Five years ago, Microsoft made a commitment to improve its update process following a series of problematic Windows updates. As part of this initiative, the company introduced a “release health dashboard” designed to provide users with insights into the status of known issues associated with each update. While this transparency is commendable, it can sometimes lead to more questions than answers.
A recent example involves the July 2024 security update, which has been flagged on the release health dashboard due to a known issue affecting devices running Windows 10, Windows 11, and various versions of Windows Server. Specifically, some users have reported that their devices boot into BitLocker recovery mode after the update is installed. Instead of reaching the familiar login screen, they are confronted with a blue BitLocker recovery screen asking for the 48-digit recovery key before Windows will start.
As noted in Microsoft’s advisory, this situation is not typical following a Windows update. However, the report does not specify the cause of the issue. It does hint that users with the Device Encryption option enabled may be more likely to encounter this problem.
How widespread is this bug?
In a rather frustrating turn, Microsoft has not provided details regarding the prevalence of this issue or its triggers. It is clear that not every device receiving the July 2024 security update is affected; otherwise, the update would have been retracted immediately. In my own testing, I have not encountered this problem, nor have I received reports from readers experiencing it. A search through Microsoft’s community forums yielded no related discussions.
However, on platforms like Reddit, several network administrators have reported that this issue has impacted multiple devices within their organizations, particularly HP and Lenovo laptops managed on corporate networks that received firmware updates during the July 2024 Patch Tuesday release. When I reached out to Microsoft for further clarification, a spokesperson indicated that they had no additional information beyond what was already available in their resources.
Why is this happening?
BitLocker is a robust security feature that encrypts the entire system volume so that the data cannot be read by booting another operating system or moving the disk to another PC. On a modern PC it works together with the Trusted Platform Module (TPM): during startup the firmware and boot loader record measurements of the boot chain (firmware, Secure Boot configuration, boot manager) into the TPM, and the key that unlocks the volume is sealed to those measurements. The TPM releases the key only if the measurements match the ones recorded when protection was turned on. When users see the recovery prompt, it means something about the boot process no longer matches that recorded state, so the TPM refuses to unseal the key and Windows asks for the recovery password instead of proceeding to the login screen. This can happen for many reasons, not all of which involve an attack.
Microsoft’s support article lists numerous scenarios that can trigger BitLocker recovery mode, including changes to the boot manager or NTFS partitions, disabling the TPM, or moving a BitLocker-protected drive to a new computer. Notably, upgrading critical early startup components such as BIOS or UEFI firmware can also trigger recovery, because it changes the boot measurements the TPM protector is bound to. That appears to be what happened on the affected laptops: a well-behaved firmware updater suspends BitLocker protection before flashing so that the key is re-sealed to the new measurements on the next boot, but on these machines that step may not have happened as expected, leaving the TPM unwilling to release the key.
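The procedure a firmware updater is supposed to follow can be done by hand. The following PowerShell script, added here as an example and not taken from the article or from any vendor tool, inspects how the system volume is protected, refuses to continue without a recovery password protector, suspends BitLocker for exactly one reboot, and then launches a (hypothetical) vendor updater. The drive letter and the updater path are assumptions; the cmdlets are the standard BitLocker module ones and the script must be run from an elevated prompt.

```powershell
# Added example (not from the original article): inspect how the OS volume is
# protected, then suspend BitLocker for exactly one reboot before flashing
# firmware, so the TPM re-seals the key to the new boot measurements instead
# of prompting for the recovery password. Run from an elevated PowerShell.
# The drive letter and the firmware-updater path are assumptions.

$Volume          = "C:"
$FirmwareUpdater = "C:\Temp\firmware-update.exe"   # hypothetical vendor updater

$bde = Get-BitLockerVolume -MountPoint $Volume
if ($bde.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "$Volume is not fully encrypted (status: $($bde.VolumeStatus)); nothing to suspend."
    return
}

# A TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) is what
# ties the volume key to the measured boot chain.
$tpmProtector = $bde.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if (-not $tpmProtector) {
    Write-Warning "No TPM protector on $Volume; a firmware change will not trigger recovery by itself."
}

# manage-bde prints the PCR validation profile, i.e. which TPM registers the
# key is sealed to, which is useful to know before changing early boot code.
manage-bde -protectors -get $Volume

# Refuse to proceed unless a recovery password protector exists: if the
# re-seal fails for any reason, the recovery password is the only way back in.
$recovery = $bde.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password protector on $Volume. Add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector and back it up before updating firmware."
}

# Suspend for one reboot only. Protection resumes automatically after the next
# start, so an operator who forgets to resume does not leave the drive exposed.
Suspend-BitLocker -MountPoint $Volume -RebootCount 1
$status = (Get-BitLockerVolume -MountPoint $Volume).ProtectionStatus
Write-Host "BitLocker suspended on $Volume for one reboot; ProtectionStatus is now $status."

# Run the vendor firmware updater (assumed to reboot the machine itself).
if (Test-Path $FirmwareUpdater) {
    Start-Process -FilePath $FirmwareUpdater -Wait
} else {
    Write-Warning "Updater not found at $FirmwareUpdater. Resume protection with: Resume-BitLocker -MountPoint $Volume"
}
```

While protection is suspended the volume stays encrypted but its key is stored in the clear on disk, which is why the script limits the suspension to a single reboot rather than suspending indefinitely.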
What’s the difference between BitLocker and Device Encryption?
Device Encryption is available on modern PCs that meet the Windows 11 hardware requirements (a TPM and Secure Boot) and works on every Windows edition, including Home. Encryption of the system drive is prepared during setup, but protection is switched on only after a user signs in with a Microsoft account or an Entra ID account; at that point the recovery key is uploaded to the account, where it can be retrieved later from the account dashboard.
BitLocker Drive Encryption, on the other hand, is the full-featured version aimed at business customers and available only on the Pro, Enterprise, and Education editions. Device Encryption uses the same BitLocker engine under the hood, but the full version adds encryption of secondary drives and removable media, additional protectors such as a PIN or startup key, and a comprehensive set of management and policy tools.
Is your system drive encrypted?
To check whether Device Encryption is enabled, go to Settings > Privacy & security > Device Encryption. If the toggle switch is absent, the system does not meet the prerequisites, most often because no TPM is available or it is disabled in firmware. The System Information utility (Msinfo32.exe) lists the specific reasons: look for “Device Encryption Support” in the System Summary, which reads “Meets prerequisites” on a supported system or otherwise lists what is missing.
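The same questions can be answered from an elevated PowerShell prompt. The script below is an added example, not code from the article, and assumes the system drive is C: and that the BitLocker and TrustedPlatformModule modules are present. It reports the TPM and Secure Boot state, the volume’s encryption and protection status, and whether a recovery password protector exists, then prints a plain-language verdict.

```powershell
# Added example (not part of the original article): a status check for the
# system volume that mirrors what the Settings page and msinfo32 show.
# Run from an elevated PowerShell prompt. The mount point is an assumption.

function Get-OsVolumeEncryptionReport {
    param([string]$MountPoint = "C:")

    # The TPM is the component most often missing or disabled when the
    # Device Encryption toggle does not appear in Settings.
    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on legacy-BIOS boots; treat that as "no".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        SecureBootEnabled   = $secureBoot
        VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus    = $vol.ProtectionStatus    # On, or Off when suspended/unprotected
        EncryptionMethod    = $vol.EncryptionMethod    # e.g. XtsAes128
        EncryptionPercent   = $vol.EncryptionPercentage
        Protectors          = ($vol.KeyProtector.KeyProtectorType -join ', ')
        HasRecoveryPassword = [bool]($vol.KeyProtector |
                                     Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

$r = Get-OsVolumeEncryptionReport
$r | Format-List

# Plain-language verdict, which is what the question in the heading asks.
if ($r.VolumeStatus -eq 'FullyEncrypted' -and $r.ProtectionStatus -eq 'On') {
    Write-Host "System drive is encrypted and protected."
} elseif ($r.VolumeStatus -eq 'FullyEncrypted') {
    Write-Warning "Encrypted, but protection is OFF (suspended, or waiting for an account sign-in): the volume key is stored in the clear on disk."
} else {
    Write-Warning "System drive is not encrypted (status: $($r.VolumeStatus))."
}
if (-not $r.HasRecoveryPassword) {
    Write-Warning "No recovery password protector: add and back one up before the next firmware or feature update."
}
```

The “encrypted but protection off” case is worth recognising: it is how a Device Encryption system looks before anyone has signed in with a Microsoft or Entra ID account, and also how a volume looks while BitLocker is suspended for an update.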
Have you saved a backup copy of your recovery key?
When Device Encryption is activated by a Microsoft account sign-in, Windows automatically saves a copy of the recovery key to that account (on an Entra ID-joined device it goes to Entra ID instead, and on a domain-joined PC it can be escrowed to Active Directory if policy requires it). If prompted for the key, users can retrieve it by visiting microsoft.com/recoverykey and signing in with the account linked to the affected device. That page lets them search for the device name and confirm that the key is available; the recovery screen shows the first eight characters of the key ID so the right key can be matched when several are listed. Alternatively, from an elevated PowerShell prompt on a machine that still boots, the recovery password can be read from the volume’s key protectors with the command:
(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
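Reading the key is only half the job; the point of the heading is to have a backup that survives the PC becoming unbootable. The following script, added here as an example and not part of the article, lists every recovery password protecting the system drive, creates one if none exists, writes each to a text file on a removable drive, and, on an Entra ID-joined device, uploads it to the account with BackupToAAD-BitLockerKeyProtector. The drive letters and backup folder are assumptions; run it elevated.

```powershell
# Added example (not part of the original article): list the recovery
# password(s) protecting the system drive and make two backups: a text file
# on a removable drive, and, on an Entra ID-joined device, an upload to the
# account so it appears on the recovery-key page. Run elevated.
# The mount point, backup drive and folder name are assumptions.

$MountPoint  = "C:"
$BackupDrive = "E:\"                                      # assumed removable drive
$BackupDir   = Join-Path $BackupDrive "BitLocker-Recovery"

$vol        = Get-BitLockerVolume -MountPoint $MountPoint
$protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $protectors) {
    # No numerical password exists yet; create one so there is something to back up.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# dsregcmd reports "AzureAdJoined : YES" on an Entra ID-joined device.
$entraJoined = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')

foreach ($p in $protectors) {
    # The recovery screen shows the first 8 characters of this ID so the
    # right password can be chosen when several are stored.
    Write-Host ("Key ID {0}  Recovery password {1}" -f $p.KeyProtectorId, $p.RecoveryPassword)

    # Backup 1: a file on removable media (keep it away from the laptop).
    if (Test-Path $BackupDrive) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $file = Join-Path $BackupDir ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
        @(
            "Computer:          $env:COMPUTERNAME"
            "Volume:            $MountPoint"
            "Key ID:            $($p.KeyProtectorId)"
            "Recovery password: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file
        Write-Host "Saved to $file"
    } else {
        Write-Warning "Backup drive $BackupDrive not present; file backup skipped."
    }

    # Backup 2: escrow to Entra ID when the device is joined to it.
    if ($entraJoined) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host "Uploaded key $($p.KeyProtectorId) to Entra ID."
    } else {
        Write-Host "Not Entra ID joined; upload skipped. For a Microsoft account copy, check microsoft.com/recoverykey."
    }
}
```

There is no cmdlet for pushing a key into a personal Microsoft account; that upload happens automatically at sign-in, which is why the script only points to the recovery-key page for that case. A printed or file copy of the 48-digit password should be stored somewhere other than the encrypted laptop itself.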
Should you turn encryption off?
For those worried about being locked out by a BitLocker issue, turning Device Encryption off is an option: open the Device Encryption settings and flip the toggle off. Be aware that this decrypts the entire system drive, leaving its contents readable to anyone who removes the disk or boots from other media, and it is a drastic step for a problem that is unlikely to affect most users. A lighter alternative, if a firmware update is about to be installed, is to suspend protection for a single reboot and let it resume automatically afterwards. As long as a backup copy of the recovery key is stored safely, the worst case is typing 48 digits at a blue screen, and the data stays protected in the meantime.