back to article Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery

Windows users are reporting BitLocker problems after installing last week's security update for Secure Boot. The issues are related to KB5012170, which is designed to plug some Secure Boot holes. It's important for users running kit with Unified Extensible Firmware Interface (UEFI) firmware. "A security feature bypass …

  1. Anonymous Coward
    Anonymous Coward

    Grabs popcorn ...

    So how will MS fix this without asking the user to do it for them (at a cost of <x> house @ <y>$/hour) ?

    This is (yet) another reason to have your MS estate handled under a managed contract. Get the poor middleman to suck up the cost.

    I did this last year with their printing fuckup. Took pretty much a man-day for 50 machines.

    My personal approach is to stop them at "What you need to do" and reflect it back to them :

    No:,. what *you* need to do .... (is fix your shit).

  2. Kev99 Silver badge

    Ah, once more mictosoft shows off its great quality control and product testing.

  3. anthonyhegedus Silver badge

    Quality control

    It’s the total lack of quality control paired with a total lack of transparency. The Microsoft page about the update doesn’t list this as a known problem but they MUST have known about it, surely? Surely…?

    Why are these machines being encrypted anyway? I’ve seen several machines fail to boot with this message, and yet the user has no recollection of ever encrypting the drive. What do you do if you only have one computer and can’t log in to Microsoft to retrieve the key?

    Yes, it all comes back to quality control. This is something that Microsoft has let lapse for far too long that we are accustomed to we just expect this sort of bullshit.

    1. Jou (Mxyzptlk) Silver badge

      Re: Quality control

      OEM-BIOS flags which triggers Windows-auto-bitlocker. Even when you install fresh, with a new SSD.

      1. An_Old_Dog Silver badge
        Holmes

        TPM

        ... was promised to do wonderful things for us, but its correct functioning was and is predicated on, "We promise we'll get all the principles, protocols, and implementations 100% right, this time."

      2. ThatOne Silver badge
        Facepalm

        Re: Quality control

        > OEM-BIOS flags which triggers Windows-auto-bitlocker.

        Of which obviously you don't have the key, and if you're running "Windows Home Edition", you also don't really have any way of finding it, besides a lapidary mention to consult your "Active Directory administrator". Yeah, sure thing, for a personal PC at home... *facepalm*

        Fortunately for me, one of the first things I did was to trash Bitlocker (after managing to discover the obscure command line to do so in "Home" - and some people complain Linux is user-unfriendly...).

        Not that I expected it might turn on me and lock me out, I simply wanted to be able to mount the computer's NTFS partitions in Linux. It's not like there is anything worth protecting on them anyway, if somebody want's to steal the original Win11 installation folders, be my guest.

    2. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Quality control

      Agreed. After this months Microsoft Borkfest Update, we have a boatload of PC's reporting error 0x80073701 when trying to install KB5016616, "2022-08 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems".

  4. Sudosu

    Microsoft, protecting us from "untrusted" software....something something irony.

  5. aerogems Silver badge

    So... ummmm...

    If a person cannot get into their PC, how are they supposed to go to the URLs in the error screen? One shouldn't assume that everyone has a cell phone with Internet access that they could use in a pinch. Given the news coming out about a former occupant of the White House, what about people who work inside secure facilities and are expected to surrender their devices before entering?

    1. Paul Crawford Silver badge

      Re: So... ummmm...

      what about people who work inside secure facilities and are expected to surrender their devices before entering?

      Perhaps they should not be using Windows in the first place?

      To be fair, I imagine such sites have strong rules on central management of PCs so at least they just go to the IT department and get them to sort the crap out.

      1. FBee

        Re: So... ummmm...

        Around here (international operation with 10,000 employees) a request for Domain Administrator to supply the BitLocker password results in "Your computer must be reimaged. Please supply the machine to local Image lab. Thank you!"

        1. An_Old_Dog Silver badge

          Re: So... ummmm...

          No problem! The users were keeping all their data on their network home drive! They hadn't stored anything locally, right?

          1. Roland6 Silver badge
            Joke

            Re: So... ummmm...

            > They hadn't stored anything locally, right?

            Locally: don't know about that, if G: N: S: and Z: are network drives, surely so is C:....

          2. Paul Crawford Silver badge
            Trollface

            Re: So... ummmm...

            Oh that is just part of the free "user education" service.

            1. An_Old_Dog Silver badge
              Headmaster

              Re: So... ummmm...

              User Ed Manual, Definition 1: "network drives" are the ones where the data are backed up, and "local drives" are the ones where the data are borked up.

    2. Anonymous Coward
      Anonymous Coward

      Yeah, even if they have one it may not work where the machine is.

      For all the basement dwellers with no(possibly illegal) cell repeater installed.

      "Excuse me while I de-rack this 85lb 10K$ server and drag it, a monitor, mouse, keyboard, and 50" extension cords for power and data up a couple flights of stairs" because your M$/B$ patch just blew up the virtual servers our virtualized wireless controller and firewall runs on."

      Also, don't do that either, obviously. But the number of times if have had to deal with windows machines that required another working machine to fix is past fingers and toes at this point. They really need to invest in a version and machine independent recovery image(USB ready, as optical drives aren't to be assumed these days). The crap they have doesn't cut it.

      1. Jou (Mxyzptlk) Silver badge

        Re: Yeah, even if they have one it may not work where the machine is.

        Which is cheap, since DriveSnapshot works booted from an Windows install DVD/USB Stick. Just go to "recovery" and then the cmd prompt. Which lets you start drivesnapshot, and then you go on restore. I use that method before trying any insider build. But I recommend a USB 3.1/USB-C SSD to speed things up.

        1. Norman Nescio Silver badge

          Re: Yeah, even if they have one it may not work where the machine is.

          DriveSnapshot works booted from an Windows install DVD/USB Stick. Just go to "recovery" and then the cmd prompt. Which lets you start drivesnapshot, and then you go on restore.

          I must admit, it sounds great.

          I get a little wary of web pages that start with

          Create Disk Image Backups, While Running Windows

          The Backup process will back up all your data into a single file, containing all data, including system data and registry, for total security, should your computer ever crash.

          There is no restart (to DOS) necessary.

          Ever.

          (My bold and italics)

          And follow later with

          Complete Restore of a disk in case of Disaster

          If a disk is restored to its original state, it will be exactly the same as at the time of Backup - byte for byte.

          Restoring a system partition will require DOS; other drives can be restored using Windows

          It's a little misleadingly worded. Not everyone will appreciate the subtle distinction between system data and system partition.

          It almost certainly uses the Wikipedia:Shadow Copy service, which as Wikipedia points out, is not guaranteed to give you a consistent backup, although good attempts by using the 'writers' are made. I hope your applications are compliant.

          [Note: assuring consistency of a snapshot when multiple files / databases are open which depend on updates being consistent across the set of files/databases require cooperation between the snapshot software and the application (or applications). Unless you know your applications do this cooperation, running a snapshot can be like playing Russian roulette with your data.]

          1. Jou (Mxyzptlk) Silver badge

            Re: Yeah, even if they have one it may not work where the machine is.

            > Restoring a system partition will require DOS

            That is simply wrong translated. Not every German is good in English. Well many aren't...

            The actual way is to boot from a Windows 7 or higher CD, have the 64 bit version of that program ready. Then start the CMD prompt from that Windows PE, where you can start the program and go ahead and restore your system partition.

            Though I recommend booting from a somewhat recent Windows 10 DVD/USB Stick, newer and more drivers.

            One hint though: If you backed up a bitlocker partition while it is unlocked, which the system partition usually is when running, the backup will be UNENCRYPTED. Which is, from my point of view, actually more good than bad. You can always backup to an encrypted USB drive.

            As for the snapshot consistency: You are indeed right, not all applications do support it. Just only through the backdoor of "NTFS-consistency".

    3. An_Old_Dog Silver badge

      Re: So... ummmm...

      I've frequently said, "These days, you need a working computer to help you fix a broken computer."

  6. Doctor Syntax Silver badge

    So much for trusted computing.

  7. Jou (Mxyzptlk) Silver badge

    So they broke it knowingly...

    Instead of a big warning as wallpaper or as annoying message at every boot for the next few month they decided to nuke the old UEFIs by putting them on the "deny" list. Which is funny, 'cause updating UEFI often requires bitlocker to be deactivated. I mean completely, not just temporary as it is possible since about 2019, no: boot drive unencrypted. Only to encrypt it again after the updates. Which gets better since, in quite some constellations, bitlocker is activated automatically without anyone knowing (OEM-BIOS setting, HP loves it for example).

