With the security updates rolled out on the July 2024 patchday (e.g. KB5040442 for Windows 11, but also its Windows 10 counterpart), there are issues on systems on which Bitlocker is activated. I got reports from several German blog readers that their systems suddenly ask for the Bitlocker key (the recovery key).
Update KB5040442 for Windows 11 23H2-22H2
Cumulative Update KB5040442 has been available for Windows 11 22H2 and 23H2 since July 9, 2024 and is automatically installed on unmanaged systems via Windows Update. The update includes quality improvements and security patches. Details on the improvements can be found in the support article. Information on the security fixes can be found in the blog post Patchday: Windows 11/Server 2022-Updates (July 9, 2024).
Update KB5040427 for Windows 10 Version 21H1 – 22H2
Cumulative Update KB5040427 has been available for Windows 10 21H2-22H2 since July 9, 2024. With 21H2, only the Enterprise LTSC and IoT version will receive the update (for the last time). The update only contains security fixes, but no new operating system functions (see also Windows 10/Server Updates (July 9, 2024)).
Windows 10/11 suddenly asks for Bitlocker key
Something must have gone wrong with Bitlocker in Windows 10 and Windows 11 as a result of this update, because numerous users have reported in the blog that their systems suddenly ask for the Bitlocker key.
German blog reader Sven1403 was the first to respond with this comment, writing on July 11, 2024 that there were some cases in his environment where the Bitlocker key was requested after the restart following the update installation. This mainly affected Windows 11 systems; however, a Windows 10 computer was also involved. He then asked whether anyone else had noticed this.
In this comment, German blog reader Martin Brede confirms that in his environment the request for the Bitlocker key appears on several systems after rebooting as part of the installation of the Windows 11 update KB5040442. So far, these have all been HP Z2 workstations, he states. In a follow-up comment, user DERZEIT confirms these Bitlocker key prompts, but writes that they are Lenovo devices.
In my opinion, however, the computer manufacturer is irrelevant.
Blog reader Sven1403 confirms in this comment that the Bitlocker prompt no longer appears on restart after uninstalling update KB5040442.
Is it due to the WinRE update KB5034441?
I have a suspicion about this whole story. Microsoft has been trying to patch a Bitlocker vulnerability (CVE-2024-20666) with the KB5034441 update since January 2024. On many systems, however, the update installation fails with the installation error 0x80070643. I reported this in several posts here in the blog (see article links at the end of the post).
On July 9, 2024, Microsoft then adjusted the description for update KB5034441 and describes the scenarios in which the update is not (or no longer) offered (e.g. if a recovery partition is missing). neowin.net reported on this here. At the same time, I saw that the blog post Microsoft Security Update Summary (July 9, 2024) also mentions Bitlocker in the list of corrected functions. Microsoft has patched something in this area of Bitlocker that is causing the behavior.
In this comment, Bolko points out how BitLocker can be deactivated on systems via a registry intervention. In the blog post Windows 10/11 Home Edition and the OEM Bitlocker pitfall, I pointed out that BitLocker is automatically activated on Windows systems with Home Editions. However, most users are not aware of their Bitlocker recovery key or where it is kept.
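As an added example (not part of the original post or its comments), the following PowerShell snippet does what an administrator would want before or right after this patchday: it checks whether one of the two cumulative updates named above is installed, lists the BitLocker state and key protectors of every volume, and exports the 48-digit recovery password so it is at hand if the recovery prompt appears after the reboot. The export path, the update IDs being checked, and the optional Active Directory escrow step are assumptions; it requires an elevated session and the BitLocker PowerShell module.

```powershell
# Added example, not code from the blog post. Run in an elevated PowerShell session.
# $ExportPath and $PatchIds are assumptions for this example; adjust them to your environment.
$ExportPath = "$env:USERPROFILE\Desktop\bitlocker-recovery-$env:COMPUTERNAME.txt"
$PatchIds   = @('KB5040442', 'KB5040427')   # Windows 11 22H2/23H2 and Windows 10 21H2/22H2 updates of July 9, 2024

# 1. Is one of the July 2024 cumulative updates already installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $PatchIds -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object { Write-Host ("Installed: {0} on {1}" -f $_.HotFixID, $_.InstalledOn) }
} else {
    Write-Host ("None of {0} is installed on this system." -f ($PatchIds -join ', '))
}

# 2. Enumerate BitLocker volumes and the key protectors attached to each of them
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    Write-Host ("{0} VolumeStatus={1} ProtectionStatus={2} EncryptionMethod={3}" -f `
        $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionMethod)
    foreach ($kp in $v.KeyProtector) {
        Write-Host ("    protector {0} id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }
}

# 3. Export every recovery password (the 48-digit key the recovery screen asks for) to a text file.
$lines = foreach ($v in $volumes) {
    foreach ($kp in ($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        "{0}`t{1}`t{2}" -f $v.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
    }
}
if ($lines) {
    $lines | Set-Content -Path $ExportPath -Encoding UTF8
    Write-Host "Recovery passwords written to $ExportPath - move this file off the machine (USB stick, password manager)."
} else {
    # A volume protected only by the TPM has nothing to type in at the recovery screen.
    Write-Warning "No RecoveryPassword protector found; add one with: Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector"
}

# 4. Optional (assumption: domain-joined machine): escrow each recovery password in Active Directory.
#    Entra ID / AAD-joined devices would use BackupToAAD-BitLockerKeyProtector instead.
# foreach ($v in $volumes) {
#     foreach ($kp in ($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
#         Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $kp.KeyProtectorId
#     }
# }
```

The exported file contains the recovery password in clear text, so it belongs on removable media or in a password manager, not on the encrypted volume it unlocks. Step 4 is commented out because it only makes sense for domain- or Entra-joined devices; on a stand-alone Home or Pro machine the file from step 3 is the backup.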
Similar articles:
Microsoft Security Update Summary (July 9, 2024)
Patchday: Windows 10/Server Updates (July 9, 2024)
Patchday: Windows 11/Server 2022-Updates (July 9, 2024)
Windows Server 2012 / R2 and Windows 7 (July 9, 2024)
Microsoft Office Updates (July 9, 2024)
Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)
Microsoft is working on a fix for the installation error 0x80070643 (WinRE update KB5034441)
Microsoft's PowerShell script against installation error 0x80070643 for KB5034441 (Jan. 2024)
Windows 10: Update KB5034441 fails again with error 0x80070643 in February 2024
Windows 10: Update KB5001716 is installed secretly; throws error 0x80070643
Windows 10/11/Server 2022: Microsoft says "No more fix for installation error 0x80070643 during WinRE update"
Minor thing, the final update for Win 10 21H2 (for Enterprise) was June. No July 2024 update was made available for Win 10 21H2 (Server 21H2 did receive an update). Even Microsoft seems confused about this, but I'm sure about it. We're just now rolling out the 22H2 feature update via ConfigMgr enablement package, and machines are simultaneously getting the Win10 22H2 July update; we've not had any BitLocker prompts so far (knock on wood)…