Windows Update Triggering BitLocker Recovery

Windows How To DriveStrike

January’s KB4535680 update (intended to patch Secure Boot DBX) is causing some devices to go into BitLocker recovery mode. Because BitLocker is often used for fleets of Windows machines, this issue can cause major frustration for system administrators.

Microsoft provides information about this update, which includes an explanation of the BitLocker issue. Microsoft writes, “If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible.” Microsoft also gives a couple workarounds for this issue, but these options are only available before deploying the update.

Read the full documentation before installing Windows update KB4535680 so you can ensure your BitLocker Group Policy and Credential Guard are configured to avoid any complications. Unfortunately, there does not seem to be a quick solution to mitigate this problem after the update has been deployed, and you will need the BitLocker recovery key for each affected device.

There are a few ways to get your BitLocker recovery key:

If you use DriveStrike to manage Windows devices and you enabled BitLocker on those machines, you can find the recovery key under the Details section of each respective device page. Simply log in to your DriveStrike account to view the encryption information for your devices.

  • Under the Encryption column in your Dashboard, encrypted devices will say  “Enabled.”
  • Click on a Windows device with BitLocker enabled, and scroll down. The recovery key is available under “BitLocker Status.”
  • See our Encryption page for more information on DriveStrike’s BitLocker integration.

If your device has BitLocker enabled through DriveStrike, contact your organization’s IT support to resolve the issue.

If you do not use DriveStrike to manage your Windows machines, see Microsoft’s guide for finding your BitLocker recovery key. It will likely be in one of the following places:

  • Your Microsoft Account
  • A printout or note you created when you first enabled BitLocker
  • A USB flash drive
  • The person or organization that manages your device — your employer, school, Azure AD admin, or other system administrator.

DriveStrike is a simple, effective, and affordable device management solution, providing BitLocker encryption as well as Remote Wipe, Lock, and Locate features that help you keep your devices and data safe. Please contact us if you have any questions about protecting your devices with DriveStrike. Start a free trial today to see if DriveStrike is the data protection solution your organization needs.

Start Your Free 30 Day Trial

Each day brings new data security challenges, so your organization needs simple and wide-reaching solutions to combat those challenges. DriveStrike is here to help you protect your most critical data with premium quality endpoint security. Start a free trial with DriveStrike today, and contact us if you need any assistance. Our team is always ready to answer your questions.