Tuesday, September 10, 2024
Latest:
ZDNet | Security 

Worried about the Windows BitLocker recovery bug? 6 things you need to know

TH Author
Windows keyboard

Nikolas Kokovlis/NurPhoto via Getty Images

Five years ago, after a particularly embarrassing run of flawed Windows updates, Microsoft vowed to do better. Part of its cleanup program included the introduction of a “release health dashboard” that documents the status of known issues with every update.

Also: You can upgrade your old PC to Windows 11 – even if Microsoft says it’s ‘incompatible’. Here’s how

That transparency is a good thing, to be sure, but sometimes those disclosures raise more questions than they answer. A case in point is the release health dashboard flagged the July 2024 security update as having a known issue affecting PCs running Windows 10 and Windows 11 and multiple versions of Windows Server, see: Device might boot into BitLocker recovery with the July 2024 security update.

On affected PCs and servers, Windows refuses to boot to the normal login screen, instead presenting a blue screen like the one shown here:

bitlocker-recovery-preboot

If you see this screen, something went wrong at startup and you need to prove your identity to recover your data.

Screenshot from Microsoft Support

As the Microsoft report dryly notes: “This screen does not commonly appear after a Windows update.” The advisory does not provide a cause for the issue, but it offers one clue: “You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption.”

Also: How to install Windows 11 the way you want (and sneak by Microsoft’s restrictions)

After entering the recovery key, Windows starts up normally. If you can’t find the recovery key, your data is lost for good.

That sounds bad, but the story is not nearly as alarming as media coverage has made it sound. I’ve been digging into this issue for the past week. Here’s what I’ve found.

How widespread is this bug?

In typically frustrating fashion, Microsoft provided no details about how common this issue is or what triggers it. Obviously, it doesn’t affect every machine that received the July 2024 security update. (If that were the case, the update would have been pulled immediately and it would have been front-page news.) It hasn’t occurred on any machine I’ve tested, and I haven’t heard from any readers affected by it. When I searched on Microsoft’s community forums, I didn’t find any reports related to this bug.

On Reddit, I did find several network administrators reporting that this issue affected multiple machines in their organization. (See this thread and this one for examples.) It appears all the devices were HP or Lenovo laptops that were managed on corporate networks and received firmware updates as part of the July 2024 Patch Tuesday update release.

When I asked Microsoft for additional details on the scope of the issue, a company spokesperson said: “Microsoft has nothing more to share beyond what is available in the following resources,” providing links to an overview of BitLocker technology (with the Device Encryption section highlighted) and a support article titled “BitLocker drive encryption in Windows 11 for OEMs“.

Why is this happening?

BitLocker is an extremely effective security option that encrypts the contents of an entire drive so that no one can access its contents without your permission. BitLocker works in conjunction with a Trusted Platform Module (TPM) and the Secure Boot feature to securely save a fingerprint of your boot configuration.

When you see the recovery prompt, that usually means that something about the boot process doesn’t look right to BitLocker. So, instead of proceeding to a normal login screen, it prompts you for the recovery key. This can happen for all sorts of reasons that might or might not be related to an outside attacker.

Also: The Windows 10 clock is ticking: 5 ways to save your old PC in 2025 (most are free)

In a separate section of the support article the Microsoft spokesperson pointed me to, there’s a section titled “BitLocker recovery scenarios” that lists no fewer than 15 “examples of common events that cause a device to enter BitLocker recovery mode when starting Windows.” The list includes some actions that are typical of what might happen when an unauthorized person is trying to access data on the device, such as making changes to the boot manager or the NTFS partitions on the disk, disabling the TPM, or moving the BitLocker-protected drive into a new computer.

But you can also trigger BitLocker recovery by upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, which is what I suspect happened here. Firmware upgrades are supposed to suspend BitLocker encryption while they’re installed, but it appears that this isn’t happening on the laptops in question.

What’s the difference between BitLocker and Device Encryption?

Device Encryption is a feature that’s standard on all modern PCs designed for Windows 11. It works with all Windows editions (including Home edition), encrypting the contents of the system drive. It’s on by default but is only activated when you sign in with a free Microsoft account or an Entra ID account. In those cases, the recovery key is automatically saved in the account dashboard for your account.

Also: Microsoft is changing how it delivers Windows updates: 4 things you need to know

BitLocker Drive Encryption is a feature that’s available for business customers, only on Pro, Enterprise, and Education editions of Windows. It allows you to encrypt the system volume as well as secondary drives and removable media, such as USB flash drives. This version of BitLocker includes a complete set of management tools.

Is your system drive encrypted?

The Device Encryption feature is controlled with a simple toggle switch in Windows Settings. On Windows 11, you can find this switch by going to Settings > Privacy & security > Device Encryption.

If this switch isn’t available, then your system, for one reason or another, doesn’t support encryption. One common reason is that the TPM is unavailable; you can find the details by opening the System Information utility (Msinfo32.exe) using an administrator’s credentials. Look for a line labeled Device Encryption Support, at the bottom of the System Summary page.

Have you saved a backup copy of your recovery key?

As mentioned earlier, Windows automatically saves a copy of your recovery key to your Microsoft account. If you’re ever prompted to enter that key, you can find it by opening a browser window (on a PC, Mac, or mobile device) and going to microsoft.com/recoverykey.

Sign in with the account you used for the device where you’re seeing the recovery prompt. That will take you to a page like this one:

bitlocker-recovery-keys

You can find your BitLocker recovery keys here.

Screenshot by Ed Bott/ZDNET

There, you can search for your device name and confirm that the encryption key is accessible. You can also copy that key to a text file, print it out, and store it safely.

If you’d rather use PowerShell to find your encryption key, open PowerShell as an administrator and use the following command:

(Get-BitLockerVolume -MountPoint C).KeyProtector

That process should give you all the information you need.

Should you turn encryption off?

If you’re worried about the possibility that you’ll be locked out of your PC by a BitLocker failure, you can turn device encryption off by going to its page in Settings and sliding the Device Encryption page to the Off position.

Also: The best Windows laptops you can buy: Expert tested and reviewed

However, that’s an extreme solution to a problem that’s unlikely to affect you. If you’ve got a backup copy of your recovery key, you’re in no risk of losing data, and you’re fully protected from having your digital life turned upside down by a thief who steals your laptop and accesses your data files.

READ MORE HERE