Five years ago, Microsoft made a commitment to improve its update process following a series of problematic Windows updates. As part of this initiative, the company introduced a "release health dashboard" designed to provide users with insights into the status of known issues associated with each update. While this transparency is commendable, it can sometimes lead to more questions than answers.
A recent example involves the July 2024 security update, which has been flagged on the release health dashboard due to a known issue affecting devices running Windows 10, Windows 11, and various versions of Windows Server. Specifically, some users have reported that their devices may boot into BitLocker recovery mode following the installation of this update. Instead of reaching the familiar login screen, users are confronted with a blue screen prompting them to verify their identity to recover their data.
If you see this screen, something went wrong at startup and you need to prove your identity to recover your data.
As noted in Microsoft’s advisory, this situation is not typical following a Windows update. However, the report does not specify the cause of the issue. It does hint that users with the Device Encryption option enabled may be more likely to encounter this problem.
How widespread is this bug?
In a rather frustrating turn, Microsoft has not provided details regarding the prevalence of this issue or its triggers. It is clear that not every device receiving the July 2024 security update is affected; otherwise, the update would have been retracted immediately. In my own testing, I have not encountered this problem, nor have I received reports from readers experiencing it. A search through Microsoft’s community forums yielded no related discussions.
However, on platforms like Reddit, several network administrators have reported that this issue has impacted multiple devices within their organizations, particularly HP and Lenovo laptops managed on corporate networks that received firmware updates during the July 2024 Patch Tuesday release. When I reached out to Microsoft for further clarification, a spokesperson indicated that they had no additional information beyond what was already available in their resources.
Why is this happening?
BitLocker serves as a robust security feature, encrypting the entire drive to prevent unauthorized access. It operates in conjunction with a Trusted Platform Module (TPM) and Secure Boot to securely save a fingerprint of the boot configuration. When users encounter the recovery prompt, it typically indicates that something about the boot process appears unusual to BitLocker, prompting the request for a recovery key instead of proceeding to the login screen. This can occur for various reasons, not all of which are linked to external threats.
Microsoft’s support article outlines numerous scenarios that could trigger BitLocker recovery mode, including changes to the boot manager or NTFS partitions, disabling the TPM, or transferring a BitLocker-protected drive to a new computer. Notably, upgrading critical early startup components like BIOS or UEFI firmware can also initiate this recovery process. It seems that this may be the case for the affected laptops, as firmware upgrades are intended to suspend BitLocker encryption during installation, but this may not have occurred as expected.
What’s the difference between BitLocker and Device Encryption?
Device Encryption is a feature available on all modern PCs designed for Windows 11, functioning across all Windows editions, including Home. It encrypts the system drive by default but activates only if certain hardware requirements are met. BitLocker, on the other hand, offers more advanced encryption options and management tools but is typically available only on Pro and Enterprise editions of Windows.
