KB4535680 update is causing BitLocker problems in Windows 10
Some Windows 10 users who have installed the KB4535680 update from last month are experiencing problems with BitLocker.
The update was released on January 12 to fix issues with Secure Boot DBX, but some users are complaining that the patch is triggering BitLocker recovery. For people using BitLocker on just one computer, this may not be too much of an issue, but for administrators taking care of lots of systems it is rather more problematic.
Although KB4535680 is now more than a month old, it is quite common for sysadmins to hold off installing updates for a little while, hence the appearance of issues slightly further down the line.
As noted by Günter Born, system administrator Dietmar Haimann is among those experiencing BitLocker issues after installing the KB4535680 update. He writes on Twitter:
Microsoft has listed a BitLocker problem as a known issue for the update, saying:
If the BitLocker Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible.
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
Important: Changing from the default platform validation profile affects the security and manageability of your device. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased, depending on inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR7 omitted will override the "Allow Secure Boot for integrity validation" Group Policy. This prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when the firmware is updated. If you set this policy to include PCR0, you must suspend BitLocker before you apply firmware updates.
We recommend not to configure this policy, but to let Windows select the PCR profile for the best combination of security and usability based on the available hardware on each device.
The company also warns:
Do not enable BitLocker protection without additionally restarting the device as it would result in BitLocker recovery.
Various workarounds are listed on the Microsoft support page for the KB4535680 update.
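For administrators rolling the update out to many machines, the practical question is which devices are exposed to the known issue (policy pins PCR7, but the firmware cannot bind it) and how to avoid the recovery prompt in the first place. The script below is an added example and is not from the article or from Microsoft's support page: it collects the PCR7 binding state that Msinfo32 shows, the PCR profile the OS drive's TPM protector is actually sealed to, and whether the policy from the known issue is set, then suspends BitLocker for exactly one restart before the update is installed, the same precaution Microsoft's note prescribes for firmware updates. It assumes the OS volume is C:, that the BitLocker PowerShell module is present, that `$LogPath` is a location of our choosing, and that the registry key used for the policy check is our reading of where that Group Policy is stored.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's code, not Microsoft's). Pre-check a BitLocker-protected
# machine before approving the KB4535680 DBX update. Assumptions: OS volume is C:,
# the BitLocker module is installed, $LogPath is a hypothetical log location, and
# the registry key in Get-Pcr7PolicyState is our reading of where the policy lives.

$OsDrive = 'C:'
$LogPath = Join-Path $env:ProgramData 'KB4535680-bitlocker-precheck.log'

function Get-Pcr7BindingStatus {
    # msinfo32 has no cmdlet, but "/report" writes the same System Summary the
    # GUI shows, including the "PCR7 Configuration" line (Binding Possible,
    # Bound, Binding Not Possible, or Elevation Required to View when not admin).
    $report = Join-Path $env:TEMP 'msinfo32-dbx-precheck.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    try {
        $line = Get-Content -Path $report -Encoding Unicode |
                Where-Object { $_ -match 'PCR7 Configuration\s+(.+)$' } |
                Select-Object -First 1
        if ($line -and $line -match 'PCR7 Configuration\s+(.+)$') { $Matches[1].Trim() }
        else { 'Unknown' }
    } finally {
        Remove-Item -Path $report -ErrorAction SilentlyContinue
    }
}

function Get-TpmPcrProfile {
    # manage-bde prints the sealed PCR list under "PCR Validation Profile:",
    # on the same line or the following one depending on the Windows build.
    $lines = @(& manage-bde.exe -protectors -get $OsDrive 2>&1 | ForEach-Object { "$_" })
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $value = $Matches[1].Trim()
            if (-not $value -and ($i + 1) -lt $lines.Count) { $value = $lines[$i + 1].Trim() }
            return $value
        }
    }
    'No TPM protector on this volume'
}

function Get-Pcr7PolicyState {
    # Assumption: the "native UEFI" platform validation policy is stored here,
    # with one DWORD per PCR number (value name "7" for PCR7).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path -Path $key)) { return 'Not configured (Windows selects the profile)' }
    $p = Get-ItemProperty -Path $key
    if ($p.'7' -eq 1) { 'PCR7 required by policy' } else { 'Configured, PCR7 not selected' }
}

function Invoke-BitLockerPreUpdateCheck {
    $vol  = Get-BitLockerVolume -MountPoint $OsDrive
    $tpm  = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' })
    $state = [pscustomobject]@{
        Time             = Get-Date -Format 'u'
        Computer         = $env:COMPUTERNAME
        Pcr7Binding      = Get-Pcr7BindingStatus
        SealedPcrProfile = Get-TpmPcrProfile
        Pcr7Policy       = Get-Pcr7PolicyState
        ProtectionStatus = "$($vol.ProtectionStatus)"
        Protectors       = (($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ',')
    }
    $state | Format-List | Out-String | Add-Content -Path $LogPath

    # Devices the known issue describes: policy pins PCR7 but the firmware cannot bind it.
    if ($state.Pcr7Policy -like 'PCR7 required*' -and $state.Pcr7Binding -notmatch '^(Bound|Binding Possible)') {
        Add-Content -Path $LogPath -Value "WARNING: PCR7 selected by policy but binding is '$($state.Pcr7Binding)'; have the recovery key for $env:COMPUTERNAME ready."
    }

    # Suspend for exactly one restart: protection resumes on its own after the
    # reboot that applies the DBX change, so nobody has to re-enable it by hand
    # (and nobody can re-enable it without the restart, which would force recovery).
    if ("$($vol.ProtectionStatus)" -eq 'On' -and $tpm.Count -gt 0) {
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
        Add-Content -Path $LogPath -Value "Suspended BitLocker on $OsDrive for one restart; install KB4535680 and reboot now."
    }
    $state
}

Invoke-BitLockerPreUpdateCheck
```

Run it once per machine immediately before installing the update, and after the reboot confirm with `Get-BitLockerVolume -MountPoint C:` that `ProtectionStatus` is back to `On`; if it is still `Off`, resume it with `Resume-BitLocker` only after the machine has completed its post-update restart, which is exactly the condition Microsoft's warning above is about. The log lines flagged `WARNING` are the devices worth staging first, with their recovery keys exported from Active Directory or Azure AD beforehand.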