Bitlocker Recovery Mode after UEFI Update, No Key


2Savage

New member
Local time
12:47 AM
Posts
29
OS
Windows 11
Lenovo Yoga 920-13ikb
bios 5NCN41WW
currently with Win11, likely upgraded from Win10 in the past
From approximately 2017-2018

Helping someone with their Laptop, it was working fine no problems, I went to the Windows Update, and it had Optional update of Lenovo Firmware, the UEFI update, I did that, and it said to restart. After restart, Bitlocker goes into recovery mode.

PC Owner never printed their Bitlocker Recovery Key. They have 2 Windows Users, I only went into 1 of the users, and it was a Local User, not a Microsoft Account User, so it appears that Bitlocker Recovery cannot be accessed from a MS Account. I never saw the other user, so it is possible that it is a MS Account with synced Bitlocker Recovery Key, so I asked the PC owner to log into their MS account from another device, but I followed directions from MS, and MS account explicitly said there was no Bitlocker synced device in their settings.

PC Owner likely never setup Bitlocker themselves, it likely came from Lenovo that way, if this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere! It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the Bitlocker checksum, or TPM key checksum or whatever it is called.

Lastly, of course no one will be shocked that the PC Owner has no backups of her files, and no cloud sync of her files.

What options are left? I will try anything, thank you everyone so much!
 
Last edited:

My Computer

System One

  • OS
    Windows 11
Unfortunately, if the user does not have that recovery key, you are done. There is no way around it. No, rolling back the Firmware will not help you.

As a side note: I'm a little bit surprised that a firmware update would be handled so poorly by Lenovo. On my system, the firmware update specifically warns me about BitLocker and it even performs the suspension of BitLocker for me so that there is no problem upon booting after the update. One difference, however, is that I always apply the updates manually. I don't know if there is an issue with updates that get delivered via Windows Update. If so, that's going to cause problems for a lot of people.

I'm so sorry, I wish that I had better news for you.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
Unfortunately, if the user does not have that recovery key, you are done. There is no way around it. No, rolling back the Firmware will not help you.

As a side note: I'm a little bit surprised that a firmware update would be handled so poorly by Lenovo. On my system, the firmware update specifically warns me about BitLocker and it even performs the suspension of BitLocker for me so that there is no problem upon booting after the update. One difference, however, is that I always apply the updates manually. I don't know if there is an issue with updates that get delivered via Windows Update. If so, that's going to cause problems for a lot of people.

I'm so sorry, I wish that I had better news for you.
I have also never seen a Windows Update of any kind cause a Bitlocker Recovery. It is possible that the Windows update was not what caused this, because the PC Owner said earlier that day she experienced a BSOD, although it was likely not a Bitlocker BSOD. Perhaps the firmware update was unrelated to this issue, and it is being caused by another glitch? I performed almost nothing to this PC besides the Win updates, i installed nothing, uninstalled nothing, did almost no changes, and then this happened.

I disagree with your accessment that a UEFI update rollback could not solve this, because I have seen a similar approach work before. In the past, on a different pc, I had made a change to the EFI partition (not the UEFI firmware), and it caused the BitLocker recovery, but after I reverted the change, it resumed as normal. Do you know how to perform a rollback? On the Lenovo website for this model, it only offers 1 version of the UEFI, and that is the version I had updated to, so I have so far been unable to download the original version, which I would then need to learn how to flash the UEFI manually.
 

My Computer

System One

  • OS
    Windows 11
I agree with @hsehestedt that even if it is possible to rollback the bios, it will not solve the bitlocker issue. You cannot compare changes to a uefi partition to a bios update. partition=apples UEFI firmware=oranges

You might contact Lenovo support but since that laptop is long out of warranty, there is probably a fee for support.

IMO the only way you can recover this device is by installing another hard drive and doing a clean install of windows. There is no way to recover the files on the bitlocked drive.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
It's possible I could be wrong, I'm simply repeating what I have been told in the past. In all honestly, if I were you, I would definitely try a rollback.

For instructions on how, that would be something to check with the OEM. I would hope it would be as easy as installing the old version on top of the new one.

Please do let us know if that works!

PS: This literally just occurred to me as I'm typing...

