• Devices might boot into BitLocker recovery with the July 2024 security update


    #2689954

    Devices might boot into BitLocker recovery with the July 2024 security update

    Status

    Investigating

    Affected platforms

    Client versions              Message ID   Originating KB   Resolved KB
    Windows 11, version 23H2     WI832341     KB5040442        none yet
    Windows 11, version 22H2     WI832342     KB5040442        none yet
    Windows 11, version 21H2     WI832343     KB5040431        none yet
    Windows 10, version 22H2     WI832344     KB5040427        none yet
    Windows 10, version 21H2     WI832345     KB5040427        none yet

    Server versions              Message ID   Originating KB   Resolved KB
    Windows Server 2022          WI832346     KB5040437        none yet
    Windows Server 2019          WI832347     KB5040430        none yet
    Windows Server 2016          WI832348     KB5040434        none yet
    Windows Server 2012 R2       WI832349     KB5040456        none yet
    Windows Server 2012          WI832350     KB5040485        none yet
    Windows Server 2008 R2 SP1   WI832351     KB5040497        none yet
    Windows Server 2008 SP2      WI832352     KB5040499        none yet

    After installing the July 2024 Windows security update, released July 9, 2024 (the Originating KBs listed above), you might see a BitLocker recovery screen upon booting your device. This screen does not commonly appear after a Windows update. You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption. Resulting from this issue, you might be prompted to enter the recovery key from your Microsoft account to unlock your drive.

    Workaround:

    Your device should proceed to start up normally from the BitLocker recovery screen once the recovery key has been entered. You can retrieve the recovery key by logging into the BitLocker recovery screen portal with your Microsoft account. Detailed steps for finding the recovery key are listed here: Finding your BitLocker recovery key in Windows.

    Next steps: We are investigating the issue and will provide an update when more information is available.


    Susan Bradley Patch Lady/Prudent patcher

    2 users thanked author for this post.
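The workaround in the advisory assumes you can reach the recovery key when the blue screen appears. For a fleet, or for a machine signed in with a local account, the practical step is to take the key off the device before installing the Originating KB. The script below is an added example written for this thread; it is not code from the post above or from Microsoft's guidance. It assumes an elevated prompt and the BitLocker PowerShell module that ships with Windows 10/11 (Get-BitLockerVolume, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector, Backup-BitLockerKeyProtector); the switch names and the -OutFile safety check are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not from the post or from Microsoft). Assumes the
# BitLocker PowerShell module shipped with Windows 10/11. Switch names and the
# -OutFile safety check are this example's own choices.
param(
    [switch]$ToEntra,             # device is Entra ID (Azure AD) joined or registered
    [switch]$ToActiveDirectory,   # domain joined; AD schema has the BitLocker recovery attributes
    [string]$OutFile              # CSV on removable media, never on a protected volume
)

function Get-RecoveryEscrowPlan {
    # One row per recovery password on each volume with protection on. Decrypted or
    # suspended volumes cannot raise the recovery screen and are skipped.
    foreach ($v in Get-BitLockerVolume) {
        if ($v.ProtectionStatus -ne 'On') { continue }
        $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # TPM-only volume: a recovery prompt would be unanswerable, so add a
            # numerical password now, while the volume is unlocked.
            $null = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector
            $rp = @((Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        $others = @($v.KeyProtector | Where-Object KeyProtectorType -ne 'RecoveryPassword' |
                    ForEach-Object KeyProtectorType) -join ','
        foreach ($p in $rp) {
            [pscustomobject]@{
                MountPoint       = $v.MountPoint
                VolumeStatus     = $v.VolumeStatus
                OtherProtectors  = $others
                KeyProtectorId   = $p.KeyProtectorId      # recovery screen shows its first 8 characters as "Key ID"
                RecoveryPassword = $p.RecoveryPassword    # the 48 digits typed at the recovery screen
            }
        }
    }
}

$plan = @(Get-RecoveryEscrowPlan)
if ($plan.Count -eq 0) {
    'No volume has BitLocker protection on; the recovery screen cannot appear on this device.'
    return
}

foreach ($e in $plan) {
    if ($ToEntra) {
        $null = BackupToAAD-BitLockerKeyProtector -MountPoint $e.MountPoint -KeyProtectorId $e.KeyProtectorId
    }
    if ($ToActiveDirectory) {
        $null = Backup-BitLockerKeyProtector -MountPoint $e.MountPoint -KeyProtectorId $e.KeyProtectorId
    }
}

if ($OutFile) {
    # A key file that lives on the volume it unlocks is unreadable exactly when you need it.
    $root = Split-Path -Qualifier ([System.IO.Path]::GetFullPath($OutFile))
    if ($plan.MountPoint -contains $root) {
        throw "Refusing to write recovery passwords onto protected volume $root"
    }
    $plan | Export-Csv -NoTypeInformation -Path $OutFile
}

$plan | Format-Table MountPoint, VolumeStatus, OtherProtectors, KeyProtectorId, RecoveryPassword -AutoSize
```

Run it with -ToEntra on an Entra-joined device, -ToActiveDirectory on a domain member, or -OutFile E:\keys.csv with a USB stick mounted. The recovery screen prints the first eight characters of the protector ID as the "Key ID", which is how you pick the right line when a machine has more than one recovery password.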
    • #2689986

      Even if Bitlocker is off for all drives, one is going to get the Bitlocker recovery screen? Naturally one won’t have a recovery key.

      From posts online, it appears that Win10 22H2 security update KB5040427 is causing all kinds of havoc, not limited to the BitLocker recovery screen.

      3 users thanked author for this post.
      • #2689987

        I wondered about that too. My BitLocker is also turned off.

        Windows 11 Pro
        Version 23H2
        OS build 22631.5335

        1 user thanked author for this post.
      • #2690055

        Bitlocker can be on or off but unless you also have “Device Security” enabled, you are less likely to be affected by this issue.

        If you don’t see “Device Security” under Privacy & security, you probably aren’t affected regardless of your Bitlocker status.

        You can find out whether your system supports “Device Security” by opening System Information with elevated privileges (Run As Admin) and scrolling to the bottom.

        • #2690118

          CORRECTION: Meant “Device Encryption” not “Device Security”

        • #2690134

          I looked even though I knew Bitlocker was not enabled. What does THIS mean???

          Device Encryption Support: Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby

      • #2690127

        No.  Drive encryption or Bitlocker has to be enabled.

        Now you could/or someone could have logged into that computer with a Microsoft account, turned on encryption and you didn’t realize it.  I’ve seen that happen.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
    • #2690006

      Can’t users just boot into safe mode and disable ‘Device Encryption’ ?

      It seems that enabling BitLocker brings more trouble than benefits.

      2 users thanked author for this post.
      • #2690147

        Whenever a device has booted demanding a recovery key it WANTS a recovery key.  Now I have forced a reboot and the next time it didn’t ask for a recovery key.  To disable encryption you have to have a running machine that I’ve found.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
    • #2690052

      Even if Bitlocker is off for all drives, one is going to get the Bitlocker recovery screen?

      I don’t think so.

      Windows 10 Pro 22H2 with KB5040427 installed, BitLocker off.
      No problems.

      2 users thanked author for this post.
    • #2690002

      Oh dear. We desperately need more details here!

      • #2690129

        I’ll have more in Monday’s newsletter but if you don’t have encryption enabled, you won’t get a request for the recovery key.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
    • #2690012

      It may seem related to Updating Microsoft Secure Boot keys | Windows IT Pro blog.
      Our Win11 users got the BitLocker recovery key prompt, but we found one specific user who hadn't gotten it because the restart had not been performed; after running the commands from that first article to enable the UEFI Secure Boot CA update and restarting the laptop, there was no BitLocker key prompt.
      Our devices are Lenovo L13 and X13.

      • #2690131

        The July update has two CVEs that touch Secure Boot.  Anytime Microsoft touches that code in patching it can trigger this in some machines.

        Susan Bradley Patch Lady/Prudent patcher
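The two posts above point at the mechanism: a TPM protector is, by default, bound to PCR 7 and PCR 11, and PCR 7 measures the Secure Boot policy, including which CAs are in the firmware's db. An update that changes what is trusted, or that you enable with the Secure Boot servicing commands from the linked article, changes that measurement and the TPM refuses to release the key. The script below is an added example for this thread, not code from either post or from Microsoft; it records the boot-chain facts a patch tester wants before approving the update. It assumes the SecureBoot and BitLocker modules and Get-Tpm that ship with Windows; reading the AvailableUpdates value under the SecureBoot\Servicing key is this example's own addition.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: record whether this device is in the configuration
# that can land in BitLocker recovery after a Secure Boot related update. Uses the
# SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI), Get-Tpm and the
# BitLocker module. The registry value read at the end is the one the Secure Boot
# servicing guidance sets; reading it here is this example's own addition.

function Get-SecureBootReadiness {
    $sb = $false
    # Confirm-SecureBootUEFI throws on legacy BIOS or firmware without the variable.
    try { $sb = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $dbText = ''
    if ($sb) {
        # db holds the certificates the firmware will trust; the CA subject names are
        # readable as ASCII inside the raw signature list, so a substring match suffices.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    }

    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -ErrorAction SilentlyContinue

    # Volumes whose key release depends on PCR measurements: any TPM-based protector.
    $tpmBound = @(Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -and
        @($_.KeyProtector | Where-Object KeyProtectorType -match '^Tpm').Count -gt 0
    }).MountPoint

    [pscustomobject]@{
        SecureBootEnabled          = $sb
        PCA2011InDb                = [bool]($dbText -match 'Microsoft Windows Production PCA 2011')
        WindowsUefiCa2023InDb      = [bool]($dbText -match 'Windows UEFI CA 2023')
        TpmPresent                 = [bool]$tpm.TpmPresent
        TpmReady                   = [bool]$tpm.TpmReady
        SecureBootAvailableUpdates = $servicing.AvailableUpdates   # $null if the servicing value was never set
        TpmBoundVolumes            = $tpmBound -join ','
        RecoveryRisk               = ($sb -and $tpmBound.Count -gt 0)
    }
}

Get-SecureBootReadiness | Format-List
```

A device that reports RecoveryRisk = True and WindowsUefiCa2023InDb = False is exactly the one to hold a recovery password for before the July KB goes on; a device with no TPM-bound volume (BitLocker off, or a password-only protector on a data drive) cannot hit this prompt no matter what the update does to Secure Boot.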

    • #2690092

      Is it too early to know if the “bitlocker recovery” boot issue affects W10 client systems that do not have bitlocker enabled. What happens for systems that have not enabled bitlocker and have only used a local account?

    • #2690121

      Applied the July CU KB5040427 for Windows 10 22H2 back on Jul 14 on 7 different PC’s that all use local accounts, do not have Bitlocker enabled, and do have Device Security enabled.

      [screenshot: DeviceSecurity]

      None of them have encountered a Bitlocker recovery screen during boot up!

      4 users thanked author for this post.
      • #2690125

        I didn’t see an option to turn on or off “Device Security” though there was one for “Core Protection Services”, which was “off” or perhaps it’s “Core Isolation Details.”

        • #2690145

          From Start, open System Information with elevated privileges (Run As Admin). Scroll to the bottom and see what the Value of Device Encryption Support is.

      • #2690175

        Device security is not drive encryption.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2690149

      @SB and others:

      Trying to be VERY clear:

      Windows 10 22H2 Pro. Sys Info shows:

      Device Encryption Support: Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby

      Bitlocker not enabled.

      Install or Hide this update for this or any other reason?

      Thanks.

    • #2690151

      Install or Hide this update for this or any other reason?

      You can install the update.
      Take a full image copy.

    • #2690153

      We’re at DEFCON-2 level for the July Updates. Susan has not approved them yet.
      Her advice on install/hide is usually issued when she changes the DEFCON level.
      There is no need to panic at this point!

      1 user thanked author for this post.
    • #2690190
      1 user thanked author for this post.
      • #2690242

        (hint if you look at the calendar we have extra time this month)

        Haven’t approved it.

        Susan Bradley Patch Lady/Prudent patcher

        • #2690243

          Um, my pause update is set to go off August 1.

          Windows 11 Pro
          Version 23H2
          OS build 22631.5335

          • #2690248

            (hint if you look at the calendar we have extra time this month)

            By that, I believe Susan meant that there are 5 Tuesdays this month. Makes me believe that she might approve the monthly patches on or about the last Tuesday of July, the 30th.

            • #2690250

              I hope so, fingers crossed.

              Windows 11 Pro
              Version 23H2
              OS build 22631.5335

            • #2690257

              Doesn’t take too much to point that out. Perhaps in the newsletter.

              For me, my notice to update always comes the 4th Wednesday of the month, so I did not think to check if there were 5; it is such a rarity. But it is also rare that the “decision” to go or hide does not come before my notice to update.

              It’s hidden. I’ll be prompted to do the other three tomorrow. And then if an all clear comes, I can simply unhide and update.

            • #2690272

              BTW, just took a look forward, and there are 5 Tuesdays in October this year and 5 Tuesdays in December this year. The 5th Tuesday in December is New Year’s Eve day.  😉

    • #2690199

      Install or Hide this update for this or any other reason? Thanks.

      Thank you for responding. So my bitlocker is off and have never been on.

      Device security says it is not supported, there is nothing to turn on or off there.

      Encryption gives a long list of reasons why it “failed”: TPM cannot be used, PCR-7 binding is not supported, etc.

      I do use a microsoft account

      I am on a desktop pc. Am I in danger?

    • #2690251

      “This search shows lots more folks with other issues”

      Windows10Forum also shows that Win10 and Win 11 users are having big issues, including losing Windows installation, and not just from Bitlocker.
      Since MS is unlikely to fix this till after 8/2024, what about delaying at least till 8/2024 Security updates?

      • #2690386

        Every month someone will have an issue somewhere.  I haven’t yet approved updates, but I’m not foreseeing that I will tell you not to update.  Remember my motto — HAVE A BACKUP – if you have a backup you can recover from a security issue as well as an update issue.

        Susan Bradley Patch Lady/Prudent patcher

    • #2690350

      Hi all

      I have two Dell Windows 11 (Home version) PCs. Secure Boot for both machines is set to on. BitLocker is not enabled for any of the drives on both machines. Am I correct please in thinking that I shouldn’t have any issues with this update? Thanks

      I would back up the PC’s before applying any updates but could do without all the hassle to be honest.

      I also looked to see whether the BitLocker code was available on https://account.microsoft.com/devices/recoverykey but the website reports “You don’t have any BitLocker recovery keys uploaded to your Microsoft account.” That makes sense as I never activated BitLocker on either machine, as I am not a great fan of it on desktop machines (but I can see the need for it on laptops taken out of the home).

      Thank you 🙂

    • #2690677

      If there is more than one user for a machine, will each user have to enter the BitLocker recovery key the first time they log on?

    • #2691097

      I have 3 windows 10 (22H2) computers, 2 of which have only one local account and no Microsoft Accounts, and one of which has only one Microsoft Account and no local accounts. All 3 are refurbished, and while I have never encrypted a disk on any of the computers I was curious if anyone else had before I took ownership and if there might be a bitlocker key floating around as a remnant of the refurbishing process.

      I opened a command prompt as an administrator (in the lower left search box type in ‘command prompt’ and then select the admin option) and typed the following command:

      manage-bde -protectors C: -get

      and then pressed Enter (note the spaces immediately preceding the last 2 hyphens). On all 3 computers this returned “Error: No key protectors found” which I interpret as a statement that no bitlocker keys exist.

      Two questions: 1) can anyone verify that my interpretation that no bitlocker keys exist is correct? and 2) I could find no reference to this method of finding encryption keys on any MS web page, and I’m wondering why since the only method they describe requires having a Microsoft Account (or looking for old printouts or flash drives that might have the encryption key on it), which leaves folks who only have local accounts SOL.
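The post above reads "No key protectors found" as "no BitLocker keys exist", and for these machines that is probably right, but the command only lists protectors; it says nothing about whether the volume's contents are encrypted. A volume can be fully encrypted with a clear key and no protectors at all (OEM device encryption that was never activated, or a volume whose protectors were deleted), in which case manage-bde prints the same message. The script below is an added example, not code from the post; it reads the same data manage-bde uses through the Win32_EncryptableVolume WMI class, so it behaves identically on Home (where BitLocker surfaces as "Device encryption"), Pro and Server, and it pulls out any numerical password that does exist, which is the answer to the second question for local-account machines. The status and protector codes are the documented values for that class; it must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: reads the same data manage-bde reports, through the
# Win32_EncryptableVolume WMI class, so it behaves the same on Home ("Device encryption"),
# Pro and Server. The numeric codes are the documented values for that class.
$Namespace      = 'root/cimv2/Security/MicrosoftVolumeEncryption'
$ConversionName = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                     3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$ProtectionName = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$ProtectorName  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
                     4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'
                     7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoAPI-NG' }

function Get-EncryptableVolumeReport {
    foreach ($vol in Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume) {
        $conv = (Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus).ConversionStatus
        $prot = (Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus
        # KeyProtectorType 0 asks for protectors of every type; $null comes back when there are none.
        $ids = @((Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID | Where-Object { $_ })
        $protectors = @(foreach ($id in $ids) {
            $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                    -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
            $rp = $null
            if ($t -eq 3) {
                # The 48-digit key the recovery screen asks for, readable from the running,
                # unlocked system without any Microsoft account.
                $rp = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorNumericalPassword `
                        -Arguments @{ VolumeKeyProtectorID = $id }).NumericalPassword
            }
            [pscustomobject]@{ Id = $id; Type = $ProtectorName[[int]$t]; RecoveryPassword = $rp }
        })

        if ($conv -eq 0 -and $ids.Count -eq 0) {
            $verdict = 'Not encrypted: an update cannot raise the recovery screen here.'
        } elseif ($ids.Count -eq 0) {
            $verdict = 'Encrypted with a clear key and no protectors: no prompt possible, and no protection either.'
        } elseif ($prot -ne 1) {
            $verdict = 'Protection suspended: protectors exist but are not enforced until resumed.'
        } elseif ($protectors.Type -notcontains 'NumericalPassword') {
            $verdict = 'PROTECTED WITHOUT A RECOVERY PASSWORD: add one before patching.'
        } else {
            $verdict = 'Protected: keep the recovery password somewhere off this device.'
        }

        [pscustomobject]@{
            Drive             = $vol.DriveLetter
            Conversion        = $ConversionName[[int]$conv]
            Protection        = $ProtectionName[[int]$prot]
            Protectors        = @($protectors.Type) -join ','
            RecoveryPasswords = @($protectors | Where-Object RecoveryPassword | ForEach-Object RecoveryPassword) -join ' '
            Verdict           = $verdict
        }
    }
}

Get-EncryptableVolumeReport | Format-List
```

On the three refurbished machines described above the expected result is Conversion = FullyDecrypted with an empty Protectors column, which is the only combination that truly means "no BitLocker keys". If Conversion comes back FullyEncrypted with no protectors, the refurbisher left device encryption in its clear-key state: the July update cannot prompt for a key, but the drive is not actually protected either.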

      • #2691329

        You didn’t specify Pro or Home but I’ll assume you don’t currently have Bitlocker enabled. If you enable Bitlocker, you should be able to backup the recovery key. You can then turn off Bitlocker if you wish. Keep in mind that recovery keys are only necessary when Bitlocker is enabled. It’s best to have a backup of the key anytime Bitlocker is enabled (intentionally or not).

        • #2691495

          All are Pro and all have bitlocker disabled. My concern is that at some time in the past bitlocker was enabled by some other entity since all 3 are refurbished. And, although I’ve not heard of any cases where an MS update has turned bitlocker on, I want to be prepared for that to happen since we are dealing, after all, with MS; if bitlocker does get turned on I want to know if any recovery keys have ever been generated, which would be especially important for the 2 computers without a Microsoft Account.

          • #2691510

            Since you now have Bitlocker disabled, it doesn’t matter about keys that may have been generated in the past. If Bitlocker gets turned on in the future, you will be able to find and backup the recovery key that is relevant at that time.

          • #2691525

            I have NEVER seen Windows update enable Bitlocker.  Ever.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
    • #2691368

      Windows 10 22H2 – Local Microsoft Account – Windows Updates paused until 8/13/24

      I am a general user without any PC technical knowledge or expertise.  I follow your instructions if they are easy and don’t require expert technical knowledge.

      Drive Encryption is ON.  I have the option to turn it OFF.

      BitLocker is ON.  I have the option to turn it OFF.

      I have my BitLocker Recovery Key

      Should I turn BitLocker OFF and/or turn Drive Encryption OFF (after Susan Bradley changes the DEFCON to ok to allow July Windows updates)?

      Is this a simple matter of just turning BitLocker OFF and/or Drive Encryption OFF to install the July Windows Updates?

      If I turn BitLocker OFF and/or Drive Encryption OFF, will it be easy to turn them back ON after the July Windows updates are installed, without having to go through any challenging technical procedure to turn them back ON?

      I’m looking forward to the next Susan Bradley advice about this issue.

      Thank you for your help.

      • #2691528

        If you know where your recovery key is, and you want bitlocker, I wouldn’t turn it off merely to install updates.  In my personal testing it has not triggered asking for the recovery key.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
        • #2692781

          I have my BitLocker Recovery Key from my Microsoft Account.  What method is used if I need to provide my BitLocker Recovery Key?  Will I simply be asked to type my 48-digit Recovery Key or is some other technical method used to provide the Recovery Key?

    • #2691849

      From what I’ve read, BitLocker only comes with 11 Pro and not on Home, correct?  If that’s true, here’s the strange thing that happened to my wife’s laptop. Her system information screen says that she has Windows 11 Home, but last week, when she turned her laptop on (she doesn’t have updates set to automatically be installed), she had the blue BitLocker screen come up and tell her that she needs to get the key from her Microsoft account. She goes to her MS account, gets the key, enters it, and everything is now all well and good and her laptop is functioning normally.

      How did that happen if she doesn’t have the Pro version?

      • #2691850

        Check under Settings, Privacy & Security, Device Encryption. If Device Encryption is enabled, then Home’s hidden Bitlocker is on.

        1 user thanked author for this post.
      • #2691868

        Bitlocker comes on Home as well, it’s called “device encryption”.

        We know Windows automatically enables BL and encrypts disks on new machines that meet certain (low) specs. Yours is one of the many Home machines silently encrypted by Windows.

        cheers, Paul

        1 user thanked author for this post.
        • #2691907

          Thanks, Paul!  Now I know where to look.

        • #2691912

          Hi Paul:
          I recently bought a retail Windows 11 Pro 23H2 on usb and installed it on a machine built for me. Bitlocker is shown as OFF for all disks. I assume I can rely on that?

    • #2692114

      Win 11 Pro 23 H2 updated successfully. However the actual updates surprised me:
      KB5040527 2024-07 Cumulative Update Preview for Windows 11 23H2
      and
      KB2267602 Security Intelligence update for MS Defender
      Why would the first update be a Preview?

      Another anomaly: Windows update has “Get updates immediately” but just below
      “Delay 1 week”.

      • #2692546

        Why would the first update be a Preview?

        Another anomaly: Windows update has “Get updates immediately”

        You answered your own question there. Even previews are cumulative.
