Windows 10 Secure Boot Update Triggers BitLocker Recovery Key Prompt!

Microsoft has acknowledged another problem faced by Windows 10 users who recently installed security update KB4535680, the patch that addresses a bypass vulnerability in Secure Boot.

The Windows versions affected by this update include Windows 10 releases v1607 through v1909, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

Secure Boot is a security feature that blocks unauthorized operating-system bootloaders from executing on computers with UEFI firmware and a TPM chip, preventing rootkits from loading during the OS startup process.

Read the next section to learn how this update affects BitLocker.

How Does the Update Trigger BitLocker Recovery Mode?


After the update named KB4535680 is installed, the system prompts the user for the BitLocker recovery key on the next reboot.

However, Microsoft says: “If the BitLocker Group Policy uses TPM platform authorization and UEFI firmware configuration, and PCR7 is selected by the update policy, the BitLocker recovery key is demanded on some particular devices where PCR7 binding is not available. To check the PCR7 binding status, run the Microsoft System Information tool using admin credentials.”

BitLocker is a Microsoft encryption feature, introduced with Windows Vista, that applies the XTS-AES encryption algorithm to encrypt a computer's hard drives and removable drives to protect user privacy and security.

Now, read the next section for the workarounds available for fixing this issue.

Workarounds by Microsoft

Microsoft advises suspending BitLocker protection for one boot cycle, or for three boot cycles depending on the device's Credential Guard configuration. For one reboot, use Manage-bde -Protectors -Disable C: -RebootCount 1; for three reboot cycles, use Manage-bde -Protectors -Disable C: -RebootCount 3.

Running these commands before installing KB4535680 temporarily suspends BitLocker, which serves as the workaround and avoids the BitLocker recovery prompt.

Once the installation finishes, the system restarts three times in a row; after that, you have to reboot the system once more with BitLocker protection re-enabled.
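The pre-update procedure above, as an added PowerShell example that is not from the article or from Microsoft: it checks whether Secure Boot is on, reads the PCR7 binding status from the msinfo32 report Microsoft refers to, confirms a recovery password protector exists before anything is changed, and then suspends BitLocker for the chosen number of reboots. It assumes an elevated session, that the OS volume is C:, and that the admin picks the reboot count (1, or 3 where the Credential Guard configuration requires it).

```powershell
# Added example (not the article's or Microsoft's code): pre-flight check and
# BitLocker suspension for the KB4535680 workaround. Run from an elevated session.
# Assumptions: OS volume is C:; reboot count chosen by the admin (1 or 3).
param(
    [string]$MountPoint = "C:",
    [ValidateSet(1, 3)][int]$RebootCount = 1
)

# Nothing to do if the update is already installed.
if (Get-HotFix -Id "KB4535680" -ErrorAction SilentlyContinue) {
    Write-Host "KB4535680 is already installed; no suspension needed."
    return
}

# Confirm this is a UEFI system with Secure Boot on (the update only matters there).
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }
Write-Host "Secure Boot enabled: $secureBoot"

# PCR7 binding status as reported by msinfo32, the tool Microsoft points to.
# Devices where PCR7 binding is not possible are the ones that prompt for recovery.
$report = Join-Path $env:TEMP "msinfo32_report.txt"
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
$pcr7 = (Get-Content $report | Where-Object { $_ -match 'PCR7 Configuration' }) -join ' '
Write-Host "msinfo32: $pcr7"

# Before touching protectors, make sure a recovery password exists and is escrowed
# (AD/Azure AD or offline), since a recovery prompt may still occur.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; add and escrow one before updating."
}
Write-Host "Recovery password protector ID(s): $($recovery.KeyProtectorId -join ', ')"

# Suspend protection for the chosen number of reboots. This is the PowerShell
# equivalent of: Manage-bde -Protectors -Disable C: -RebootCount <n>
Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
$status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
Write-Host "BitLocker protection on $MountPoint is now: $status (auto-resumes after $RebootCount reboot(s))"
# Install KB4535680 now; protection resumes automatically after the reboots,
# or run Resume-BitLocker -MountPoint $MountPoint to re-enable it sooner.
```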

Users who don’t want this resolution, or who are unable to script the update across thousands of endpoints, are advised to block the KB4535680 security update from being deployed through Microsoft Endpoint Manager Configuration Manager.
