Windows 10/11: Microsoft has published a fix for OOBE Bitlocker Bug

[German]Microsoft does promote Bitlocker for encrypting drives under Windows. But there are always bugs that prevent encryption or allow third parties unauthorized access to encrypted drives. A Microsoft supporter has now revealed a case where Bitlocker is not enabled in the out-of-the-box (OOBE) phase of Windows installation. There are ways to work around this (yet very exotic) bug in Windows 10/11.

BitLocker is a feature in Windows 10/11 that encrypts the hard drive of devices to protect the data stored there from unauthorized access. I had already reported in 2019 in the blog post Windows 10: Bitlocker encrypts automatically that this encryption is launched automatically on devices. This can certainly cause awkward moments if users do not know the recovery key (see Windows 10: Bitlocker encrypts automatically). On the other hand, it has been known since November 2022 that there is a Bitlocker bypass vulnerability CVE-2022-41099 in the Windows Recovery Environment (WinRE). Patching it, however, is a challenge (see Windows 10/11: Microsoft releases script for WinRE BitLocker bypass fix).

Bitlocker fails on reboot

There are some scenarios where administrators and users need to temporarily override BitLocker. This is the case, for example, when a system's BIOS or firmware is updated using a manufacturer's update program.

In such scenarios, you can specify how many restarts of the system to suspend Bitlocker encryption before BitLocker resumes encryption. This restart count parameter can be set using the Suspend-BitLocker PowerShell cmdlet (see suspend bitLocker). In the following example, Bitlocker is suspended until the client is restarted 3 times:

Suspend-Bitlocker -MountPoint "C:" -RebootCount 3

Helmut Wagensonner, a cloud solution architect engineer at Microsoft, recently uncovered a Bitlocker bug in Windows 10/11 in the Techcommunity post Bitlocker Is Not Resuming After Reboot Count Has Been Reached. Wagensonner encountered a customer's Bitlocker automatic resume failing after the specified number of reboots if the out-of-the-box experience (OOBE) process was not connected during setup. He says:

However, there is a known issue with BitLocker that you may encounter: BitLocker will not automatically restore after stopping if OOBE (Out of box experience) is not completed. OOBE is the process of setting up your device for the first time after installing Windows 10.

This means that the system in question will be left unprotected by Bitlocker. The only solution in this case is to manually ask BitLocker to encrypt again. This can be forced with the command-line tool manage-bde within an administrative prompt window.

manage-bde -resume C:

Alternatively, the following PowerShell command could be used:

Resume-BitLocker -MountPoint "C:"

In the Techcommunity article, Wagensonner also reveals how to use PowerShell to query how often Windows 10/11 has to be restarted before Bitlocker starts encrypting again. The article also reveals the scenarios where Bitlocker has to be disabled and the subsequent resumption fails. (via)