STATUS_FVE_AUTH_INVALID_APPLICATION (0XC021001B) – Boot hash mismatch with BitLocker
Your bootloader or boot app got modified after BitLocker was enabled. The hash doesn't match, so BitLocker throws this error to prevent unauthorized tampering.
Quick Answer
Boot from your Windows installation media, go to Troubleshoot > Command Prompt, and run bcdedit /set {bootmgr} path \EFI\Microsoft\Boot\bootmgfw.efi, then update BitLocker with manage-bde -lock C: and manage-bde -unlock C: -RecoveryPassword YOUR-KEY.
What’s Actually Happening
BitLocker keeps a hash of every boot component — the boot manager, the boot loader, even the EFI partition itself. This isn't some optional check; it's the core of how BitLocker verifies the system hasn't been tampered with between power-off and power-on. The error 0XC021001B means something changed one of those components. The most common trigger: you installed a Linux distribution alongside Windows, ran a boot repair tool that replaced the EFI boot manager with GRUB, or applied a Windows update that patched bootmgfw.efi but didn't update the hash. I've also seen it happen after a failed Secure Boot update on Lenovo and Dell machines running Windows 10 22H2.
The error itself isn't a disk failure or data corruption. Your BitLocker-encrypted drive is still intact. The problem is that the boot chain no longer passes the integrity check, so Windows refuses to load anything — not even a repair environment — from that drive. You'll need external media to get back in.
Fix Steps
- Get the recovery key. Before anything else, find your 48-digit BitLocker recovery key. If you saved it to your Microsoft account, log in at https://account.microsoft.com/devices/recoverykey from another machine. If it's in Active Directory, ask your admin. If you printed it or saved it to a text file, use that. Without this key, this fix won't work.
- Boot from Windows installation media. Use a USB stick or DVD with Windows 10 or 11 setup. Press any key to boot from it, then choose your language and click “Repair your computer” at the bottom left, not “Install now.”
- Open Command Prompt. Go to Troubleshoot > Advanced Options > Command Prompt. The environment loads, and you'll see X:\Sources>.
- Identify the BitLocker drive. Run diskpart, then list volume. Look for your Windows volume — usually C: or D: in this environment, but it might be something else. Note the drive letter. Type exit to leave diskpart.
- Restore the boot manager path. This is the main fix. Run bcdedit /store (drive letter):\EFI\Microsoft\Boot\BCD /set {bootmgr} path \EFI\Microsoft\Boot\bootmgfw.efi and replace (drive letter) with the letter of the actual EFI system partition, typically S: or Z:. If you're not sure, run diskpart, sel disk 0, list partition, find the 100 MB EFI System Partition, sel partition X, assign letter=S, then use S:. This rewrites the BCD entry to point exactly at Microsoft's boot manager, not GRUB or anything else.
- Unlock the BitLocker volume. Run manage-bde -unlock C: -RecoveryPassword YOUR-RECOVERY-KEY, substituting the drive letter you noted if it isn't C:. Use the exact 48-digit key with hyphens. If it succeeds, you'll see a confirmation. If it fails, double-check the drive letter and key.
- Update the BitLocker configuration. Once unlocked, run manage-bde -protectors -disable C:. This disables BitLocker temporarily. Then run manage-bde -protectors -enable C: to re-enable it with the current boot configuration. This forces BitLocker to recalculate the hashes for all boot components.
- Reboot. Close the Command Prompt, click “Continue” or “Exit and continue to Windows.” The system should boot normally. BitLocker will prompt you for your recovery key one last time — enter it, and you're done.
If That Doesn’t Work
Sometimes the EFI partition itself is corrupted or has extra files that confuse BitLocker. Try these alternative steps:
- Rebuild the BCD entirely. In the same Command Prompt, run bootrec /rebuildbcd, then bootrec /fixboot. This scans for Windows installations and rebuilds the boot configuration database from scratch. It often fixes cases where the BCD had multiple OS entries pointing at wrong paths.
- Check Secure Boot. If you added a custom key or disabled Secure Boot to install Linux, re-enable it in UEFI settings. BitLocker expects Secure Boot to be active — it uses the Secure Boot policy as part of the measured boot chain. On a Dell XPS 13 (9310) running Windows 11, I saw this error after a BIOS update reset Secure Boot to disabled. Re-enabling it fixed the hash mismatch immediately.
- Decrypt and re-encrypt. As a last resort, if you can unlock the drive, back up your data and run manage-bde -off C: to decrypt fully. Then re-enable BitLocker fresh. It's slow but guaranteed to reset all hash measurements.
Prevention Tip
Don't let any boot manager besides bootmgfw.efi touch your EFI partition. If you dual-boot, install Linux on a separate physical drive and use your motherboard's boot menu (F12 on most machines) to pick the OS, not a boot manager like GRUB. That way you never modify the Windows boot chain, and BitLocker stays happy. Also, every time you apply a Windows feature update (the big ones twice a year), run manage-bde -protectors -enable C: manually afterward — those updates sometimes alter boot files and the hash doesn't get refreshed automatically.
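The check-then-reseal routine below is an added example, not code from this article: it covers both the “Update the BitLocker configuration” step of the fix and the prevention tip, verifying from a booted Windows that Secure Boot is on and {bootmgr} still points at Microsoft's boot manager before running the same manage-bde -protectors -disable / -enable pair. It assumes an elevated PowerShell on UEFI firmware, the OS volume at C:, and a TPM key protector; the PCR-profile parsing relies on the line layout of manage-bde -protectors -get output.

```powershell
# Added example (not from the article): confirm the boot chain is in the state
# BitLocker expects, then re-seal the TPM protector to the current measurements.
# Assumptions: booted Windows (not WinRE), UEFI firmware, OS volume C:, TPM protector.
#Requires -RunAsAdministrator
$OsDrive         = 'C:'
$ExpectedBootMgr = '\EFI\Microsoft\Boot\bootmgfw.efi'

# 1. Secure Boot state: the PCR 7 measurement BitLocker seals to depends on it.
$secureBoot = $false
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { Write-Warning "Cannot read Secure Boot state (legacy BIOS?): $_" }

# 2. {bootmgr} must point at Microsoft's boot manager, not GRUB or another loader.
#    Braces are quoted so PowerShell does not parse {bootmgr} as a script block.
$bcdPath = $null
foreach ($line in (bcdedit /enum '{bootmgr}')) {
    if ($line -match '^\s*path\s+(\S+)') { $bcdPath = $Matches[1]; break }
}

# 3. BitLocker state and the PCRs the TPM protector is bound to. A 0,2,4 profile
#    hashes boot code, so any new EFI loader changes it; 7,11 binds to the Secure
#    Boot policy instead. The profile is on the line after the label in manage-bde output.
$vol     = Get-BitLockerVolume -MountPoint $OsDrive
$recProt = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$bdeOut  = manage-bde -protectors -get $OsDrive
$pcrs    = 'n/a'
for ($i = 0; $i -lt $bdeOut.Count - 1; $i++) {
    if ($bdeOut[$i] -match 'PCR Validation Profile') { $pcrs = $bdeOut[$i + 1].Trim(); break }
}

Write-Host "Secure Boot     : $secureBoot"
Write-Host "BCD {bootmgr}   : $bcdPath"
Write-Host "BitLocker       : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
Write-Host "TPM PCR profile : $pcrs"

# 4. Re-seal only when the chain is sane and a recovery password exists as a fallback.
if (-not $recProt) {
    throw "No recovery password protector on $OsDrive. Add one and back it up before re-sealing."
}
if ($secureBoot -and $bcdPath -eq $ExpectedBootMgr -and $vol.ProtectionStatus -eq 'On') {
    manage-bde -protectors -disable $OsDrive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed ($LASTEXITCODE)" }
    manage-bde -protectors -enable  $OsDrive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed ($LASTEXITCODE)" }
    Write-Host "TPM protector re-sealed to the current boot measurements."
} else {
    Write-Warning "Boot chain does not match the expected state; fix that first, then re-run."
}
```

Run it after the fix above or around a feature update; if it warns instead of re-sealing, the printed Secure Boot state or {bootmgr} path shows which part of the chain still differs.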