|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
ISSUE 21.31.1 • 2024-07-31 By Susan Bradley It’s time to check whether your boot drive is encrypted. As I predicted, Microsoft’s July 2024 security up
[See the full post at: MS-DEFCON 3: Secure Boot triggers recovery keys]
Susan Bradley Patch Lady/Prudent patcher
For those who like myself, do not know what a Firmware Binary is, let alone how to upload it, Ars Technica provides ways to find out whether your firmware is affected.
The first is for Windows Powershell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
PK).bytes) -match “DO NOT TRUST|DO NOT SHIP”
If the output is “True”, you have a problem.
For Linux users, the Command Line code is:
$ efi-readvar -v PK
You will see output something like:
Variable PK, length 862
PK: List 0, type X509
Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-
fbf883bbb35e
Subject:
CN=DO NOT TRUST – AMI Test PK
Issuer:
CN=DO NOT TRUST – AMI Test PK
Or a legitimate Certificate output. (I won’t post my own results, as the Certificate may contain security information.)
I think this method is easier to use than trying to figure out how to upload your current firmware binary to a website. Safer, too.
-- rc primak
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match “DO NOT TRUST|DO NOT SHIP”
Note: to get this Powershell command to work you must replace the “smart quotes” WordPress placed around “DO NOT TRUST|DO NOT SHIP” with regular quotes like this.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
Thanks for your posts.
In my house, we have three Win11 and one Win10 machines. Two of the Win11 machines had Bitlocker activated and the one Win10 machine also had Bitlocker activated. I was able to turn off Bitlocker on all three machines. We were never asked to activate Bitlocker. I hope Microsoft gets their head out of their rear on this one.
Just to underline Susan’s point, I checked both of our computers for Bitlocker. On my Dell XPS it was turned off – fine. On my wife’s Dell Vostro, it was turned on, presumable by default from installation because it is a business laptop. I didn’t know and have no idea where the recovery key is. The drive is now decrypting. Thanks Microsoft.
Chris
Win 10 Pro x64 Group A
When you use Macrium as backup, the first thing you should do is make a bootable USB Rescue Drive. You will need a 8-32GB USB Drive. The procedure is a choice in the Macrium Menu. When you finish making the bootable Rescue USB, you need to verify that the computer will boot from the drive, that the Macrium software that starts when you do, and it can see the external HDD and the backup file stored on it.
Then you restore the full image backup to the computer’s drive using the Restore option in the Macrium software running from the bootable USB.
Hey Y’all,
I’ve just updated my CMsLocalPCInfo powershell program (v 6.40.10) to include information on compromised keys. Thanks to R C Primak for the command!
I’ve test all of my machines 2 Dells & 1 Minis Forum and all return “false” meaning the bad keys were not found.
If you try this out and get a True please let me know so I know the code is working properly. I’d also appreciate anyone who doen’t have Secure Boot enabled to check it out. You should NOT see that line in the output.
I’d also appreciate anyone who doen’t have Secure Boot enabled to check it out. You should NOT see that line in the output.
Windows 10 22H2 without Secure Boot. Verified that line doesn’t appear!
However, there’s a problem where the actual values shown in the Value column on both the General Hardware and Processor (CPU) screens get truncated to only 5 characters (i.e. the width of the column header.)
I checked all the other tabs and those 2 are the only place where it happens.
Note: running the default Powershell v5.1 that comes with Windows 10.
The Write File button does the same thing.
What causes it is, unless you deliberately override it, the output width of any tables the script creates is controlled by the width of the powershell “prompt” window that ran the script; which in my case is set for 30 characters.
The fix is to always specify a table width value that’s large enough to display all possible column values by including the following after the Format-Table command.
| Out-File -width ###
Looking thru your code, I see you did do that for some, but not all, Format-Table commands.
FYI, for me, a ### value of 136 normally allows all the columns to show full width values.
Looks good now 
Found another problem with your script.
The Logical Disks tab incorrectly shows my mapped external drive as C: when it should be A:
What’s stranger is, if I run the actual powershell command you use in your script to detect the drive letters directly from a powershell prompt, drive A: doesn’t show at all.
So why is your script showing it and with the wrong drive letter?!?!
n0ads,
Try running the script from a non-elevated PowerShell and see what you get.
Windows doesn’t recognize Mapped drives that are not created at the same level, e.g. User vs Admin.
After mapping a drive:
Not quite sure why the line jump. The A: drive shouldn’t show up on that screen it should be on the Mapped drives screen as shown above.
