Bitlocker Recovery Mode after UEFI Update, No Key


2Savage

Lenovo Yoga 920-13ikb
bios 5NCN41WW
currently with Win11, likely upgraded from Win10 in the past
From approximately 2017-2018

I'm helping someone with their laptop. It was working fine, no problems. I went to Windows Update, and it had an optional update of Lenovo firmware, the UEFI update. I did that, and it said to restart. After the restart, BitLocker goes into recovery mode.

The PC owner never printed their BitLocker recovery key. They have 2 Windows users. I only went into 1 of the users, and it was a local user, not a Microsoft account user, so it appears that BitLocker recovery cannot be accessed from an MS account. I never saw the other user, so it is possible that it is an MS account with a synced BitLocker recovery key, so I asked the PC owner to log into their MS account from another device, but I followed directions from MS, and the MS account explicitly said there was no BitLocker synced device in their settings.

The PC owner likely never set up BitLocker themselves; it likely came from Lenovo that way. If this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere! It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the BitLocker checksum, or TPM key checksum or whatever it is called.

Lastly, of course no one will be shocked that the PC Owner has no backups of her files, and no cloud sync of her files.

What options are left? I will try anything, thank you everyone so much!
 
Unfortunately, if the user does not have that recovery key, you are done. There is no way around it. No, rolling back the Firmware will not help you.

As a side note: I'm a little bit surprised that a firmware update would be handled so poorly by Lenovo. On my system, the firmware update specifically warns me about BitLocker and it even performs the suspension of BitLocker for me so that there is no problem upon booting after the update. One difference, however, is that I always apply the updates manually. I don't know if there is an issue with updates that get delivered via Windows Update. If so, that's going to cause problems for a lot of people.

I'm so sorry, I wish that I had better news for you.
 

> Unfortunately, if the user does not have that recovery key, you are done. There is no way around it. No, rolling back the Firmware will not help you.
>
> As a side note: I'm a little bit surprised that a firmware update would be handled so poorly by Lenovo. On my system, the firmware update specifically warns me about BitLocker and it even performs the suspension of BitLocker for me so that there is no problem upon booting after the update. One difference, however, is that I always apply the updates manually. I don't know if there is an issue with updates that get delivered via Windows Update. If so, that's going to cause problems for a lot of people.
>
> I'm so sorry, I wish that I had better news for you.

I have also never seen a Windows Update of any kind cause a BitLocker recovery. It is possible that the Windows update was not what caused this, because the PC owner said earlier that day she experienced a BSOD, although it was likely not a BitLocker BSOD. Perhaps the firmware update was unrelated to this issue, and it is being caused by another glitch? I did almost nothing to this PC besides the Windows updates; I installed nothing, uninstalled nothing, made almost no changes, and then this happened.

I disagree with your assessment that a UEFI update rollback could not solve this, because I have seen a similar approach work before. In the past, on a different PC, I had made a change to the EFI partition (not the UEFI firmware), and it caused the BitLocker recovery, but after I reverted the change, it resumed as normal. Do you know how to perform a rollback? On the Lenovo website for this model, it only offers 1 version of the UEFI, and that is the version I had updated to, so I have so far been unable to download the original version, and I would then need to learn how to flash the UEFI manually.
 

I agree with @hsehestedt that even if it is possible to roll back the BIOS, it will not solve the BitLocker issue. You cannot compare changes to a UEFI partition to a BIOS update. Partition = apples, UEFI firmware = oranges.

You might contact Lenovo support, but since that laptop is long out of warranty, there is probably a fee for support.

IMO the only way you can recover this device is by installing another hard drive and doing a clean install of Windows. There is no way to recover the files on the bitlocked drive.
 

It's possible I could be wrong; I'm simply repeating what I have been told in the past. In all honesty, if I were you, I would definitely try a rollback.

For instructions on how, that would be something to check with the OEM. I would hope it would be as easy as installing the old version on top of the new one.

Please do let us know if that works!

PS: This literally just occurred to me as I'm typing...

I suspect that maybe why some people who run into this are not helped when they roll back might be because they have Secure Boot enabled. If your system does not have Secure Boot turned on then maybe a rollback might work. This is just a hypothesis, but it gives me hope :-)
 

There seems to be an acknowledged bug with one of the Windows updates which is activating BitLocker even on Windows Home.
Microsoft are working on a fix but this doesn’t help those currently affected. Their fix seems to be for Pro & Enterprise users only. AFAIK, Home users need to contact the PC’s manufacturer for the key/instructions.

Microsoft are aware of it, their suggestion is as follows:
1. Run the following command from Administrator command prompt:
Manage-bde -protectors -disable %systemdrive% -rebootcount 2
2. Install the update KB5012170, if not already installed
3. Restart the device.
4. Restart the device again.
5. BitLocker should automatically be enabled after two boots. If you want to manually resume BitLocker to verify that it is enabled, use the following command:
Manage-bde -protectors -Enable %systemdrive%
Next steps: We are working on a resolution and will provide an update in an upcoming release.
If you cannot access the command prompt then you may have to enter recovery mode by force restarting the PC several times > Troubleshoot options. If you still cannot access this then you’ll have to boot with the Windows installation media.
 

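A pre-update check that follows from the posts above, written for this page as an added example (not Microsoft's, Lenovo's or any poster's code): it makes sure a recovery password protector exists and is shown for off-device recording before BitLocker is suspended for the firmware reboots. The function name `Invoke-PreFirmwareBitLockerCheck` and its defaults are assumptions; the cmdlets come from the built-in BitLocker PowerShell module and need an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: run BEFORE applying a UEFI/BIOS update on a BitLocker volume.
# Function name and default values are choices made for this example.

function Invoke-PreFirmwareBitLockerCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Number of reboots during which protection stays suspended.
        [ValidateRange(1, 15)][int]$RebootCount = 2
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A fully decrypted volume cannot end up in BitLocker recovery.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output "$MountPoint is not encrypted; no BitLocker action needed."
        return
    }

    # The numerical recovery password is the fallback when the TPM will not
    # release the key after the boot measurements change.
    $recovery = @($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0 -and
        $PSCmdlet.ShouldProcess($MountPoint, 'Add recovery password protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint `
            -RecoveryPasswordProtector -WarningAction SilentlyContinue | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    if ($recovery.Count -eq 0) {
        Write-Warning "No recovery password on $MountPoint. Do not update firmware yet."
        return
    }

    # Show ID and password so they can be printed or stored off this machine.
    $recovery | Format-List KeyProtectorId, RecoveryPassword

    # Suspend only if protection is currently on; it resumes by itself
    # after $RebootCount restarts.
    if ($vol.ProtectionStatus -eq 'On' -and
        $PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $RebootCount reboots")) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    }

    # Report the state the firmware update will run against.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

Invoke-PreFirmwareBitLockerCheck -WhatIf   # dry run; drop -WhatIf to apply
```

Record the displayed recovery password somewhere other than the encrypted drive before removing `-WhatIf` and starting the firmware update.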
> Their fix seems to be for Pro & Enterprise users only. AFAIK, Home users need to contact the PC’s manufacturer for the key/instructions.

I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.
 

> I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.

I don't want to put words in anyone's mouth, but my guess is that the distinction is because Home is not supposed to come with BitLocker, therefore a BitLocker fix won't get applied to Home.
 

> I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.

Because Home doesn’t have BitLocker.
 

> The PC owner likely never set up BitLocker themselves; it likely came from Lenovo that way. If this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere! It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the BitLocker checksum, or TPM key checksum or whatever it is called.

I've seen that happen when purchasing a computer from a store [not directly from the manufacturer] where a password was set by an employee when putting it up for display, then that employee was not available to clear the password; the only choice was a full factory reset.
 

> I have also never seen a Windows Update of any kind cause a BitLocker recovery. It is possible that the Windows update was not what caused this, because the PC owner said earlier that day she experienced a BSOD, although it was likely not a BitLocker BSOD. Perhaps the firmware update was unrelated to this issue, and it is being caused by another glitch? I did almost nothing to this PC besides the Windows updates; I installed nothing, uninstalled nothing, made almost no changes, and then this happened.
>
> I disagree with your assessment that a UEFI update rollback could not solve this, because I have seen a similar approach work before. In the past, on a different PC, I had made a change to the EFI partition (not the UEFI firmware), and it caused the BitLocker recovery, but after I reverted the change, it resumed as normal. Do you know how to perform a rollback? On the Lenovo website for this model, it only offers 1 version of the UEFI, and that is the version I had updated to, so I have so far been unable to download the original version, and I would then need to learn how to flash the UEFI manually.

Hello,

When you go to the Lenovo download page for your client's PC and copy the download link for the firmware, you can lower the package number by one to get the previous version.
They keep them on the server.
For mine e.g. https://download.lenovo.com/pccbbs/mobiles/n25uj39w.exe
I change 39 to 38 to have the older version.
Ciao, Han
 

> you can lower the package number by one to get the previous version.

This is not always true with all computers. In some cases you can downgrade a BIOS, unless the BIOS you're trying to replace involved security issues. At least I am speaking from a Dell standpoint. There will be some occasions when the BIOS downgrade will not be allowed due to BIOS dependency, meaning the current BIOS has changes that cannot be downgraded. In such cases Dell will not allow a BIOS downgrade. I'm not exactly sure why. I think it's because Dell has their own motherboards. Though they use other third-party hardware, the BIOS belongs to Dell and they control whether one can be downgraded or not. Whether it is the same in all branded systems, I cannot say.
 
