Another one? That could be the reaction of veteran Windows users who read the headline. Microsoft confirmed another BitLocker related issue in Windows 11. This one may be caused by installing the most recent cumulative update for the operating system.
In the Known issues section of the update, Microsoft confirms that devices might boot into the BitLocker Recovery screen and not the desktop.
According to the description, the issue is caused by an “unrecommended BitLocker Group Policy configuration”. Only a “limited number of systems” are affected according to Microsoft. The company says that the issue affects only systems for which all of the following conditions are true:
- BitLocker is enabled on the OS drive.
- The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible”.
- The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
- The device is not already running the 2023-signed Windows Boot Manager.
Devices that meet the conditions may boot into recovery mode after installing the KB508376 for Windows 11, versions 24H2 or 25H2.
A workaround is available to remove the Group Policy configuration before installing the update.
- Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured“.
- Run the following command on affected devices to propagate the policy change: gpupdate /force
- Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:
- Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:
- This updates the BitLocker bindings to use the Windows-selected default PCR profile.
Microsoft plans to release a permanent fix in the future to address this. Windows users who use a Microsoft Account can look up the recovery key for BitLocker online.
Ohhh have I been getting calls on this!
Clients both commercial and residential freaking out when they see that blue bitlocker screen. Their number one reaction is ‘has the machine somehow been infected?’ I’m like YES! by Microsoft’s machinations! LOL
Been using a work around somewhat like the one you’ve listed here but in a few cases, nothing would work other than having the user sign-in to their Microsoft account and actually go through the process of using the stored recovery key. Many didn’t even realize they had microsoft accounts – didn’t use the one that microsoft encouraged them to sign-up for or had long forgotten their credentials for it.
Two cases to date, nothing worked at all and in both instances, it was decided to do a full wipe and reset. THANKS MICROSOFT!!