  8. Bitsminer Silver badge

    Bitlocker

    How very well named indeed.

  9. Pascal Monett Silver badge

    "he was able to log into Azure and retrieve the recovery keys"

    Thank God for personal computers, eh ?

    This is the risk when you tie yourself hands and feet to a third party that has decided for itself that your hardware belongs to them.

    And then they throw out the QA department and now we're here.

    Honestly, if Linux on the desktop is going to happen, it'll be because of Borkzilla.

    1. Jou (Mxyzptlk) Silver badge

      Re: "he was able to log into Azure and retrieve the recovery keys"

      Oh, if Linux would be the dominating desktop it won't be better. Different, but not better.

      1. Ken Hagan Gold badge

        Re: "he was able to log into Azure and retrieve the recovery keys"

        What if there was no dominating desktop and an OS had to be Not Shit to retain market share?

        1. Jou (Mxyzptlk) Silver badge

          Re: "he was able to log into Azure and retrieve the recovery keys"

          That would be close to NASA requirements. But there would be a side effect: The users would have to learn how to use computers. And there would be big manuals. Like the one for MS-DOS 5.0, over 700 pages, which is very small.

          1. ChrisC Silver badge

            Re: "he was able to log into Azure and retrieve the recovery keys"

            Sounds like my idea of computing heaven, where do I sign up?

      2. Anonymous Coward
        Anonymous Coward

        Re: "he was able to log into Azure and retrieve the recovery keys"

        Different and slightly worse if your distro uses systemd.

    2. druck Silver badge

      Re: "he was able to log into Azure and retrieve the recovery keys"

      At my last company to Windows, I had to call IT at least every 2 months to get they key for the Bitlocker recovery screen. With a Linux only policy ever since, not a single problem with LUKS, and I've resized various partitions on the encrypted disc twice.

  10. Jan K. Bronze badge

    "A security feature bypass vulnerability exists in secure boot,"

    Again??

  11. ecofeco Silver badge

    Bitlocker?

    People still use this shite?

    1. Jou (Mxyzptlk) Silver badge

      Re: Bitlocker?

      Of course! Following combination can Windows do on-board, even with clicky-clicky:

      Snapshots, Encryption, Mirror/stripe (Storage Space please, not the old dynamic sh*t), deduplication if server - since about 2011. All in one. And still be compatible with your applications. Though not all features are recommended for all usage scenarios, obviously.

      Yes, Linux can do it too, in way too many ways, and not that ultra-clicky-simple. And there is no "recommended way" since they are all discussing which is the best. (Though VDO looks interesting to me)

      1. ThatOne Silver badge
        Flame

        Re: Bitlocker?

        > Following combination can Windows do on-board, even with clicky-clicky

        Sorry, either this was removed in Win11, or it is a paying option not available for the plebs using "Home Edition". To unencrypt my system partition on "Win11 Home" I had to search the Internet for a badly documented command line procedure giving voluntarily cryptic answers.

        To a point I had to boot Linux to see if the drive was still encrypted, Windows refusing to clearly tell me so. What would it cost to add a simple line like "Encrypted/Unencrypted" in "Properties"? Way too user friendly I guess, clearly only PowerShell wizards should be able to use a home computer with "Windows Home"...

        And before anybody protests, yes, I found online lots of descriptions of supposed BitLocker menus and GUI settings, except they did not exist in my "Win11 Home" OEM installation of a brand new laptop. The only GUI mention of BitLocker I found was in the hidden Control Panel #2, but even that was empty (=white page) with just a link pointing to a menu which had clearly been removed since (=dead link).

        User-friendly, my ***!

        (Didn't downvote you though.)

        1. Jou (Mxyzptlk) Silver badge

          Re: Bitlocker?

          > "Win11 Home"

          There is no home edition. Therefore I don't need to support it for anyone.

          1. ThatOne Silver badge
            WTF?

            Re: Bitlocker?

            > There is no home edition. Therefore I don't need to support it for anyone.

            ???

            What the heck are you trying to say? Of course there is a "Home" edition.

            (Dell wanted me to pay a little more for the "Pro" one, but since I don't intend to use it, I stayed with "Home".)