You’re a good tester as you are obviously running stock settings where I am.
Thanks Again!
Drive A: does show up on the Maps and Shares tab like it should.
Try running the script from a non-elevated PowerShell and see what you get.
Don’t have a non-admin user on my system so there’s no way for me to do that, but I figured out why Drive A is showing up on the Logical Disk tab.
The Function LogicalDiskTab section of your script includes Where-Object { $_.DriveType -ne 5 } so it ignores “compact disks” when gathering the logical disk info.
The problem is, Drive A: is a DriveType 4 network disk, which isn’t being ignored, so it gets added to the list of detected local disks.
But the next command in that function only gets drive letters for actual local disks so it doesn’t detect drive letter A.
The display of logical drive letters are then off by one row because there’s an extra row for my network drive that got detected as if it were a local disk!
The fix is to modify line 2718 to Where-Object { $_.DriveType -ne 4 -And $_.DriveType -ne 5 } | so it also ignores network drives.
I did that with my copy of your script and here’s what the Logical Drives tab now shows.
BTW, you might want to also modify that section so it ignores disks with a 0 size like my Y & Z which are SD Card and Micro SD Card readers in a USB hub attached to my PC that are assigned driver letters regardless of whether there’s actually a card in them or not.
I’m curious as to why when I mapped a drive on my NAS as A: it didn’t show up on the Logical Disks tab with the misalignment like yours did.
Actually, the Logical Disk screenshot you posted above does show the same mismatch.
It shows your mapped A: drive as C, your Windows C: drive as G, and your Data G: drive with no letter.
The new version did eliminate my mapped network drive A: but it still shows my empty SD card reader slots as drive Y & Z.
I found the following modification to the code on line 2730 will ignore them unless there’s actually an SD Card in them.
Where-Object { $_.DriveType -ne 4 -and
$_.DriveType -ne 5 -and
$_.Size -ne $Null } |
Without SD Card in reader
With SD Card in reader.
BTW, I’ve noticed that it sometimes takes an extra long time for your script to get past the Getting Windows Update Info step (50 – 70 secs.)
Why?
n0ads,
Ok I added the parameter -ActiveDrivesOnly.
I’ve tried testing it but unfortunately my Dell 8920 doesn’t assign a drive letter to the SD Card reader until you place a card in the drive. It may be due to my use of USBDLM software.
No Card in Drive:
Card in Drive:
Before I post this one would you mind testing this by replacing the block of code in your current copy with this:
Function LogicalDiskTab {
#Excluding Network Drives (4) and DVD/CDs (5)
[PSObject]$Logical = Get-CimInstance -Class Win32_LogicalDisk |
Where-Object { $_.DriveTYpe -ne 4 -and
$_.DriveType -ne 5 }
If ($ActiveDrivesOnly.IsPresent) {
$Logical = $Logical | Where-Object {$_.Size -ne $Null }
}
$Logical = $Logical |
Select-Object @{N="DriveLetter";E={$_.DeviceID[0]}},
VolumeName, Filesystem, DriveType, Compressed,
Size, FreeSpace |
Sort-Object -property DriveLetter
#------ Replace to but not including the code below:
[PSObject]$Volume = Get-Volume |
Where-Object DriveType -ne "CD-ROM" |
Where-Object DriveLetter -ne $Null |
sort-object -property DriveLetter
Thanks
Like most users, I run .ps1 files directly from Explorer by double clicking them so no argument was applied.
So I ran it from a cmd prompt with the -ActiveDrivesOnly argument and it still shows my empty SD card reader slots as drive Y & Z.
BTW, since I had a full size cmd prompt open this time, I saw the following 2 errors when the script ran.
I didn’t notice them before because the powershell “prompt” I use to run .ps1 scripts is set to only display 30 x 3 characters.
I also noticed two new issues with how the script works.
1- When the progress bar closes and the main window opens it’s not in focus until you click on it; notice how the title in the below screenshot is grayed out. Don’t know if that’s unique to my particular system or not??
2- The Boot Keys Compromised line that’s only suppose to display if secure boot is enabled (which it’s not on my system) now gets displayed. I assume that’s due to some sort of code change you made?
The strange part is, the script was run with Admin privileges and I can run the actual code to check for compromised keys and it returns a false results. So why does the script indicate I need Admin Privilege to show that result?!?!
BTW, since I had a full size cmd prompt open this time, I saw the following 2 errors when the script ran.
Ok, I now know why those 2 errors happened.
Error #1 happens because my PC doesn’t have a WiFi adapter so the WLAN AutoConfig service (WlanSvc) is not running.
