Updating secure boot certificate triggering BitLocker
Posted by therealyellowranger@reddit | sysadmin | 13 comments
Has anyone else encountered issues where devices prompt for BitLocker recovery after applying the Secure Boot certificate update via the Microsoft registry method?
Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support
It doesn’t appear to impact all machines. In affected cases, entering the BitLocker recovery key allows the system to boot normally. Some users also report seeing a blank blue screen, which can still be bypassed by entering their password (even though nothing is visible) and pressing Enter.
jamesaepp@reddit
New article as of today.
https://support.microsoft.com/en-us/topic/troubleshooting-5d1bf6b4-7972-455a-a421-0184f1e1ed7d#bkmk_common_failure_scenarios_and_resolutions
Ambitious-Airport360@reddit
Had 2 of these this morning, so this is good to know. Thanks!
therealyellowranger@reddit (OP)
Interesting. Good find. Coincidence that it was published yesterday. Nowhere on the original MS article link did it mention BitLocker.
Smith6612@reddit
This article is pretty spot on with some of the stuff I've seen.
A system I had to troubleshoot two days ago ended up in a broken state where the hardware itself was acting like it couldn't initialize itself. Even after a hard shutdown and power up.
I had to physically remove power from the computer, then re-connect it to power, for the system to boot back up. After Windows loaded up, I saw the lovely "Windows is installing updates" screen, and saw that the Secure Boot Database Update was applied to the system when it broke.
Was almost afraid the computer died, thankfully it didn't. There's going to be some rough upgrades happening!
frozenbayburt@reddit
Has anyone found the root cause of this issue?
After the Secure Boot certificate update, it keeps asking for the BitLocker recovery key repeatedly.
TroubleHumble799@reddit
Same thing happening with our estate. 5% of devices are going into a BitLocker recovery loop. Complicated by using a numeric startup PIN.
Currently having to disable BitLocker temporarily and then decrypt the disk.
Then re-encrypt the disk and add back a PIN.
No rhyme or reason. Some devices absolutely fine and no issues after the Secure Boot update.
therealyellowranger@reddit (OP)
Should've stopped after entering in the BitLocker key and the cert updated. Sounds like a bigger issue then.
Altruistic-Can2572@reddit
Anyone else having issues with machines not getting all 4 new certs? If so, look at the BIOS setting msuefica. It needs to be enabled.
bjc1960@reddit
No, all of ours fail with the 65000 license error.
itskdog@reddit
Do they have all the right Microsoft domains available to contact over the internet? They pushed something server-side (that doesn't require a CU to fix) to resolve the issue with subscription activation. You should have seen the number of failures on that configuration policy slowly go down.
bjc1960@reddit
I read that too, but I still have issues. All users are M365 E5 Enterprise licenses for Windows, but were purchased with "Pro" (OEM) with the Dell laptops.
I had a detect/remediate with ClipDLS.exe removesubscription and ClipRenew.exe. I have another script for the reg key.
I assume they can get to the website; what is the site?
I had to rebuild my computer for a new disk and it picked up the fix somewhere during those few hours of installing, reinstalling.
itskdog@reddit
I'm not an expert there, I'm afraid, just regurgitating what I remember from Rudy's blog on PMPC.
Master-IT-All@reddit
This is what I would expect to occur if you don't pause BitLocker before enabling the updates.
Pause BitLocker for two restarts using manage-bde
Update the registry
Start the scheduled task
Restart
Restart
End user Logon
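The sequence in the comment above, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the `AvailableUpdates` value under the `Secureboot` registry key and the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task that Microsoft's Secure Boot update guidance uses; the DWORD actually written is a placeholder and must be taken from the linked Microsoft article. The `-WhatIf`-style safety here is a dry run switch of my own, not a Microsoft option.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Stages the Secure Boot certificate update
# with BitLocker suspended for two restarts so the PCR7 change from the new
# DB/KEK entries does not drop the device into recovery.
param(
    [string] $OsDrive = 'C:',
    # PLACEHOLDER: use the DWORD documented in Microsoft's IT-managed-updates article.
    [uint32] $AvailableUpdatesValue = 0x0,
    [switch] $Reboot,
    [switch] $DryRun
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # assumed path
$taskPath = '\Microsoft\Windows\PI\'                               # assumed path
$taskName = 'Secure-Boot-Update'                                   # assumed name

function Test-Has2023Ca {
    # True when the UEFI db already carries the 2023 Windows CA (subject CN is
    # stored as ASCII inside the DER blob, so a plain string match is enough).
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
}

# Pre-flight checks: nothing to do without Secure Boot, and refuse to touch a
# volume that is not actually protected (suspending it would be a no-op anyway).
if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled; aborting.' }
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not On for $OsDrive; aborting." }
if (Test-Has2023Ca) { Write-Host 'db already contains Windows UEFI CA 2023; nothing staged.'; return }

# Make sure the recovery password is at least visible to the operator before
# changing anything that measures into PCR7.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { Write-Warning "No recovery password protector on $OsDrive; escrow one before proceeding." }

if ($DryRun) {
    Write-Host "Would: Suspend-BitLocker $OsDrive for 2 reboots; set $regPath\AvailableUpdates=0x$($AvailableUpdatesValue.ToString('X')); start $taskPath$taskName"
    return
}

# Step 1: pause BitLocker for two restarts (same effect as manage-bde -protectors -disable C: -RebootCount 2).
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 2 | Out-Null

# Step 2: stage the update in the registry.
Set-ItemProperty -Path $regPath -Name 'AvailableUpdates' -Value $AvailableUpdatesValue -Type DWord

# Step 3: start the scheduled task that consumes the flag.
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName

# Steps 4-5: two restarts; the second one re-arms BitLocker automatically
# because of -RebootCount 2. Step 6 (user logon) needs no scripting.
if ($Reboot) { Restart-Computer -Force } else { Write-Host 'Staged. Restart twice, then verify with Test-Has2023Ca.' }
```

Run it once with `-DryRun` to confirm the volume, key and task names resolve on a pilot device, then without it. After the second restart, `Get-BitLockerVolume C:` should show `ProtectionStatus : On` again and `Test-Has2023Ca` should return `$true`; a device that still lands in recovery at that point has a cause other than the unsuspended PCR7 measurement and is worth pulling from the ring.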