Bitlocker activated during update last night


    #2384942

    Dell XPS13, 8th Gen i7, 16 GB DRAM

    Win 10 Pro

    Last night my wife’s computer had downloaded the latest Windows update. She clicked on “Update and Shutdown”.

    This morning when she booted up her computer, a blue screen popped up asking for a Bitlocker key to continue. She had never activated Bitlocker on her computer. It would appear that Bitlocker was activated during the latest update.

    She said that she had been seeing occasional pop-ups asking for a password. She had ignored them. She does not remember exactly what they said.

    Has anyone else experienced Bitlocker self activating after the recent update?

    If Microsoft is activating Bitlocker during updates, they will have some very unhappy people.

    Thanks,

    • #2384986

      She had never activated Bitlocker on her computer

      This is a well known problem.

      https://www.dell.com/community/Windows-10/BitLocker-need-a-key-but-I-never-installed-it/td-p/6019486

      Some PCs came with Bitlocker enabled. If it is on, turn it off.

      Check Bitlocker settings.

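    An added example, not from the thread, for the “Check Bitlocker settings” advice above (it also covers the Windows 10 Home case raised further down, where the Control Panel BitLocker applet is absent): PowerShell that inventories the encryption state of every fixed volume through the Win32_EncryptableVolume WMI class, which Home ships alongside manage-bde.exe, and writes the recovery password for the OS volume to removable media. The drive letter E: and the output file name are assumptions; run it from an elevated prompt.

    ```powershell
    # Added example, not from the thread. Uses Win32_EncryptableVolume and manage-bde.exe,
    # both present on Windows 10 Home; the Get-BitLockerVolume cmdlet needs the BitLocker
    # feature, which Home does not ship. Run from an elevated PowerShell prompt.
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $kpNames = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='RecoveryPassword'; 4='TPM+PIN';
                  5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase';
                  9='TPMCertificate'; 10='Hello' }

    function Get-EncryptableVolumeReport {
        foreach ($v in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
            # GetProtectionStatus: 0 = off, 1 = on, 2 = unknown
            $prot = (Invoke-CimMethod -InputObject $v -MethodName GetProtectionStatus).ProtectionStatus
            # GetConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
            $conv = Invoke-CimMethod -InputObject $v -MethodName GetConversionStatus
            # KeyProtectorType 0 = enumerate every protector on the volume
            $ids  = (Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectors `
                        -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
            $types = foreach ($id in $ids) {
                $t = (Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectorType `
                        -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
                $kpNames[[int]$t]          # cast: hashtable keys are Int32, CIM returns UInt32
            }
            [pscustomobject]@{
                Volume           = $v.DriveLetter
                Protection       = @{0='Off';1='On';2='Unknown'}[[int]$prot]
                ConversionStatus = $conv.ConversionStatus
                EncryptedPercent = $conv.EncryptionPercentage
                KeyProtectors    = ($types -join ', ')
            }
        }
    }

    $report = Get-EncryptableVolumeReport
    $report | Format-Table -AutoSize

    # Protection "Off" together with ConversionStatus 1 is the state OEM device encryption
    # leaves a volume in (encrypted, clear key on disk) until a recovery key has been
    # escrowed; the disk is already ciphertext even though no prompt has appeared yet.
    $osVol = $report | Where-Object Volume -eq $env:SystemDrive
    if ($osVol -and $osVol.KeyProtectors -match 'RecoveryPassword') {
        # E:\ is an assumed USB stick; never leave this file on the encrypted volume itself.
        $out = 'E:\BitLocker-recovery-{0}.txt' -f $env:COMPUTERNAME
        manage-bde -protectors -get $env:SystemDrive | Out-File -FilePath $out -Encoding ascii
        Write-Host "Recovery password written to $out"
    } elseif ($osVol) {
        Write-Warning 'No recovery-password protector on the OS volume; add one before the next update:'
        Write-Warning "  manage-bde -protectors -add $env:SystemDrive -RecoveryPassword"
    }
    ```

    The WMI route was chosen over Get-BitLockerVolume deliberately: it is the only one of the two that answers on a Home edition, and it is what the Settings “Device encryption” page is reading from.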
    • #2384995

      If she has a Microsoft account the bitlocker account is probably hooked into the profile up there.

      Surface devices have done this to me several times. Gives you a heart attack and then you scramble to figure out where that password is. Hopefully she has a Microsoft account and it’s hooked up there; otherwise, how’s your backup situation?

      Susan Bradley Patch Lady/Prudent patcher

      • #2385077

        Thanks, Susan,

        I set up her computer, so I had the password for her account. I finally got the key entered (correctly) and copied the recovery key.

        I will turn it off. It is funny that a 2 year old computer would suddenly encrypt the drive.

        Thank you!

    • #2384996

      https://account.microsoft.com/devices/recoverykey?refd=support.microsoft.com

      Log in there, fingers crossed it’s up there.

      Bottom line: Windows Update doesn’t trigger BitLocker, but it can trigger the password.

      Susan Bradley Patch Lady/Prudent patcher

    • #2385014

      https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

      under “Applying firmware updates to devices” says

      “Suspend BitLocker (required for devices bound to PCR[07] only if the firmware update changes the Secure Boot policy)”

      Would be interesting to see if WU is releasing a BIOS update (which definitely happens; seen it) to fix any of CVE-2021-21551, CVE-2021-21571, CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574, and they haven’t remembered that it needs suspending.

      Strange thing is, when it does, I have seen that the given release isn’t always the latest, so I guess the other possibility is that Dell’s update process hooked the latest update, and Windows Update decided not to suspend BitLocker as it queued an older version not changing the policy in the Windows Update queue.

      Unfortunately this hole is deep: there’s no way to access the drive to resolve whatever is placing it in recovery mode, BUT I would guess the relevant BIOS setting might have toggled, so if you have never been in the BIOS settings, maybe use F2 to access the BIOS settings, locate and use the load optimised defaults option, then save and exit. It might get you in, as if the setting is not set you always get the BitLocker prompt, which you need if you are using a boot-time PIN on a machine with the setting. Could also be informative to see what version the BIOS is while you’re in there, as the problem could also be brought on by a flaky Windows drive.

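      The “suspend BitLocker before a firmware update” step that the OEM guidance quoted above describes, as an added example that is not part of the post. It assumes Windows 10 Pro (the BitLocker cmdlets are not on Home) and an elevated PowerShell prompt; the vendor firmware updater itself is outside the script.

      ```powershell
      # Added example, not from the post. Shows what the TPM protector is sealed to,
      # makes sure a recovery password is recorded, then suspends protection for one
      # reboot so the firmware update cannot land the machine at a recovery prompt.
      $os = $env:SystemDrive

      # 1. manage-bde prints the PCR list on the lines after "PCR Validation Profile:".
      #    "7, 11" is the Secure Boot policy binding (the PCR[07] case in the guidance):
      #    a BIOS update that leaves Secure Boot policy alone does not disturb it.
      #    "0, 2, 4, 11" is the legacy binding to raw firmware and boot-manager
      #    measurements, which every BIOS update changes.
      manage-bde -protectors -get $os |
          Select-String 'PCR Validation Profile' -Context 0, 2 |
          ForEach-Object { $_.Line.Trim(); $_.Context.PostContext | ForEach-Object { $_.Trim() } }

      # 2. A recovery password must exist, and be written down, BEFORE touching firmware.
      $vol = Get-BitLockerVolume -MountPoint $os
      if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
          Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
          $vol = Get-BitLockerVolume -MountPoint $os
      }
      $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object KeyProtectorId, RecoveryPassword | Format-List

      # 3. Suspend for exactly one reboot. The volume stays encrypted, but the volume
      #    key is protected by a clear key on disk, so the first boot after the update
      #    does not depend on the TPM unsealing against the old measurements. When
      #    protection resumes, the TPM protector is resealed to the new PCR values.
      Suspend-BitLocker -MountPoint $os -RebootCount 1 | Out-Null
      if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -ne 'Off') {
          throw 'BitLocker did not suspend; do not run the firmware update.'
      }

      # ... apply the firmware update (vendor tool or Windows Update) and reboot ...

      # 4. After the reboot protection should resume by itself; if not, resume it by
      #    hand rather than leaving the clear key on disk.
      if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -ne 'On') {
          Resume-BitLocker -MountPoint $os | Out-Null
      }
      ```

      Step 4 is the check to keep: a suspended volume reads as “Protection Off” in every tool, and a machine left that way is encrypted in name only.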
      • #2385078

        I have changed registry entries in the past. I will search for the load optimised defaults option.

        Thanks

        • #2385091

          I believe @oldguy was referring to a setting within the machine’s BIOS, wherein you have a choice to load the BIOS’ optimized default settings for the motherboard of the computer. As he says in his post above your reply,

          …maybe use F2 to access the bios settings…

          to get to your BIOS, you usually have to repeatedly press the F2 key immediately when the Dell logo is displayed on the screen while the machine is booting to get into the BIOS.

          If the F2 key doesn’t work, reboot the computer and see which key is mentioned on the screen with the Dell logo on it, such as F1, F12, or even the Delete key (which might be mentioned as the “Del” key).

          I hope this helps, so that you don’t unnecessarily spend time in the registry looking for a setting that isn’t there. After all, the registry is a big, big place and a lousy place to get lost mistakenly. 😉

      • #2385092

        Windows updates haven’t had BIOS updates in them. This is one of those “weird stuff of patching that just happens”™ things that you just have to be ready for if you do BitLocker. The issue occurs when, as in the case of Dell, the machine auto-enrolls you in it and you don’t realize that you have BitLocker.

        Susan Bradley Patch Lady/Prudent patcher

    • #2385124

      funny that a 2 year old computer would suddenly encrypt the drive.

      It has always been encrypted; you didn’t know because you didn’t check.

      Why should you need to check that BL has been enabled without you asking? Windows should tell you before it does anything that may require the recovery key.

      cheers, Paul

      • #2385177

        Paul,

        I agree that MS should inform before making a major change. This did not happen in the case of my wife’s computer.

    • #2385138

      Apparently, some Dell systems can be encrypted with BitLocker without the user’s knowledge or explicit command to do so. Refer to https://www.dell.com/support/kbdoc/en-us/000124701/automatic-windows-device-encryption-bitlocker-on-dell-systems

      I set my new Dell system up with a local account and have never used a Microsoft account on the system, so this automatic encryption shouldn’t be a problem. But, you never know….

      Saying I was absolutely astonished to read this is a huge understatement!

    • #2385139

      Just had a thought. On some newer Dells, the BIOS image is saved in a folder on the UEFI boot partition and isn’t cleaned up until the OS boots to the desktop. Note that by posting this I’m NOT diagnosing it as a BIOS issue, but I understand just how deep the hole you are in is, so any way you can potentially claw your way out, however unlikely, might help.

      Should you be extremely lucky, the “recovery” method might allow you to go back to a BIOS which interacts correctly, should you determine an update was the cause. On the one I tried, the method was to press F6 at boot, which produced a very basic interface to select the roll-back BIOS, which I seem to recall was in .\efi\dell or .\boot\dell (basically it was in a Dell folder there somewhere on the first partition!). I tried it in a similar situation, but never used the recovery, as the procedure basically proved it wasn’t a BIOS update, as the file was very old; it was a flaky SSD which I had to hammer to get a diagnostic code for repair. Again, time to go to Dell support with your service tag and get the manual; it might help, as the key might not be F6:

      https://www.dell.com/support/kbdoc/en-uk/000132453/how-to-recover-the-bios-on-a-dell-computer-or-tablet

      Here’s the MS stuff on it. Wonder what could happen for those who turn on their TPM so they can have Windows 11. Anyone found their drive unexpectedly BitLockered when setup finishes? (The sign-in is done by TPM; you don’t get a prompt unless that process (or Windows) fails.)

      https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker

      • #2385275

        On the one I tried, the method was to press F6 at boot

        According to the Dell site you linked it’s Ctrl Esc, not F6.
        And the BIOS recovery file is not deleted (on my Dell it’s still in EFI\dell\bios\recovery).

        cheers, Paul

    • #2385796

      Same here, also a Dell notebook. Suddenly, there was an exclamation mark on drive C:. That looks like a Bitlocker action. But this notebook has Windows 10 Home installed, and as far as I know, the Home version doesn’t ‘do’ Bitlocker. No Bitlocker in the ‘old’ configuration screen. When I type Bitlocker in the search bar, it does show up, but I can’t do anything with it. There’s no way to either activate or disable it.

      Luckily, there’s an option in the new configuration app, Updates and security > Device encryption. Once disabled, the exclamation mark disappears.

    • #2386037

      Hmm last post didn’t get through.. this is just for info; I missed that the problem was solved and things had moved on. Apologies..

      In the OEM situation a BIOS technology (HSTI) is used to check the security of the boot environment and relay that information to Windows. If the SMM option is enabled in the BIOS, then Windows applies a suitable security policy propagated from that information pool (or, if the OS doesn’t support the policy because it’s a “Home” version, fails in the attempt). The policy is detected by Windows setup and the actions (such as enabling BitLocker) are put into effect following the Windows “out of box” stage of setup, using credentials from the SMM process rather than the user.

      If you deselect SMM and reinstall Windows, then you have to set a BIOS password, remove boot options (including network) and make various other changes, or a malicious user could simply power off the machine at the login prompt (leaving the hard disk in a state where Windows file tampering is plausible, as various files were in use and thus are in the decrypted state) and access the drive from a boot device using an OS not operating BitLocker in order to carry out malicious activity with various tools…

      Reinstalling Windows is the only way I know of to remove the policy: we were deploying W10 1903 LTSC and found a non-encrypted GPT disk image placed on the drive still encrypts automatically if you don’t change the setting, and the Windows policies concerned cite insufficient privileges if you try to change them. The recovery image (usually on the last partition) is, needless to say, not encrypted; you can just format the Windows drive and extract the image to the clean partition from a recovery disk if Dell recovery is broken.

      HSTI:

      https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification

      SMM on Dell business systems:

      https://www.dell.com/support/kbdoc/en-uk/000125922/dell-recommended-policies-for-dell-encryption-enterprise-bitlocker-manager-dell-data-protection-bitlocker-manager

      So not a mystery (I believe it’s been a thing since Windows 8 in some form; if you can find the old WHQL draft specs for that OS you might even find it in there?) but it is something to be aware of.

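    An added example, not from the post above, for anyone who wants the opt-out to be explicit rather than discovered at a recovery prompt. The registry value is the one Microsoft’s OEM BitLocker page (linked twice in this thread) documents for disabling automatic device encryption; that page presents it as a deployment-time (unattend) setting, so applying it to an already-running machine is this example’s assumption, and it only stops future automatic enablement. Run elevated; manage-bde is present on Home as well as Pro.

    ```powershell
    # Added example, not from the thread. Blocks automatic device encryption with the
    # PreventDeviceEncryption value documented on Microsoft's OEM BitLocker page, then
    # decrypts the OS volume if it was already silently encrypted.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

    function Get-AutoEncryptionOptOut {
        # $true when automatic device encryption is blocked on this machine.
        $v = Get-ItemProperty -Path $key -Name PreventDeviceEncryption -ErrorAction SilentlyContinue
        return ($null -ne $v -and $v.PreventDeviceEncryption -eq 1)
    }

    function Set-AutoEncryptionOptOut {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null
    }

    if (-not (Get-AutoEncryptionOptOut)) {
        Set-AutoEncryptionOptOut
        Write-Host 'Automatic device encryption is now blocked for future setups on this machine.'
    }

    # The flag does nothing to a volume that is already encrypted (the "it has always
    # been encrypted" case in this thread). Decrypt that explicitly; manage-bde -status
    # reports "Fully Encrypted" or "Used Space Only Encrypted" for such a volume.
    $status = manage-bde -status $env:SystemDrive
    if ($status -match 'Conversion Status:\s+(Fully Encrypted|Used Space Only Encrypted)') {
        manage-bde -off $env:SystemDrive      # decryption continues in the background
        manage-bde -status $env:SystemDrive   # repeat until it reports Fully Decrypted
    }
    ```

    Whether you want the opt-out at all is a separate question: a laptop that is not encrypted loses everything on it to whoever picks it up, and the thread’s real problem was an unescrowed key, not the encryption.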
    • #2400888

      We managed to get the “key” and it appears to work, then we just get a blank screen. This is a touch-screen laptop. Now what could be wrong and what should we try next?

      We found this on another web page… won’t that wipe out my drive?

      * Restart the system
      * At the Dell Logo keep tapping F2
      * You will enter the BIOS screen
      * Go to Secure Boot header, expand and select Expert Key Management
      * Click the Restore Settings button
      * Select Factory Settings
      * Press OK
      * Exit the BIOS and restart

      Windows should now launch as it did before, even my last browser session appeared and lost nothing from c:\ drive!

    • #2400983

      That sounds like the fix for a retired boot key, which did actually happen, but I can’t see that being an issue today.

      https://www.computerworld.com/article/3528302/the-mess-behind-microsoft-s-yanked-uefi-patch-kb-4524244.html

      Now you have the key, and hopefully you have recovery media to boot, so boot that (which will need the key) and see if Startup Repair can resolve the issue:

      https://support.microsoft.com/en-us/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5

      If that fails, the problem is either not an easy-to-fix issue (which could include a bad BIOS setting) or a hardware issue. If you have an old Windows 7 CD, hitting the space bar as it starts should get you an option to run a memory test, and the XP/Zip download of CrystalDiskInfo from Crystal Dew World, extracted to a USB stick (or to the recovery media; run DiskInfo32 or DiskInfo64 according to the recovery media used), will give an indication of a hard disk problem if that’s the issue (the repair should have at least repaired the file system; check that it is still good if the drive is OK).

      If that turns up nothing, then it’s time to turn on boot logging and try to work out where the log ends up (I’ve had issues there!) and dive into the Windows drive (which in most cases should be C: for UEFI machines) and fetch \Windows\System32\winevt\Logs\System.evtx out to a USB stick; you can open it on another machine and read the logs, which might reveal how far it’s getting before it stalls.

      Finally, see if you can run a file check with DISM; if it fails it will indicate if an update has pending actions, for example (in which case reboot and leave it overnight just in case, or use the /RevertPendingActions switch instead of /Cleanup-Image /RestoreHealth):

      Dism /Image:C:\ /Cleanup-Image /RestoreHealth

      (Might need to check that out; got to go, so I haven’t checked the above line.)

    • #2401014

      Thought I’d missed something: the command needs a source location, and the Windows folder has to be specified, not root.

      The source files can be on the recovery drive of course, but I think you would have to extract the right version of install.esd / install.wim to use it as the source? (Rough form: “Dism /apply-image /imagefile:install.wim /index:1 /ApplyDir:D:\”; more detail at https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14?view=windows-11)

      You’ll have to experiment a bit; using a fresh install (updated to the same point) on a gash drive seems plausible. Detail on repair at

      https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/repair-a-windows-image?view=windows-11

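    The offline-repair sequence the last two posts sketch, written out as an added example that is not part of either post. It is typed into the PowerShell prompt of WinRE or Windows installation media (Shift+F10 on the setup screen opens cmd.exe; start powershell.exe from there). The drive letters are assumptions: C: is the offline Windows volume once unlocked, D: the installation media, E: a USB stick for the collected log; the recovery password is a placeholder, not a real key.

    ```powershell
    # Added example, not from the thread. Runs inside WinRE / setup media, where drive
    # letters differ from the running system: check them with "diskpart" -> "list volume".
    $recoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888'  # placeholder

    # 1. Unlock the BitLocker-protected OS volume so the offline tools can read it.
    manage-bde -unlock C: -RecoveryPassword $recoveryPassword
    manage-bde -status C:

    # 2. If an update is stuck half-applied, back it out first. /Image: is the root of
    #    the offline installation (the volume that holds \Windows), not the \Windows
    #    folder itself.
    dism /Image:C:\ /Cleanup-Image /RevertPendingActions

    # 3. A component-store repair has no Windows Update to fall back on offline, so it
    #    needs a source: the matching edition index from the media's install.wim
    #    (install.esd works the same way). /LimitAccess stops DISM from trying WU.
    dism /Get-WimInfo /WimFile:D:\sources\install.wim
    dism /Image:C:\ /Cleanup-Image /RestoreHealth /Source:WIM:D:\sources\install.wim:1 /LimitAccess

    # 4. System-file check against the offline installation (the online "sfc /scannow"
    #    form would check the RE image you booted, not the broken one).
    sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows

    # 5. Take the System event log away to read on another machine, and switch on boot
    #    logging for the next attempt (ntbtlog.txt is written to C:\Windows). Braces are
    #    quoted because {default} would otherwise be parsed as a PowerShell script block.
    Copy-Item C:\Windows\System32\winevt\Logs\System.evtx "E:\System-$(Get-Date -Format yyyyMMdd).evtx"
    bcdedit /set '{default}' bootlog yes

    # Leave the volume locked again when finished; unlocking in RE does not change
    # protection on the volume, so a plain reboot reseals it.
    manage-bde -lock C: -ForceDismount
    ```

    Step 3 is the part the follow-up post was reaching for: offline, /RestoreHealth without a /Source simply fails after a long wait, and the index number has to match the installed edition (the /Get-WimInfo line lists them).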