FYI, the default start type for that service is “Manual” so, if there’s no WiFi adapter, it’s normal for it to not be running.
That means the netsh wlan show profiles command your script uses to detect WiFi returns The Wireless AutoConfig Service (wlansvc) is not running. when there’s no WiFi adapter instead of the ”*no wireless interface*” your script checks for.
FYI, the ”*no wireless interface*” result indicates there is a WiFi adapter but it’s currently disabled.
So when the next section of code attempts to generate a count the $WiFi.Count variable is NULL which causes the error.
Error #2 happens because your script is looking for Event ID 27 to determine the boot type and there is no such event ID in my system logs, thus the query results are NULL which causes the error.
n0ads,
Been doing a lot of refactoring to get rid of the problems…I Hope. I’ll post a new version soon.
After a Google search, I think the problem is Event ID 27 isn’t really the correct ID for determining the boot type (at least on my system.)
I ran the code interactively and it returned this on my machine.
ProviderName: Microsoft-Windows-Kernel-Boot TimeCreated Id LevelDisplayName Message ----------- -- ---------------- ------- 8/4/2024 2:44:32 PM 27 Information The boot type was 0x0.
Pretty much what I was after. It also co-insides with my last reboot.
Here’s a couple of the latest screen captures:
Secure Boot Enabled:
Secure Boot Disabled:
Wi-Fi Enabled:
I’m still checking your previous posts to make sure I don’t miss anything, that I can fix…LOL
The Boot Keys Compromised label is working as it should again (i.e. it does not display with Secure Boot disabled.)
The -ActiveDrivesOnly option works (although I’ve modified my “personal” copy of your script so it’s always true!)
I’m still getting the same $Events[0].ID -eq 27 NullArray error because the Get-WinEvent function returns a No events were found that match the specified selection criteria error (even when run manually from Powershell ISE!)
Not sure why that’s happening as the Microsoft-Windows-Kernel-Boot event log the Get-WinEvent function looks at is enabled and configured for ”EnableLevel”=dword:00000000 (i.e. log everything) in the registry!?!?
Ran with no errors!
Ok, I found another issue that’s related to the change you made to eliminate the $Events[0].ID -eq 27 NullArray error I was getting.
The General tab in the Windows OS section shows the following for Last Boot and Up Time.
That’s highly misleading as the actual problem isn’t that I didn’t run the script as Administrator, I did, it’s the fact my Microsoft-Windows-Kernel-Boot event log is empty!
I dug into your code and the result you posted above from your Microsoft-Windows-Kernel-Boot event log and “assume” the result would have been something like this if my log weren’t empty.
Time Zone GMT -4 Daylight savings time. Last Boot 08/11/24 09:22 The boot type was Cold boot from full shutdown. Up Time 12:17 Compacted False
Since it wasn’t and my Googling of the empty Microsoft-Windows-Kernel-Boot event log problem indicated I’m not the only Windows 10/11 user who’s encountered that issue (and the only fix seems to be a CLEAN install of Windows), I propose you make the following code change to your script.
Use (Get-CimInstance win32_Operatingsystem).lastbootuptime to calculate the Last Boot and Up Time values and set the Boot Type as a completely separate value.
Here’s the modification needed to your existing code to do this.
Change
$LocalDateTime = $CurOS.LocalDateTime
$GWEArgs =
@{ProviderName = 'Microsoft-Windows-Kernel-Boot'
MaxEvents = 100
ErrorAction = 'Stop'}
$FilterID = "27"
Try {
$Events = Get-WinEvent @GWEArgs
$Events = $Events |
Where-Object {$_.id -like "$FilterID"} |
Select-Object -First 1
#If next stmt errors increase MaxEvents above!
