Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery

Windows users are reporting BitLocker problems after installing last week's security update for Secure Boot. The issues are related to KB5012170, which is designed to plug some Secure Boot holes. It's important for users running kit with Unified Extensible Firmware Interface (UEFI) firmware. "A security feature bypass …

  1. Anonymous Coward

    Grabs popcorn ...

    So how will MS fix this without asking the user to do it for them (at a cost of <x> hours @ <y>$/hour)?

    This is (yet) another reason to have your MS estate handled under a managed contract. Get the poor middleman to suck up the cost.

    I did this last year with their printing fuckup. Took pretty much a man-day for 50 machines.

    My personal approach is to stop them at "What you need to do" and reflect it back to them :

    No: what *you* need to do .... (is fix your shit).

  2. Kev99 Silver badge

    Ah, once more Microsoft shows off its great quality control and product testing.

  3. anthonyhegedus Silver badge

    Quality control

    It’s the total lack of quality control paired with a total lack of transparency. The Microsoft page about the update doesn’t list this as a known problem but they MUST have known about it, surely? Surely…?

    Why are these machines being encrypted anyway? I’ve seen several machines fail to boot with this message, and yet the user has no recollection of ever encrypting the drive. What do you do if you only have one computer and can’t log in to Microsoft to retrieve the key?

    Yes, it all comes back to quality control. This is something that Microsoft has let lapse for far too long; we are so accustomed to it that we just expect this sort of bullshit.

    1. Jou (Mxyzptlk) Silver badge

      Re: Quality control

      OEM-BIOS flag which triggers Windows auto-BitLocker. Even when you install fresh, with a new SSD.

      1. An_Old_Dog Silver badge
        Holmes

        TPM

        ... was promised to do wonderful things for us, but its correct functioning was and is predicated on, "We promise we'll get all the principles, protocols, and implementations 100% right, this time."

      2. ThatOne Silver badge
        Facepalm

        Re: Quality control

        > OEM-BIOS flags which triggers Windows-auto-bitlocker.

        Of which obviously you don't have the key, and if you're running "Windows Home Edition", you also don't really have any way of finding it, besides a lapidary mention to consult your "Active Directory administrator". Yeah, sure thing, for a personal PC at home... *facepalm*

        Fortunately for me, one of the first things I did was to trash Bitlocker (after managing to discover the obscure command line to do so in "Home" - and some people complain Linux is user-unfriendly...).

        Not that I expected it might turn on me and lock me out, I simply wanted to be able to mount the computer's NTFS partitions in Linux. It's not like there is anything worth protecting on them anyway; if somebody wants to steal the original Win11 installation folders, be my guest.

    2. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Quality control

      Agreed. After this month's Microsoft Borkfest Update, we have a boatload of PCs reporting error 0x80073701 when trying to install KB5016616, "2022-08 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems".

  4. Sudosu Bronze badge

    Microsoft, protecting us from "untrusted" software....something something irony.

  5. aerogems Silver badge

    So... ummmm...

    If a person cannot get into their PC, how are they supposed to go to the URLs in the error screen? One shouldn't assume that everyone has a cell phone with Internet access that they could use in a pinch. Given the news coming out about a former occupant of the White House, what about people who work inside secure facilities and are expected to surrender their devices before entering?

    1. Paul Crawford Silver badge

      Re: So... ummmm...

      > what about people who work inside secure facilities and are expected to surrender their devices before entering?

      Perhaps they should not be using Windows in the first place?

      To be fair, I imagine such sites have strong rules on central management of PCs so at least they just go to the IT department and get them to sort the crap out.

      1. FBee

        Re: So... ummmm...

        Around here (international operation with 10,000 employees) a request for Domain Administrator to supply the BitLocker password results in "Your computer must be reimaged. Please supply the machine to local Image lab. Thank you!"

        1. An_Old_Dog Silver badge

          Re: So... ummmm...

          No problem! The users were keeping all their data on their network home drive! They hadn't stored anything locally, right?

          1. Roland6 Silver badge
            Joke

            Re: So... ummmm...

            > They hadn't stored anything locally, right?

            Locally: don't know about that, if G: N: S: and Z: are network drives, surely so is C:....

          2. Paul Crawford Silver badge
            Trollface

            Re: So... ummmm...

            Oh that is just part of the free "user education" service.

            1. An_Old_Dog Silver badge
              Headmaster

              Re: So... ummmm...

              User Ed Manual, Definition 1: "network drives" are the ones where the data are backed up, and "local drives" are the ones where the data are borked up.

    2. Anonymous Coward

      Yeah, even if they have one it may not work where the machine is.

      For all the basement dwellers with no(possibly illegal) cell repeater installed.

      "Excuse me while I de-rack this 85lb 10K$ server and drag it, a monitor, mouse, keyboard, and 50" extension cords for power and data up a couple of flights of stairs, because your M$/B$ patch just blew up the virtual servers our virtualized wireless controller and firewall run on."

      Also, don't do that either, obviously. But the number of times I have had to deal with Windows machines that required another working machine to fix is past fingers and toes at this point. They really need to invest in a version- and machine-independent recovery image (USB ready, as optical drives aren't to be assumed these days). The crap they have doesn't cut it.

      1. Jou (Mxyzptlk) Silver badge

        Re: Yeah, even if they have one it may not work where the machine is.

        Which is cheap, since DriveSnapshot works booted from a Windows install DVD/USB stick. Just go to "recovery" and then the cmd prompt, which lets you start DriveSnapshot, and then you go on to restore. I use that method before trying any insider build. But I recommend a USB 3.1/USB-C SSD to speed things up.

        1. Norman Nescio Silver badge

          Re: Yeah, even if they have one it may not work where the machine is.

          > DriveSnapshot works booted from a Windows install DVD/USB stick. Just go to "recovery" and then the cmd prompt. Which lets you start DriveSnapshot, and then you go on to restore.

          I must admit, it sounds great.

          I get a little wary of web pages that start with

          > Create Disk Image Backups, While Running Windows
          >
          > The Backup process will back up all your data into a single file, containing all data, including system data and registry, for total security, should your computer ever crash.
          >
          > There is no restart (to DOS) necessary. Ever.

          (My bold and italics)

          And follow later with

          > Complete Restore of a disk in case of Disaster
          >
          > If a disk is restored to its original state, it will be exactly the same as at the time of Backup - byte for byte.
          >
          > Restoring a system partition will require DOS; other drives can be restored using Windows

          It's a little misleadingly worded. Not everyone will appreciate the subtle distinction between system data and system partition.

          It almost certainly uses the Shadow Copy service (see Wikipedia), which, as Wikipedia points out, is not guaranteed to give you a consistent backup, although good attempts are made by using the 'writers'. I hope your applications are compliant.

          [Note: assuring consistency of a snapshot when multiple files / databases are open which depend on updates being consistent across the set of files/databases requires cooperation between the snapshot software and the application (or applications). Unless you know your applications do this cooperation, running a snapshot can be like playing Russian roulette with your data.]

          1. Jou (Mxyzptlk) Silver badge

            Re: Yeah, even if they have one it may not work where the machine is.

            > Restoring a system partition will require DOS

            That is simply translated wrongly. Not every German is good at English. Well, many aren't...

            The actual way is to boot from a Windows 7 or higher CD, have the 64 bit version of that program ready. Then start the CMD prompt from that Windows PE, where you can start the program and go ahead and restore your system partition.

            Though I recommend booting from a somewhat recent Windows 10 DVD/USB Stick, newer and more drivers.

            One hint though: If you backed up a bitlocker partition while it is unlocked, which the system partition usually is when running, the backup will be UNENCRYPTED. Which is, from my point of view, actually more good than bad. You can always backup to an encrypted USB drive.

            As for the snapshot consistency: You are indeed right, not all applications do support it. Just only through the backdoor of "NTFS-consistency".

    3. An_Old_Dog Silver badge

      Re: So... ummmm...

      I've frequently said, "These days, you need a working computer to help you fix a broken computer."

  6. Doctor Syntax Silver badge

    So much for trusted computing.

  7. Jou (Mxyzptlk) Silver badge

    So they broke it knowingly...

    Instead of a big warning as wallpaper or as an annoying message at every boot for the next few months, they decided to nuke the old UEFIs by putting them on the "deny" list. Which is funny, 'cause updating UEFI often requires bitlocker to be deactivated. I mean completely, not just temporarily as has been possible since about 2019, no: boot drive unencrypted. Only to encrypt it again after the updates. Which gets better since, in quite some constellations, bitlocker is activated automatically without anyone knowing (OEM-BIOS setting, HP loves it for example).

  8. Bitsminer Silver badge

    Bitlocker

    How very well named indeed.

  9. Pascal Monett Silver badge

    "he was able to log into Azure and retrieve the recovery keys"

    Thank God for personal computers, eh ?

    This is the risk when you tie yourself hands and feet to a third party that has decided for itself that your hardware belongs to them.

    And then they throw out the QA department and now we're here.

    Honestly, if Linux on the desktop is going to happen, it'll be because of Borkzilla.

    1. Jou (Mxyzptlk) Silver badge

      Re: "he was able to log into Azure and retrieve the recovery keys"

      Oh, if Linux were the dominating desktop it wouldn't be better. Different, but not better.

      1. Ken Hagan Gold badge

        Re: "he was able to log into Azure and retrieve the recovery keys"

        What if there was no dominating desktop and an OS had to be Not Shit to retain market share?

        1. Jou (Mxyzptlk) Silver badge

          Re: "he was able to log into Azure and retrieve the recovery keys"

          That would be close to NASA requirements. But there would be a side effect: The users would have to learn how to use computers. And there would be big manuals. Like the one for MS-DOS 5.0, over 700 pages, which is very small.

          1. ChrisC Silver badge

            Re: "he was able to log into Azure and retrieve the recovery keys"

            Sounds like my idea of computing heaven, where do I sign up?

      2. Anonymous Coward

        Re: "he was able to log into Azure and retrieve the recovery keys"

        Different and slightly worse if your distro uses systemd.

    2. druck Silver badge

      Re: "he was able to log into Azure and retrieve the recovery keys"

      At my last company to use Windows, I had to call IT at least every 2 months to get the key for the BitLocker recovery screen. With a Linux-only policy ever since, not a single problem with LUKS, and I've resized various partitions on the encrypted disc twice.

  10. Jan K.

    "A security feature bypass vulnerability exists in secure boot,"

    Again??

  11. ecofeco Silver badge

    Bitlocker?

    People still use this shite?

    1. Jou (Mxyzptlk) Silver badge

      Re: Bitlocker?

      Of course! Windows can do the following combination on-board, even with clicky-clicky:

      Snapshots, Encryption, Mirror/stripe (Storage Space please, not the old dynamic sh*t), deduplication if server - since about 2011. All in one. And still be compatible with your applications. Though not all features are recommended for all usage scenarios, obviously.

      Yes, Linux can do it too, in way too many ways, and not that ultra-clicky-simple. And there is no "recommended way" since they are all discussing which is the best. (Though VDO looks interesting to me)

      1. ThatOne Silver badge
        Flame

        Re: Bitlocker?

        > Following combination can Windows do on-board, even with clicky-clicky

        Sorry, either this was removed in Win11, or it is a paying option not available for the plebs using "Home Edition". To unencrypt my system partition on "Win11 Home" I had to search the Internet for a badly documented command line procedure giving voluntarily cryptic answers.

        To the point that I had to boot Linux to see if the drive was still encrypted, Windows refusing to clearly tell me so. What would it cost to add a simple line like "Encrypted/Unencrypted" in "Properties"? Way too user friendly I guess, clearly only PowerShell wizards should be able to use a home computer with "Windows Home"...

        And before anybody protests, yes, I found online lots of descriptions of supposed BitLocker menus and GUI settings, except they did not exist in my "Win11 Home" OEM installation of a brand new laptop. The only GUI mention of BitLocker I found was in the hidden Control Panel #2, but even that was empty (=white page) with just a link pointing to a menu which had clearly been removed since (=dead link).

        User-friendly, my ***!

        (Didn't downvote you though.)

        1. Jou (Mxyzptlk) Silver badge

          Re: Bitlocker?

          > "Win11 Home"

          There is no home edition. Therefore I don't need to support it for anyone.

          1. ThatOne Silver badge
            WTF?

            Re: Bitlocker?

            > There is no home edition. Therefore I don't need to support it for anyone.

            ???

            What the heck are you trying to say? Of course there is a "Home" edition.

            (Dell wanted me to pay a little more for the "Pro" one, but since I don't intend to use it, I stayed with "Home".)

            I am also aware that "Home" isn't supposed to have BitLocker, but on the other hand it is supposed to have "device encryption", whatever the difference might be, all I know is my laptop came with a fully encrypted HD, which I had to unencrypt manually, using PowerShell.

            Clearly "no BitLocker" just means "we've taken out all GUI menu entries to manage it, well, it sucks to be you".

            1. Jou (Mxyzptlk) Silver badge

              Re: Bitlocker?

              You had a bad day not seeing the irony. I wish tomorrow will be better for you!

  12. Mayday
    Coat

    Can't boot at all?

    Guess it's pretty secure then.

  13. Mark-L

    Forever more to be known as Bitlockout

    So my personal Windows 11 laptop has fallen for this :-(

    Asked to install update and reboot and bang it's locked.

    Odd thing is I never knowingly enabled Bitlocker and I don't have a key to unlock it. M$ online help suggests getting the key back from "your microsoft account", and whilst I do have one (to purchase things from M$) I don't use it to log in to my computers (they all have local accounts). So the bitlock key is not there.

    I have all my data backed up, but reformatting, reinstalling Windows and my apps + getting everything back to the way it was will take a day which is a day of my life I would rather not have spent working for M$.

    I will be watching like a hawk to see if the new install enables Bitlocker by default.

    Mark

    1. ThatOne Silver badge

      Re: Forever more to be known as Bitlockout

      My sympathy. My Win11 laptop also came secretly encrypted, I only noticed it when Linux wasn't able to mount the NTFS partitions. So I wasted a day searching how to get rid of BitLocker (see my posts above) (although it seems I would have wasted a day anyway, one way or another).

      I really would like to meet the genius who thought that factory-encrypting computers with random unknown keys was a good idea!

      (BTW, if it reencrypts, the only way to undo this I found is to start an admin PowerShell window (right click on Start), enter Disable-BitLocker -MountPoint "C:" and run it. Replace "C:" with any other drive letter you want to unencrypt.)
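    Several people in this thread (Mark-L, ThatOne, Bitlocker_Victum) hit the recovery prompt on a drive they never knowingly encrypted and had no key for. The PowerShell below is an added example, not posted by anyone in the thread, that does what ThatOne asks for: it states plainly whether each volume is encrypted, lists its key protectors, adds a 48-digit recovery password where an encrypted volume has none, and writes the passwords to a file that is not on the protected disk. It uses the stock BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Disable-BitLocker); the export path E:\ and the elevated prompt are assumptions, and whether the module is present on a given Home edition is something to check on the box rather than something this example guarantees.

```powershell
# Added example (not from the thread): report BitLocker / device-encryption state per
# volume and get the recovery password(s) off the disk they protect.
# Assumes an elevated PowerShell and a removable drive mounted as E: (change to taste).
#Requires -RunAsAdministrator

Import-Module BitLocker -ErrorAction Stop

$KeyExportPath = 'E:\bitlocker-recovery-keys.txt'   # assumed location, not the encrypted disk

foreach ($vol in Get-BitLockerVolume) {
    # VolumeStatus is the "Encrypted/Unencrypted" line the Properties dialog lacks:
    # FullyDecrypted, FullyEncrypted, EncryptionInProgress, DecryptionInProgress, ...
    # ProtectionStatus reads Off while protection is suspended even though data is encrypted.
    Write-Host ("{0}  status={1}  protection={2}  encrypted={3}%" -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)

    # Key protectors: Tpm, TpmPin, RecoveryPassword, ExternalKey (USB key file), Password, ...
    foreach ($kp in $vol.KeyProtector) {
        Write-Host ("    protector {0} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }

    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $recovery) {
        # Encrypted with only a TPM protector: if the TPM measurements change (firmware or
        # DBX update, board swap) there is no way back in. Add a recovery password now.
        Write-Warning "$($vol.MountPoint): encrypted but has no recovery password; adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($r in $recovery) {
        # 48-digit recovery password; the text file is a stop-gap, move it somewhere safer.
        "{0} {1} {2}" -f $vol.MountPoint, $r.KeyProtectorId, $r.RecoveryPassword |
            Add-Content -Path $KeyExportPath
    }
}

# To do what ThatOne does and remove encryption entirely (decryption runs in the
# background; poll Get-BitLockerVolume until VolumeStatus is FullyDecrypted):
#   Disable-BitLocker -MountPoint "C:"
```

    On a device signed in with a Microsoft account or joined to Azure AD, `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>` pushes the same recovery password to the account, which is where the article's "he was able to log into Azure and retrieve the recovery keys" came from. With local accounts, as in Mark-L's case, nothing is escrowed anywhere unless you export it yourself, which is the point of the file above.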

  14. J. Cook Silver badge
    Devil

    Well, to play devil's advocate here for a moment...

    ... Microsoft generally does advise people to disable Bitlocker before installing updates.

    HOWEVER, the fact that it doesn't automatically do this is unforgivable, nor is it providing any evidence to people that their drives are encrypted using it, and/or providing a means for people to easily back up the recovery key to a bootable drive.

    At [RedactedCo], we set up a handful of machines with Bitlocker for various reasons; when we configured it, we also configured a group policy (because these were domain joined machines) that stored the recovery key in AD for that computer account.

    We also had a batch of laptops that used a thumb drive (amusingly shaped like a key!) that held the bitlocker key as a sort of second factor for booting or resuming those machines.

    We have since gone to using the TPM for the BitLocker key, but still have the recovery keys stored in AD. Just in case.

    1. Jou (Mxyzptlk) Silver badge

      Re: Well, to play devil's advocate here for a moment...

      > HOWEVER, the fact that it doesn't automatically do this is unforgivable

      Hold here... It DOES do that for UPGRADES, if not forbidden by a GPO. If needed, it goes to the control panel for you, and sets the "auto-unlock for one reboot" flag, which it then uses during the upgrade (where the several reboots during the upgrade count somewhat as one).

      Once the upgrade is done and windows booted up successfully it removes that flag and works normally again. This is actually regarded as a security issue in some circles. But exposing it required a booted up windows, unlocked and administrator rights.

      > recovery key in AD

      This is currently moving backwards: setting the GPO to NOT store the recovery key, blocking that actively. DSGVO (GDPR) is part of the reason. But rogue administrators too. And when laptops are stolen by administrators, who can mass-export the recovery keys from the AD, you know it is better to lose whatever data is on the laptop than to have a chance of someone being able to decrypt it.
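      Pulling together the article's point (KB5012170 is a Secure Boot update that changes the UEFI forbidden-signature database, dbx), Jou's "auto-unlock for one reboot" flag and J. Cook's recovery keys in AD: the script below is an added example, not from the article or any commenter, of what an admin can run on a TPM-protected, domain-joined machine before pushing such an update. The reason a dbx change trips recovery is that the Secure Boot policy, dbx included, is measured into PCR 7, which a TPM-only BitLocker protector is sealed against; suspending protection for one reboot lets the new measurements be accepted. Confirm-SecureBootUEFI, Get-SecureBootUEFI, Backup-BitLockerKeyProtector and Suspend-BitLocker are stock cmdlets; escrowing only when domain-joined and the reboot count of one are choices made for this example.

```powershell
# Added example (not from the thread): pre-flight for a Secure Boot / DBX or firmware
# update on a BitLocker-protected machine. Assumes an elevated PowerShell on a UEFI
# system with the BitLocker and SecureBoot modules, and (for escrow) a domain-joined
# computer whose GPO/schema permits recovery-password backup to AD.
#Requires -RunAsAdministrator

Import-Module BitLocker, SecureBoot -ErrorAction Stop

# 1. Is Secure Boot on? Confirm-SecureBootUEFI throws on legacy-BIOS systems.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Snapshot the current dbx size. A DBX update grows this blob, and its hash is part of
#    PCR 7, so comparing before/after shows whether the update actually touched it.
if ($secureBoot) {
    $dbx = Get-SecureBootUEFI -Name dbx
    Write-Host ("dbx is currently {0} bytes" -f $dbx.Bytes.Length)
}

$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 3. For every volume with protection on: escrow the recovery password, then suspend
#    protection for exactly one reboot (Jou's flag; Windows clears it after a clean boot).
foreach ($vol in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no recovery password protector; add one before updating"
    } elseif ($domainJoined) {
        foreach ($r in $rp) {
            # Writes the password to the computer object's msFVE-RecoveryInformation,
            # the same thing J. Cook's GPO does at enable time, here done on demand.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $r.KeyProtectorId
        }
    } else {
        Write-Warning "$($vol.MountPoint): not domain-joined, recovery password is not escrowed anywhere"
    }

    # RebootCount 1: protection comes back by itself after the next successful boot.
    # A firmware flash plus OS update may need more; raise the count rather than disabling.
    Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 1 | Out-Null
    Write-Host ("{0}: protection suspended for 1 reboot" -f $vol.MountPoint)
}

# 4. Install the update / flash firmware and reboot here.
# 5. After the reboot, confirm nothing stayed suspended:
#      Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus
#    and Resume-BitLocker -MountPoint C: for anything still reading Off.
```

      The two warnings are deliberate: a TPM-only volume with no escrowed recovery password is exactly the situation the thread's home users ended up in, and suspending protection only helps for the reboots you counted, so the post-reboot check in step 5 is not optional.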

  15. kailalitman08

    Replacement

    You are right most people don’t have a recovery key and this just happened to my computer today. I hope Windows fixes it or gives out a recall so we can get a replacement computer/device. I have been trying to bypass it but it doesn’t work.

    1. Bitlocker_Victum

      Re: Replacement

      Had the same problem, my microsoft account tells me it has no bitlocker recovery keys uploaded.

      Tried to do a fresh install of windows but that didn't work either as the windows installation usb stick does not recognise my harddisk. I only have this laptop 2 months now and it is already unworkable.

      I can open a command prompt as administrator though, does anybody know how I can remove that patch and fix my laptop?
