Update 19-Aug-2024: Microsoft has now resolved this bug. See details below.
Five years ago, after a particularly embarrassing run of flawed Windows updates, Microsoft vowed to do better. Part of its cleanup program included the introduction of a "release health dashboard" that documents the status of known issues with every update.
That transparency is a good thing, to be sure, but sometimes those disclosures raise more questions than they answer. A case in point is the July 2024 security update, which the release health dashboard flagged as having a known issue affecting PCs running Windows 10 and Windows 11 and multiple versions of Windows Server. (See "Device might boot into BitLocker recovery with the July 2024 security update.")
On affected PCs and servers, Windows refuses to boot to the normal login screen, instead presenting a blue screen like the one shown here:
If you see this screen, something went wrong at startup and you need to prove your identity to recover your data.
As the Microsoft report dryly notes: "This screen does not commonly appear after a Windows update." The advisory does not provide a cause for the issue, but it offers one clue: "You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption."
Update 19-Aug-2024: Microsoft reports that this issue is now resolved.
This issue was resolved by Windows updates released August 13, 2024 (KB5041585), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released August 13, 2024 (KB5041585) or later, you do not need to use a workaround for this issue. If you are using an update released before August 13, 2024, and have this issue, your device should proceed to start up normally from the BitLocker recovery screen once the recovery key has been entered.
After entering the recovery key, Windows starts up normally. If you can't find the recovery key, your data is lost for good.
That sounds bad, but the story is not nearly as alarming as media coverage has made it sound. I've been digging into this issue for the past week. Here's what I've found.
How widespread was this bug?
In typically frustrating fashion, Microsoft provided no details about how common this issue was or what triggered it. Obviously, it didn't affect every machine that received the July 2024 security update. (If that were the case, the update would have been pulled immediately and it would have been front-page news.) It didn't occur on any machine I've tested, and I didn't hear from any readers affected by it. When I searched on Microsoft's community forums, I didn't find any reports related to this bug.
On Reddit, I did find several network administrators reporting that this issue affected multiple machines in their organization. (See this thread and this one for examples.) It appears all the devices were HP or Lenovo laptops that were managed on corporate networks and received firmware updates as part of the July 2024 Patch Tuesday update release.
When I asked Microsoft for additional details on the scope of the issue, a company spokesperson said: "Microsoft has nothing more to share beyond what is available in the following resources," providing links to an overview of BitLocker technology (with the Device Encryption section highlighted) and a support article titled "BitLocker drive encryption in Windows 11 for OEMs".
Why did this happen?
BitLocker is an extremely effective security option that encrypts the contents of an entire drive so that no one can access its contents without your permission. BitLocker works in conjunction with a Trusted Platform Module (TPM) and the Secure Boot feature to securely save a fingerprint of your boot configuration.
When you see the recovery prompt, that usually means that something about the boot process doesn't look right to BitLocker. So, instead of proceeding to a normal login screen, it prompts you for the recovery key. This can happen for all sorts of reasons that might or might not be related to an outside attacker.
Elsewhere in the support article the Microsoft spokesperson pointed me to, a section titled "BitLocker recovery scenarios" lists no fewer than 15 "examples of common events that cause a device to enter BitLocker recovery mode when starting Windows." The list includes some actions that are typical of what might happen when an unauthorized person is trying to access data on the device, such as making changes to the boot manager or the NTFS partitions on the disk, disabling the TPM, or moving the BitLocker-protected drive into a new computer.
But you can also trigger BitLocker recovery by upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, which is what I suspect happened here. Firmware upgrades are supposed to suspend BitLocker encryption while they're installed, but it appears that this didn't happen on the laptops in question.
What's the difference between BitLocker and Device Encryption?
Device Encryption is a feature that's standard on all modern PCs designed for Windows 11. It works with all Windows editions (including Home edition), encrypting the contents of the system drive. It's on by default but is only activated when you sign in with a free Microsoft account or an Entra ID account. In those cases, the recovery key is automatically saved in the account dashboard for your account.
BitLocker Drive Encryption is a feature that's available for business customers, only on Pro, Enterprise, and Education editions of Windows. It allows you to encrypt the system volume as well as secondary drives and removable media, such as USB flash drives. This version of BitLocker includes a complete set of management tools.
Is your system drive encrypted?
The Device Encryption feature is controlled with a simple toggle switch in Windows Settings. On Windows 11, you can find this switch by going to Settings > Privacy & security > Device Encryption.
If this switch isn't available, then your system, for one reason or another, doesn't support encryption. One common reason is that the TPM is unavailable; you can find the details by opening the System Information utility (Msinfo32.exe) using an administrator's credentials. Look for a line labeled Device Encryption Support, at the bottom of the System Summary page.
Have you saved a backup copy of your recovery key?
As mentioned earlier, Windows automatically saves a copy of your recovery key to your Microsoft account. If you're ever prompted to enter that key, you can find it by opening a browser window (on a PC, Mac, or mobile device) and going to microsoft.com/recoverykey.
Sign in with the account you used for the device where you're seeing the recovery prompt. That will take you to a page like this one:
You can find your BitLocker recovery keys here.
There, you can search for your device name and confirm that the encryption key is accessible. The BitLocker recovery screen contains a Key ID; compare the group of eight characters at the beginning of that key with the Key ID column on the web page to confirm that you've found the right one. You can copy that recovery key to a text file, save the text file in a safe place in the cloud or on a USB flash drive, and even print the recovery key out and store it in a secure location where you can find it if needed.
If you'd rather use PowerShell to find your encryption key, open PowerShell as an administrator and use the following command:
(Get-BitLockerVolume -MountPoint C).KeyProtector
That process should give you all the information you need.
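To record ahead of time which recovery key belongs to which volume, the following added example (not from the original article or from Microsoft) lists each volume's recovery-password protectors and the eight-character Key ID prefix described above, without printing the 48-digit key itself. Get-BitLockerReadiness is a hypothetical helper name; run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory BitLocker recovery protectors per volume.
# Get-BitLockerReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-BitLockerReadiness {
    foreach ($vol in Get-BitLockerVolume) {
        # RecoveryPassword protectors hold the 48-digit key the recovery screen asks for.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0) {
            # No recovery password exists on this volume: emit one row with empty IDs.
            [pscustomobject]@{
                MountPoint  = $vol.MountPoint
                Status      = $vol.VolumeStatus
                Protection  = $vol.ProtectionStatus
                KeyIdPrefix = $null
                KeyId       = $null
            }
            continue
        }

        foreach ($kp in $recovery) {
            # KeyProtectorId is a GUID wrapped in braces; the recovery screen
            # and the account page show it without them.
            $id = $kp.KeyProtectorId.Trim('{}')
            [pscustomobject]@{
                MountPoint  = $vol.MountPoint
                Status      = $vol.VolumeStatus
                Protection  = $vol.ProtectionStatus
                KeyIdPrefix = $id.Substring(0, 8)   # compare with the Key ID column
                KeyId       = $id
            }
        }
    }
}

$report = Get-BitLockerReadiness
$report | Format-Table -AutoSize

# Flag volumes whose protection is on but that have no recovery password to fall back on.
$report |
    Where-Object { $_.Protection -eq 'On' -and -not $_.KeyId } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint) is protected but has no recovery password protector."
    }
```

Compare each KeyIdPrefix with the Key ID column at microsoft.com/recoverykey to confirm that a backup of that key actually exists before you need it.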
Should you turn encryption off?
If you're worried about the possibility that you'll be locked out of your PC by a BitLocker failure, you can turn device encryption off by going to its page in Settings and sliding the Device Encryption switch to the Off position.
However, that's an extreme solution to a problem that's unlikely to affect you. If you've got a backup copy of your recovery key, you're at no risk of losing data, and you're fully protected from having your digital life turned upside down by a thief who steals your laptop and accesses your data files.