Microsoft has confirmed a BitLocker bug that was introduced in KB5012170. After installing this patch the device goes to the BitLocker recovery where it asks to provide recovery keys.
KB5012170 updates DBX, a special database that includes "bad" UEFI modules. They known to be defective or vulnerable, so UEFI won't run them. So KB5012170 delivers the updated set of module signatures.
There is some issue with this database, which affects legitimate UEFI modules and breaks BitLocker. For affected devices, Microsoft provides the following workaround.
First of all, you must supply your BitLocker recovery key in order to start your device.
If you have not installed KB5012170 yet and have BitLocker enabled on your device, you need to temporarily suspend BitLocker before installing. Do the same if you have installed the buggy update but didn't yet restarted the OS. Here's how to suspend BitLocker.
- Open a new command prompt as administrator.
manage-bde -protectors -disable %systemdrive% -rebootcount 2
- Install the update KB5012170, if not already installed.
- Restart Windows.
- Restart the device once again.
- BitLocker should automatically be enabled after two boots. If you want to manually resume BitLocker to verify that it is enabled, use the following command:
Manage-bde -protectors -Enable %systemdrive%.
Microsoft is working on a permanent solution. They will provide an update pretty soon.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: