Windows 10 Secure Boot Bug Triggers BitLocker Key Recovery Issue
What Is the BitLocker Recovery Mode Bug?
The KB4535680 update was released to Windows systems in January 2021.
The original update was a security update designed to resolve an issue with Secure Boot, a security feature that blocks untrusted operating systems from booting on your computer. Its primary role is to protect against dangerous malware types, such as rootkits and bootkits.
However, a side effect of the KB4535680 security update was the accidental introduction of a bug affecting BitLocker. When triggered, it causes the BitLocker recovery mode function to run, which requests your BitLocker recovery key.
You can read the full Microsoft Security Update blog for more information.
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible . . . Specifically, setting this policy with PCR7 omitted, will override the Allow Secure Boot for integrity validation Group Policy. This prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when the firmware is updated.
The BitLocker recovery mode bug is affecting multiple Windows versions:
- Windows Server 2012 x64-bit
- Windows Server 2012 R2 x64-bit
- Windows 8.1 x64-bit
- Windows Server 2016 x64-bit
- Windows Server 2019 x64-bit
- Windows 10, version 1607 x64-bit
- Windows 10, version 1803 x64-bit
- Windows 10, version 1809 x64-bit
- Windows 10, version 1909 x64-bit
If you encounter this error, you should consult the Microsoft BitLocker recovery key guide.
BitLocker Recovery Mode Bug Workaround
There is a workaround available for the BitLocker recovery mode, but it depends on the device configuration. Specifically, how the device’s Credential Guard is configured and whether you’ve already installed the update.
If the device does not have Credential Guard enabled and the update isn’t yet installed, you can run the following commands from an elevated Command Prompt to “suspend BitLocker for 1 reboot cycle:”
Manage-bde –Protectors –Disable C: -RebootCount 1
You can run the command, install the security update (which includes other useful security fixes), then reboot your system without encountering the BitLocker recovery mode.
If the device does have Credential Guard installed and the update isn’t yet installed, it may require multiple restarts. You can run a different command that increases the BitLocker suspension count to three:
Manage-bde –Protectors –Disable C: -RebootCount 3
Either way, you don’t have to panic if you encounter the BitLocker recovery mode bug. Microsoft is also working towards a bug fix for this issue.