$LastBootupTime = $Events.TimeCreated
$PreUpTime = $LocalDateTime - $LastBootupTime
If ($PreUptime.Days -gt 0) {
$UpTime = "{00:dd} Day(s) {00:hh}:{00:mm}" -f $PreUptime
}
Else {
$UpTime = "{00:hh}:{00:mm}" -f $PreUptime
}
$LastBootStr =
(Get-Date ($Events.TimeCreated) -format $LocalDTFmt) + " " +
(Get-Date ($Events.TimeCreated) -format $LocalTMFmt)
If ($Events.ID -eq 27) {
$BootType = @("Cold boot from full shutdown",
"hybrid boot (fast startup)",
"Resume from hibernation")
$BTIndex = $Events.Message.Substring(20,1)
$LastBootStr += " " + $BootType[$($BTIndex)]
}
} #End Try
Catch {
$UpTime = "Requires Administrative Access"
$LastBootStr = "Requires Administrative Access"
}
To
$LocalDateTime = $CurOS.LocalDateTime
$LastBootupTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime
$PreUpTime = $LocalDateTime - $LastBootupTime
If ($PreUptime.Days -gt 0) {
$UpTime = "{00:dd} Day(s) {00:hh}:{00:mm}" -f $PreUptime
}
Else {
$UpTime = "{00:hh}:{00:mm}" -f $PreUptime
}
$LastBootStr =
(Get-Date ($Events.TimeCreated) -format $LocalDTFmt) + " " +
(Get-Date ($Events.TimeCreated) -format $LocalTMFmt)
Try {
$Events = Get-WinEvent @GWEArgs
$Events = $Events |
Where-Object {$_.id -like "$FilterID"} |
Select-Object -First 1
#If next stmt errors increase MaxEvents above!
If ($Events.ID -eq 27) {
$BootType = @("Cold boot from full shutdown",
"hybrid boot (fast startup)",
"Resume from hibernation")
$BTIndex = $Events.Message.Substring(20,1)
$BootType = $BootType[$($BTIndex)]
}
} #End Try
Catch {
$BootType = "Unknown"
}
Change
$WINDict.Add(' Last Boot',"$LastBootStr")
$WINDict.Add(' Up Time',$UpTime)
To
$WINDict.Add(' Last Boot',"$LastBootStr")
$WINDict.Add(' Boot Type',$BootType)
$WINDict.Add(' Up Time',$UpTime)
I did this to my copy of your script and here’s what the Windows OS section now shows.
BTW, I’ve been looking for another way to determine the Boot Type when the Microsoft-Windows-Kernel-Boot event log is empty but, so far, haven’t found one that can do more than simply indicate whether it was a Cold Boot or a Warm Boot.
I think that all this discussion of the PowerShell script is interesting, but if you haven’t noticed – you have hijacked most of this topic.
Please create a new post and take the discussion there and terminate this discussion in this thread.
That’s what it looks like when automatic Device Encryption is on, but an administrator has not yet signed into Windows with a Microsoft account. It’s ready but not yet protected with a hidden key, and Recovery Key stored in a Microsoft account. (Unlocked really just means you’re currently using it.)
Updated ok
There is no doubt forcing BitLocker on is a GIANT misstep by Microsoft. No warnings, notices, explanations.
There is also this: if you have multiple computers with BitLocker turned on AND you changed your device’s name {aka Computer name} so as you can readily identify it in the list of BitLocker devices via your Microsoft account, GOOD LUCK.
The list contains the generic name assigned when the computer was “born” by the manufacturer and NOT the name you changed it to! In other words, Microsoft is not updating the name change for the BitLocker device.
I ran into this for a customer’s account. I needed the Bitlocker key turned off to access the drive via USB, signed into their Microsoft Account and saw 6 different GENERIC computer names! None matched the name of the computer I was working on. I had to paste the key of each computer listed to get the right one {fifth one of six was the one}.
This can certainly confuse a non technical person. It is a minefield just getting to the BitLocker area in a Microsoft account then trying to find your computer in the list that may appear.
I feel that when doing an initial setupof a windows computer, BitLocker should be explained as to what it is, ask to turn it on or not and divulge it uses a 48 numeric character set to access it and HOW to find it to save it somewhere.
I would have no problem believing a turned on BitLocker key would be a thorn in the side in many a repair shop’s business. Think of a call to a customer asking for their BitLocker key would entail.
Microsoft needs to do a {much} better job with BitLocker integration.
There is also this: if you have multiple computers with BitLocker turned on AND you changed your device’s name {aka Computer name} so as you can readily identify it in the list of BitLocker devices via your Microsoft account, GOOD LUCK.
The list contains the generic name assigned when the computer was “born” by the manufacturer and NOT the name you changed it to! In other words, Microsoft is not updating the name change for the BitLocker device.
It may depend on WHEN the computer name was changed, as I have three Bitlocker keys for different computers stored at https://account.microsoft.com/devices/recoverykey and each one has recorded against it my choice of computer name.
I ran into this for a customer’s account. I needed the Bitlocker key turned off to access the drive via USB, signed into their Microsoft Account and saw 6 different GENERIC computer names! None matched the name of the computer I was working on. I had to paste the key of each computer listed to get the right one {fifth one of six was the one}.