            I am also aware that "Home" isn't supposed to have BitLocker, but on the other hand it is supposed to have "device encryption", whatever the difference might be, all I know is my laptop came with a fully encrypted HD, which I had to unencrypt manually, using PowerShell.

            Clearly "no BitLocker" just means "we've taken out all GUI menu entries to manage it, well, it sucks to be you".

            1. Jou (Mxyzptlk) Silver badge

              Re: Bitlocker?

              You had a bad day not seeing the irony. I wish tomorrow will be better for you!

  12. Mayday Silver badge
    Coat

    Can't boot at all?

    Guess it's pretty secure then.

  13. Mark-L

    Forever more to be known as Bitlockout

    So my personal Windows 11 laptop has fallen for this :-(

    Asked to install update and reboot and bang it's locked.

    Odd thing is I never knowingly enabled Bitlocker and I don't have a key to unlock it. M$ online help suggests getting the key back from "your microsoft account", and whilst I do have one to purchase things from M$) I don't use it to log in to my computers (they all have local accounts). So the bitlock key is not there.

    I have all my data backed up, but reformatting, reinstalling Windows and my apps + getting everything back to the way it was will take a day which is a day of my life I would rather not have spent working for M$.

    I will be watching like a hawk to see if the new install enables Bitlocker by default.

    Mark

    1. ThatOne Silver badge

      Re: Forever more to be known as Bitlockout

      My sympathy. My Win11 laptop also came secretly encrypted, I only noticed it when Linux wasn't able to mount the NTFS partitions. So I wasted a day searching how to get rid of BitLocker (see my posts above) (although it seems I would had wasted a day anyway, one way or another).

      I really would like to meet the genius who thought that factory-encrypting computers with random unknown keys was a good idea!

      (BTW, if it reencrypts, the only way to undo this I found is to start an admin PowerShell window (right click on Start), enter Disable-BitLocker -MountPoint "C:" and run it. Replace "C:" with any other drive letter you want to unencrypt.)

  14. J. Cook Silver badge
    Devil

    Well, to play devil's advocate here for a moment...

    ... Microsoft generally does advise people to disable Bitlocker before installing updates.

    HOWEVER, the fact that it doesn't automatically do this is unforgivable, nor is providing any evidence to people that their drives are encrypted using it , and/or providing a means for people to easily back up the recovery to a bootable drive.

    At [RedactedCo], we set up a handful of machines with Bitlocker for various reasons; when we configured it, we also configured a group policy (because these were domain joined machines) that stored the recovery key in AD for that computer account.

    We also had a batch of laptops that used a thumb drive (amusingly shaped like a key!) that held the bitlocker key as a sort of second factor for booting or resuming those machines.

    We since gone to using the TPM for the bitlocker key, but still have the recovery keys stored in AD. Just in case.

    1. Jou (Mxyzptlk) Silver badge

      Re: Well, to play devil's advocate here for a moment...

      > HOWEVER, the fact that it doesn't automatically do this is unforgivable

      Hold here... It DOES do that for UPGRADES, if not forbidden by a GPO. If needed, it goes to the control panel for you, and sets the "auto-unlock for one reboot" flag, which it then uses during the upgrade (where the several reboots during the upgrade counts somewhat as one).

      Once the upgrade is done and windows booted up successfully it removes that flag and works normally again. This is actually regarded as a security issue in some circles. But exposing it required a booted up windows, unlocked and administrator rights.

      > recovery key in AD

      This is currently moved backward, setting the GPO to NOT store the recovery key, blocking that activly. DSGVO is part of the reason. But rough administrators too. And when laptops are stolen by administrators, which can mass-export the recovery keys from the AD, you know it is better to lose whatever data on the laptop than having a chance of someone being able to decrypt it.

  15. kailalitman08

    Replacement

    You are right most people don’t have a recovery key and this just happened to my computer today. I hope Windows fixes it or gives out a recall so we can get a replacement computer/device. I have been trying to bypass it but it doesn’t work.

    1. Bitlocker_Victum

      Re: Replacement

      Had the same problem, my microsoft account tells me it has no bitlocker recovery keys uploaded.

      Tried to do a fresh install of windows but that didn't work either as the windows installation usb stick does not recognise my harddisk. I only have this laptop 2 months now and it is already unworkable.

      I can open a command prompt as administartor though, does anybody know how I can remove that patch and fix my laptop?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like