A small addendum to the August 2024 patchday regarding Bitlocker. With the July 2024 updates, there was the problem that systems got stuck at the prompt for the Bitlocker recovery key on the next restart. Good for those who had the corresponding key ready. With the security updates from August 13, 2024, Microsoft now claims to have fixed this Bitlocker query bug in all affected Windows versions. Ultimately, however, the cause was merely removed by deactivating the July 2024 fix. Anyone wishing to eliminate the CVE-2023-24932 vulnerability must intervene manually.
What was the Bitlocker query problem?
After the release of the July 2024 updates, I promptly received reports from readers that these updates force a request for the Bitlocker recovery key when restarting the systems. Blog reader Sven1403 was the first to get in touch with this German comment and wrote on July 11, 2024 that there were some cases in his environment where the Bitlocker recovery key was requested after the reboot following the update installation.
I had touched on this issue in the blog post Windows 10/11 updates (e.g. KB5040442) trigger Bitlocker queries (July 2024), but only referred to Windows 10 and Windows 11 there. Microsoft then confirmed the problem on July 23, 2024 and published the support article Devices might boot into BitLocker recovery with the July 2024 security update in the Windows 11 23H2 Release Health dashboard. I had reported this in a timely manner in the blog post Microsoft confirms Bitlocker queries through Windows July 2024 updates.
August 2024 update 'fixes' the Bitlocker bug
Toni had asked here whether the Bitlocker bug had been fixed with the August 2024 update. This was implicitly addressed in my posts on the August 2024 patchday linked at the end of the article (see Patchday: Windows 10/Server Updates (August 13, 2024)). Microsoft has placed the following note in the various updates for Windows:
[BitLocker (known issue)] A BitLocker recovery screen shows when you start up your device. This occurs after you install the July 9, 2024, update. This issue is more likely to occur if device encryption is on. Go to Settings > Privacy & Security > Device encryption. To unlock your drive, Windows might ask you to enter the recovery key from your Microsoft account.
I have just checked the entry Devices might boot into BitLocker recovery with the July 2024 security update in the Windows 11 23H2 Release Health dashboard. Microsoft explicitly states there that the Bitlocker query problem caused by the July 2024 security updates was fixed in August.
Resolution: This issue was resolved by Windows updates released August 13, 2024 (KB5041585), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
The affected Windows versions were specified by Microsoft as follows:
- Windows 11 Version 21H2 – 23H2
- Windows 10 Version 21H2 – 22H2
- Windows 10 Enterprise 2015 LTSB
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
The relevant August 2024 updates are mentioned in the August 2024 Patchday posts listed at the end of the article. For Windows Server versions that have fallen out of support, however, an ESU license is required to install the patches.
What's behind the "fix"
A little digression afterwards, or rather a look at what Microsoft means by "problem solved". Readers have already pointed this out, and our colleagues at Bleeping Computer have mentioned it in this article. The information about what happened can be found in Microsoft Advisory CVE-2024-38058 from July 9, 2024, which addresses a Bitlocker bypass vulnerability that was fixed in July 2024. With an update of the advisory CVE-2024-38058 on August 13, 2024, Microsoft announces the following:
- When customers installed the fix (per July 2024 update) for this vulnerability on their devices, there was feedback about incompatibility issues with the firmware. These resulted in BitLocker switching to [the above-mentioned] recovery mode on some devices.
- For this reason, Microsoft has simply disabled the fix from the July 2024 update with the release of the August 2024 security updates for Windows. Customers who want this protection can apply the workarounds described in KB5025885.
If you read the support article KB5025885, you will learn how to manually manage the revocation of the Windows Boot Manager for Secure Boot changes in connection with CVE-2023-24932 in several steps and how to secure the systems against the vulnerability. However, these steps cannot be reversed once applied.
Final thoughts
With regard to systems in corporate environments, Microsoft has put the ball in the administrators' court. The fix for the Bitlocker vulnerability CVE-2024-38058 has finally been disabled. Administrators must work through Microsoft's extensive instructions to secure systems with Bitlocker against the vulnerability.
In my opinion, however, the August 2024 update does not help in cases where private computers with Windows 10/11 were automatically encrypted during setup and the user does not know the Bitlocker recovery key and cannot find it. If the Windows system hangs when asking for the Bitlocker recovery key during boot and the key is missing, it is not possible to uninstall the update and install the new August 2024 update.
In my opinion, the only option here is to try to find the Bitlocker recovery key after all. I once wrote something about this in the article Question: Where does Bitlocker store the recovery key in Windows?
For example, I recently came across a case where a Windows Home system had been automatically encrypted and the key was now requested. However, the Bitlocker recovery key was not found in the current Microsoft account. The person in question then remembered that he had once set up a Microsoft account for the initial setup, but had removed it from Windows. Fortunately, he was still able to log in to the Microsoft account in question on another computer and found the recovery key there.
This case also shows how badly the whole thing is now hanging by a thread. A Microsoft account used during setup, which is later deleted by the user or locked by Microsoft, then kicks people out of the system. Without a Bitlocker recovery key, as far as I know so far, the only option is to reinstall the system if Windows requires such a key when booting. You can correct me if I have overlooked something.
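Whether a system that boots into the recovery prompt is recoverable comes down to having the 48-digit recovery password at hand before the update is installed. The following PowerShell script is an added example, not code from this article or from Microsoft's KB5025885 instructions; it inventories every BitLocker-protected volume on the local machine, adds a recovery password protector where none exists, and writes the recovery passwords to an administrator-chosen file so they can be stored safely (for example, printed or placed in a password manager) before patching. It assumes an elevated session on Windows 10/11 with the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector); the output path and the optional Entra ID escrow step are assumptions you may adapt.

```powershell
# Added example (not part of the original article): make sure a BitLocker
# recovery password exists and is recorded before installing a Windows update.
# Assumes: elevated PowerShell on Windows 10/11 with the BitLocker module.
# $OutFile is a hypothetical location; store the file on removable media or
# in a password manager, never on the encrypted volume itself.
param(
    [string]$OutFile = "$env:USERPROFILE\Desktop\bitlocker-recovery-$env:COMPUTERNAME.txt",
    [switch]$EscrowToEntraId   # optional: also back the key up to Entra ID (Azure AD)
)

$lines = @()
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

if (-not $volumes) {
    Write-Host "No volumes with BitLocker protection turned on; nothing to record."
    return
}

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # A volume protected only by TPM has no recovery password; add one so the
    # boot-time prompt can actually be answered.
    if (-not $recovery) {
        Write-Warning "$mp has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $mp
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($rp in $recovery) {
        # The boot-time recovery screen shows the first part of the protector ID,
        # so record the ID alongside the 48-digit password to match them later.
        $lines += "Volume {0}  ProtectorId {1}  RecoveryPassword {2}" -f $mp, $rp.KeyProtectorId, $rp.RecoveryPassword

        if ($EscrowToEntraId) {
            # Requires a device joined to Entra ID; cmdlet ships with the BitLocker module.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }
}

$lines | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Recorded $($lines.Count) recovery password(s) to $OutFile"
```

Run it once before installing a cumulative update and move the resulting file off the machine; for domain-joined systems the equivalent escrow cmdlet is Backup-BitLockerKeyProtector, which stores the password in Active Directory instead. The same listing can be obtained with manage-bde -protectors -get C: if the PowerShell module is unavailable.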
Similar articles:
Microsoft Security Update Summary (July 9, 2024)
Microsoft Security Update Summary (August 13, 2024)
Patchday: Windows 10/Server Updates (August 13, 2024)
Patchday: Windows 11/Server 2022-Updates (August 13, 2024)
Windows Server 2012 / R2 and Windows 7 (August 13, 2024)
Windows 10/11 updates (e.g. KB5040442) trigger Bitlocker queries (July 2024)
Windows July 2024 updates break remote connections
Microsoft confirms Bitlocker queries through Windows July 2024 updates
Windows 10/11 Home Edition and the OEM Bitlocker pitfall
Question: Where does Bitlocker store the recovery key in Windows?