This can certainly confuse a non technical person. It is a minefield just getting to the BitLocker area in a Microsoft account then trying to find your computer in the list that may appear.
When a Bitlocker recovery key is requested, a recovery key ID is supplied:
The recovery key ID (just first eight characters) is listed for each recovery key stored in a Microsoft account:
(These aren’t my devices, which have more meaningful names)
It should always be possible to find the correct recovery key without trial and error.
This is a bit hard to understand with all the various terms but if Bitlocker is disabled (off) everything will update as normal on Win 10 pro and this will not be something to worry about?
Jim, I have Bitlocker installed on my HP Home computer (came with it). I have Bitlocker Disabled (turned off). I am on Win 10, 22H2. The updates installed without issue with Bitlocker disabled. Updates did not turn Bitlocker on nor was I prompted to disable it. No issues with monthly updates. If Bitlocker is turned on for others…it might pose a problem but I keep mine turned off. I do have my Bitlocker keys in a safe place in case it ever accidently gets turned on. Hope this helps answer your question about installing July’s updates with Bitlocker “disabled”, “turned off”.
It does help a great deal, thank you very much for answering. Since I have never turned it on I assume I am safe then. 
I have set up my Win10 22H2 Pro system using a local account. That is, I do not access my system by logging on to a Microsoft account. Does anyone know whether a system set up with a local account is immune from the potential BitLocker problem?
BTW, on my system, Control Panel > All Control Panel Items > BitLocker Drive Encryption tells me that BitLocker is off on both my drives.
Second BTW. I logged into my Microsoft account using the link https://account.microsoft.com/devices/recoverykey and was told: “You don’t have any BitLocker recovery keys uploaded to your Microsoft account.”. I don’t recall ever being informed that I have BitLocker recovery keys when I installed and configured my system. So, if they do exist, I wouldn’t have the faintest idea where they are. So, I ask the question again. Is my system immune from the potential BitLocker problem?
I updated 1 computer so far. BitLocker shows off in manage. All went fine as far as I can see so far. W10 22H2. MSRT, KB 5041019 .NET, KB 5040427 Cum. 22H2. 19045.4651
Don't take yourself so seriously, no one else does 
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).
2nd computer same as 1st, no problems so far ( fingers crossed )
Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).
BitLocker has absolutely no business being automatically enabled on consumer PC’s, or even business PC’s in my opinion. We don’t use it at my office because it’s more trouble than it’s worth. Super easy to bypass for someone with a moderate amount of skill, a pain for ordinary users when they encounter a problem.
Windows Updates are cumulative. What’s in this month’s update will also be in next month’s update.
Are you using an MS ID in the computer that was encrypted? If so, visit your MS account and locate the encryption key. Record it and put it in a safe place locally (in case you can’t access the online ID).
Windows Updates are cumulative. What’s in this month’s update will also be in next month’s update.
Surely, this cannot be correct when there is a major problem in an update?
As I stated in #2692135, I don’t have any recovery keys for my Windows 10 22H2 Pro system. So, if I install KB5040427 (the 2024-07 CU) and encounter the BitLocker problem, yes, I can restore my system from a system image. However, if what you say is true, I’m never going to be able to install another Windows update again because I will always encounter the same problem!
In the KB article for KB5040427, Microsoft do state, “We are investigating the issue and will provide an update when more information is available.”. I am assuming therefore that, at some point, the issue will be corrected in KB5040427, and hence in subsequent updates. I’m minded to wait until that happens unless someone can reassure me that my system is immune from the BitLocker problem.
Window 11 Pro MS Account. Last evening located and turned off Bitlocker, down loaded and installed 3 available updates via WuMgr then sat back fingers crossed. Relatively quick with no problems or surprises. Breathed easy as I do every month after my tip toe through MUM (Microsoft Update Minefield).
PS I have the Bitlocker Key off the computer in a couple of places just in case. I trust Ask Woody and Susan: MS et al? Not so much.
July Updates went well.
2024-07 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5040442)
2024-07 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 23H2 for x64 (KB5039895)
Windows Malicious Software Removal Tool x64 – v5.126 (KB890830)
Had 2 preview updates KB5040527, KB5041169 that I hid.
Windows 11 Pro
Version 23H2
OS build 22631.5189
I clicked on the x to close it and then paused updates and the previews disappeared. I guess stating I “hid” it was wrong?
Windows 11 Pro
Version 23H2
OS build 22631.5189
Some OEMs are enabling Device Encryption automatically on new PCs. I ran into this with Dell and HP as much somewhere around 3-4 years ago.
