STATUS_NO_RECOVERY_POLICY (0XC000028D) and a message that reads "There is no encryption recovery policy configured for this system." It's almost always on a machine that's joined to a domain or Azure AD, and BitLocker is enabled but the group policy that specifies where to store or retrieve the recovery key is misconfigured or missing. I've also seen it after a TPM firmware update or a motherboard swap — the TPM chip still has old keys and the policy can't match them.
Root cause in plain English
BitLocker requires a recovery policy to tell it where to save or find the recovery key. On domain-joined machines, that's usually AD. On Azure AD machines, it's the cloud. If that policy isn't set — or if the TPM has a stale key that doesn't match the current policy — the boot process halts. The OS literally can't decrypt the drive because it doesn't know where to look for the backup key.
The culprit here is almost always a group policy setting called "Choose how BitLocker-protected operating system drives can be recovered." If that policy isn't configured or if the "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" checkbox is unchecked, you get this error. For Azure AD devices, the policy must point to Azure AD, not local Active Directory.
The fix: step by step
Don't bother wiping the drive or reinstalling. That's overkill. The real fix is either adjusting group policy or clearing the TPM so BitLocker can re-sync.
Step 1: Boot into recovery or another OS
You can't fix this from a broken boot. You'll need a Windows installation USB or a recovery drive. Boot from it, choose "Repair your computer" > "Troubleshoot" > "Advanced Options" > "Command Prompt."
Step 2: Suspend BitLocker (if possible)
In the command prompt, run:
manage-bde -status C:
manage-bde -protectors -disable C:
If this fails with an access-denied error, skip to Step 4: sometimes the TPM won't release the key, and you'll need to clear it.
Step 3: Fix the group policy
If you can get back into Windows (maybe after suspending), open gpedit.msc and navigate to:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Double-click "Choose how BitLocker-protected operating system drives can be recovered". Set it to Enabled. Then check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". Also configure the recovery key path — it should point to your domain or Azure AD tenant.
For Azure AD machines, use the local group policy editor (not domain GPO) and set the recovery key backup to Azure AD. Run gpupdate /force after making changes.
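As an added example (not from the original article), the PowerShell below audits whether the recovery policy from Step 3 is in place and then escrows the recovery password to AD DS or Azure AD, whichever the machine is joined to. It assumes the policy "Choose how BitLocker-protected operating system drives can be recovered" is written to the registry values named below under HKLM\SOFTWARE\Policies\Microsoft\FVE; verify those names against your ADMX if your build differs. Run it from an elevated PowerShell prompt inside Windows, after gpupdate /force.

```powershell
# Added example, not the article's own code. Assumption: the OS-drive recovery
# policy maps to the registry values OSRecovery, OSActiveDirectoryBackup and
# OSRequireActiveDirectoryBackup under the FVE policy key (check your ADMX).
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OsRecoveryPolicyState {
    # Reports whether the policy is enabled and whether the
    # "Do not enable BitLocker until recovery information is stored to AD DS" box is ticked.
    if (-not (Test-Path $FvePolicyKey)) {
        return [pscustomobject]@{ PolicyConfigured = $false; AdBackup = $false; RequireAdBackup = $false }
    }
    $p = Get-ItemProperty -Path $FvePolicyKey
    [pscustomobject]@{
        PolicyConfigured = ($p.OSRecovery -eq 1)
        AdBackup         = ($p.OSActiveDirectoryBackup -eq 1)
        RequireAdBackup  = ($p.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Get-JoinType {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES".
    $out = dsregcmd /status
    if ($out -match 'AzureAdJoined\s*:\s*YES') { return 'AzureAD' }
    if ($out -match 'DomainJoined\s*:\s*YES')  { return 'Domain' }
    'Workgroup'
}

function Backup-OsRecoveryPassword {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No numerical recovery password exists yet, so add one before escrowing it.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    $join = Get-JoinType
    foreach ($kp in $rp) {
        switch ($join) {
            'AzureAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId }
            'Domain'  { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId }
            default   { Write-Warning 'Workgroup machine: save the recovery key to a USB stick or Microsoft account instead.'; return }
        }
    }
    Write-Host "Recovery password escrowed via $join for $MountPoint"
}

$state = Get-OsRecoveryPolicyState
$state | Format-List
if (-not ($state.PolicyConfigured -and $state.RequireAdBackup)) {
    Write-Warning 'Recovery policy is not set the way Step 3 requires; fix it in gpedit.msc and run gpupdate /force first.'
}
Backup-OsRecoveryPassword -MountPoint 'C:'
```

The escrow step uses the BitLocker module's own Backup-BitLockerKeyProtector (AD DS) and BackupToAAD-BitLockerKeyProtector (Azure AD) cmdlets, so the same script works for both join types the article covers; on a workgroup machine it stops and tells you to store the key yourself.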
Step 4: Clear and reinitialize the TPM
If you can't suspend BitLocker or the policy fix doesn't take, the TPM itself is holding a stale key. From the WinPE command prompt, run:
tpmtool clear
or for older systems:
tpm.msc
and choose "Clear TPM" from the Actions menu (you'll need to reboot into BIOS to accept the clear). After the TPM is cleared, reboot, and Windows will re-initialize it. BitLocker will then ask for the recovery key — if you stored it in AD or Azure AD, you can retrieve it there. If you didn't, you're stuck. That's why step 3 matters.
Step 5: Re-enable BitLocker protectors
Once the policy is fixed and the TPM is clean, boot back into Windows. Open an admin command prompt and run:
manage-bde -protectors -enable C:
Then check status with manage-bde -status. It should now show your drive as protected with the TPM and recovery key backed up.
What to check if it still fails
If you're still staring at the error, here's what I'd check next:
- Is the machine actually domain-joined or Azure AD joined? If it's a workgroup machine, BitLocker doesn't need a recovery policy — but the error can still pop up if the TPM has a stale key. In that case, just clear the TPM and disable BitLocker, then re-enable it fresh.
- Are you using a local account or a Microsoft account? For non-domain machines, you need to save the recovery key to your Microsoft account or a USB stick. The error implies no policy is configured, so you may have to disable BitLocker fully, back up the key manually, then re-enable it.
- Check Event Viewer under Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management. Look for event ID 845 or 846; they'll tell you exactly why the policy check failed.
- Third-party disk encryption software? If you have VeraCrypt or something else, uninstall it before relying on BitLocker. They clash hard.
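To work through the checklist above without clicking around Event Viewer, here is an added PowerShell example (not from the original article) that summarises the OS volume's protectors and TPM readiness, then pulls the 845/846 backup events the checklist points at. It assumes the Event Viewer path above corresponds to the log name Microsoft-Windows-BitLocker/BitLocker Management and that the event IDs are as the article states; run it from an elevated prompt.

```powershell
# Added example, not the article's own code. Assumption: the Management log under
# BitLocker-API is named 'Microsoft-Windows-BitLocker/BitLocker Management'.
function Get-OsVolumeProtectionSummary {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm
    $types = @($vol.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus    # Off means suspended or not encrypted
        VolumeStatus     = $vol.VolumeStatus
        ProtectorTypes   = ($types -join ', ')
        HasTpmProtector  = ($types -contains 'Tpm')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady            # $false after a clear until Windows re-provisions it
    }
}

function Get-BitLockerBackupEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846                        # 845 = backup succeeded, 846 = backup failed
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so silence it and return nothing instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'backup OK' } else { 'backup FAILED' } } },
            Message
}

Get-OsVolumeProtectionSummary -MountPoint 'C:' | Format-List
$events = Get-BitLockerBackupEvents -Days 30
if (-not $events) {
    Write-Host 'No 845/846 events in the last 30 days: no recovery-key backup attempt was logged in that window.'
} else {
    $events | Format-Table -AutoSize -Wrap
}
```

A volume that shows HasRecoveryPwd as false with no 845 event is exactly the state the article describes: nothing was ever escrowed, so fix the policy and run the backup before touching the TPM. A run of 846 events with the message text explains which directory the backup was aimed at and why it was refused.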
One last thing: if the machine came from a corporate environment and you wiped it without removing the BitLocker keys, the TPM still holds them. You'll need to clear the TPM from BIOS (not Windows) and do a clean install. That's rare, but I've seen it.