January’s KB4535680 update (intended to patch Secure Boot DBX) is causing some devices to go into BitLocker recovery mode. Because BitLocker is often used for fleets of Windows machines, this issue can cause major frustration for system administrators.
Microsoft provides information about this update, including an explanation of the BitLocker issue. Microsoft writes, “If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible.” Microsoft also gives a couple of workarounds for this issue, but these options are only available before deploying the update.
Read the full documentation before installing Windows update KB4535680 so you can ensure your BitLocker Group Policy and Credential Guard are configured to avoid any complications. Unfortunately, there does not seem to be a quick solution to mitigate this problem after the update has been deployed, and you will need the BitLocker recovery key for each affected device.
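One way to check a device before deploying the update, as an added example that is not code from Microsoft or DriveStrike. It reports whether the policy Microsoft names is enabled with PCR7 selected and whether the OS volume has a recovery password protector. The registry location of the policy and the names `Test-Pcr7SelectedByPolicy` and `ReviewBeforeUpdate` are assumptions made for this example.

```powershell
# Added example: pre-deployment check for KB4535680. Run elevated on the device.
# Assumption: the "Configure TPM platform validation profile for native UEFI
# firmware configurations" policy is stored under this key, with an "Enabled"
# DWORD and one DWORD per PCR index ("0".."23").
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-Pcr7SelectedByPolicy {
    param([string]$Path = $policyKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    # Key absent or policy not enabled: the condition Microsoft describes does not apply.
    if (-not $p -or $p.Enabled -ne 1) { return $false }
    # Policy enabled: is PCR7 part of the selected validation profile?
    return ($p.'7' -eq 1)
}

# OS volume state and protectors (BitLocker module cmdlet, needs elevation).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# A recovery password protector must exist for a recovery key to be available
# if the device does drop into BitLocker recovery after the update.
$hasRecoveryPassword = [bool]($os.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Has the update already been installed on this device?
$installed = [bool](Get-HotFix -Id 'KB4535680' -ErrorAction SilentlyContinue)

$pcr7 = Test-Pcr7SelectedByPolicy

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    ProtectionStatus     = $os.ProtectionStatus
    Pcr7SelectedByPolicy = $pcr7
    HasRecoveryPassword  = $hasRecoveryPassword
    UpdateInstalled      = $installed
    # Flag devices that match the policy condition and have not yet taken the update.
    # This cannot tell whether PCR7 binding is possible on the device, so it marks
    # the device for review against Microsoft's documentation, not as certain to fail.
    ReviewBeforeUpdate   = ($pcr7 -and -not $installed -and
                            $os.ProtectionStatus -eq 'On')
}
```

Devices reported with `HasRecoveryPassword` set to false should have a recovery key created and stored before the update is approved for them.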
There are a few ways to get your BitLocker recovery key:
- Under the Encryption column in your Dashboard, encrypted devices will say “Enabled.”
- Click on a Windows device with BitLocker enabled, and scroll down. The recovery key is available under “BitLocker Status.”
- See our Encryption page for more information on DriveStrike’s BitLocker integration.
If your device has BitLocker enabled through DriveStrike, contact your organization’s IT support to resolve the issue.
- Your Microsoft Account
- A printout or note you created when you first enabled BitLocker
- A USB flash drive
- The person or organization that manages your device — your employer, school, Azure AD admin, or other system administrator.
DriveStrike is a simple, effective, and affordable device management solution, providing BitLocker encryption as well as Remote Wipe, Lock, and Locate features that help you keep your devices and data safe. Please contact us if you have any questions about protecting your devices with DriveStrike. Start a free trial today to see if DriveStrike is the data protection solution your organization needs.