I updated and all was normal. No Bitlocker triggered.
Is there away that a user, like myself, can find out whether a recovery key has ever been generated for a system?
Yes: manage-bde -status at an admin command prompt.
Look for Key Protectors (as well as encryption and protection).
If you enabled it yourself, you would know where you saved the recovery key.
If it was enabled automatically, the recovery would be in your Microsoft account.
Check BitLocker Drive Encryption Status of Drive in Windows 11 (or 10)
Many thanks for that. I’ve attached the screen output from both manage-bde -status and Get-BitLockerVolume | Format-List. From what I can make out, no recovery keys have ever been generated for either my C: drive or my D: drive. Are you able to confirm?
When I installed my Windows 10 Pro system, my PC was not connected to the Internet. I connected it to the Internet only when it became necessary during configuration. And, even then, I have no record of logging on to my Microsoft account. So, if by some means BitLocker was enabled automatically on my drives, it is difficult to see how the recovery keys could have been stored in my Microsoft account. In any case, I’ve already reported earlier in this thread that my Microsoft account does not contain any recovery keys.
Am I as safe as I could ever could be in order to try to install KB5040427 (2024-07 CU for Windows 10 22H2)?
I do not see any attachment associated with your post.
The way you attach a file:
At the bottom below the the Entry Box, choose “Select File.”
That will open Explorer on your PC. Highlight the file to attach and choose “Open”
That uploads and attaches the file to your post.
You will have an option in the attachment to insert the attachment in content. If you choose that, the attachment will be placed where your cursor is locaated in the content.
In the first Susan Bradley article on this subject #2689954 (dated July 23, 2024):
#2691368 Mike W (me) wrote:
Windows 10 22H2 – Local Microsoft Account – Windows Updates paused until 8/13/24
I am a general user without any PC technical knowledge or expertise. I follow your instructions if they are easy and don’t require expert technical knowledge.
Drive Encryption is ON. I have the option to turn it OFF.
BitLocker is ON. I have the option to turn it OFF.
I have my BitLocker Recovery Key
Should I turn BitLocker OFF and/or turn Drive Encryption OFF (after Susan Bradley changes the DEFCON to ok to allow July Windows updates)?
Is this a simple matter of just turning BitLocker OFF and/or Drive Encryption OFF to install the July Windows Updates?
If I turn BitLocker OFF and/or Drive Encrypton OFF, will it be easy to turn them back ON after the July Windows updates are installed, without having to go through any challenging technical procedure to turn them back ON?
I’m looking forward to the next Susan Bradley advice about this issue.
Thank you for your help.
#2691528 – Susan Bradley replied:
If you know where your recovery key is, and you want bitlocker, I wouldn’t turn it off merely to install updates. In my personal testing it has not triggered asking for the recovery key.
#2692781 – Mike W replied:
I have my BitLocker Recovery Key from my Microsoft Account. What method is used if I need to provide my BitLocker Recovery Key? Will I simply be asked to type my 48-digit Recovery Key or is some other technical method used to provide the Recovery Key?
#2692788 – Susan Bradley replied:
Just manually type it in.
CURRENT STATUS: As always, I will back up my data and create a System Image before installing Windows Updates. I am going to be brave and follow Susan Bradley’s advice. I am not going to turn Encryption Off and not turn BitLocker Off. I am going to install the July Windows Update and hope that the BitLocker Recovery Screen does not appear. If it appears, I will enter my BitLocker Recovery Key and hope that it works.
In addition to following Susan Bardley’s advice, I am taking this approach because I do not want BitLocker to create a different BitLocker Recovery Key if I BitLocker is ever turned back on again.
QUESTION: Is there ANYONE who installed the July Windows Update with Encryption ON and BitLocker ON who did NOT get the BitLocker Recovery Screen?
PKCano – You have helped me a lot on other issues. What do you think about the approach that I will take based on Susan Bradley’s advice?
There is not Local Microsoft account. You either use a Microsoft ID or a Local ID. They are not the same.
I do not have a Microsoft ID. My Win10/11 installations have only a Local ID. So I cannot “finish setting up Bitlocker.” But none of my installations have Drive Encryption turned on either. I do not feel it is necessary considering my use case. So I won’t advise you on the case of encryption, or not.
What I will recommend is, to follow Susan’s advice. She knows what she’s talking about.
QUESTION: Is there ANYONE who installed the July Windows Update with Encryption ON and BitLocker ON who did NOT get the BitLocker Recovery Screen?
Yes.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