I suspect that maybe why some people who run into this are not helped when they rollback might be because they have secure boot enabled. If your system does not have secure boot turned on then maybe a rollback might work. This is just a hypothesis, but it gives me hope :-)
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
There seems to be an acknowledged bug with one of the Windows updates which is activating Bitlocker even on Windows Home.
Microsoft are working on a fix but this doesn’t help those currently affected. Their fix seems to be for Pro & Enterprise users only. Afaik Home users need to contact the PC’s manufacturer for the key/instructions.

Microsoft are aware of it, their suggestion is as follows:
1. Run the following command from Administrator command prompt:
Manage-bde -protectors -disable %systemdrive% -rebootcount 2
2. Install the update KB5012170, if not already installed
3. Restart the device.
4. Restart the device again.
5. BitLocker should automatically be enabled after two boots. If you want to manually resume BitLocker to verify that it is enabled, use the following command:
Manage-bde -protectors -Enable %systemdrive%
Next steps: We are working on a resolution and will provide an update in an upcoming release.
If you cannot access command prompt then you may have to enter recovery mode by force restarting the PC several times>Troubleshoot options. If you still cannot access this then you’ll have to boot with the Windows installation media.
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.
Their fix seems to be for Pro & Enterprise users only. Afaik Home users need to contact the PC’s manufacturer for the key/instructions.
I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.
I don't want to put words in anyone's mouth, but my guess is that the distinction is because Home is not supposed to come with BitLocker, therefore a BitLocker fix won't get applied to Home.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
I'm not clear why you made that distinction, as Microsoft doesn't seem to mention any difference.
Because Home doesn’t have Bitlocker.
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.
PC Owner likely never setup Bitlocker themselves, it likely came from Lenovo that way, if this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere! It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the Bitlocker checksum, or TPM key checksum or whatever it is called.
I've seen that happen when purchasing a computer from a store [not directly from the manufacturer] where a password was set by an employee when putting it up for display then that employee was not available to clear the password, only choice was a full factory reset.
 

My Computers

System One System Two

  • OS
    Win11 Pro RTM
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 3400
    CPU
    Intel Core i5 11th Gen. 2.40GHz
    Memory
    12GB
    Hard Drives
    256GB SSD NVMe
  • Operating System
    Windows 11 Pro RTM x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Vostro 5890
    CPU
    Intel Core i5 10th Gen. 2.90GHz
    Memory
    16GB
    Graphics card(s)
    Onboard, no VGA, using a DisplayPort-to-VGA adapter
    Monitor(s) Displays
    24" Dell
    Hard Drives
    512GB SSD NVMe, 2TB WDC HDD
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender/Microsoft Security
I have also never seen a Windows Update of any kind cause a Bitlocker Recovery. It is possible that the Windows update was not what caused this, because the PC Owner said earlier that day she experienced a BSOD, although it was likely not a Bitlocker BSOD. Perhaps the firmware update was unrelated to this issue, and it is being caused by another glitch? I performed almost nothing to this PC besides the Win updates, i installed nothing, uninstalled nothing, did almost no changes, and then this happened.

I disagree with your accessment that a UEFI update rollback could not solve this, because I have seen a similar approach work before. In the past, on a different pc, I had made a change to the EFI partition (not the UEFI firmware), and it caused the BitLocker recovery, but after I reverted the change, it resumed as normal. Do you know how to perform a rollback? On the Lenovo website for this model, it only offers 1 version of the UEFI, and that is the version I had updated to, so I have so far been unable to download the original version, which I would then need to learn how to flash the UEFI manually.
Hello,

When you go to the lenovo download page for your client's PC an copy the download link for the firmware, you can lower the package number by one to get the previous version.
They keep them on the server.
For mine e.g. https://download.lenovo.com/pccbbs/mobiles/n25uj39w.exe
I change 39 to 38 to have the older version.
Ciao, Han
 

My Computers

System One System Two

  • OS
    WIN 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Thinpad X1 Yoga 3gen
    CPU
    i7-8550U
    Memory
    16 GB lpddr3
    Screen Resolution
    2560x1440
    Hard Drives
    NVME SSD 2TB Samsung PM981
    Mouse
    Logitech M590
    Internet Speed
    350 Mbps down and up from 500 advertised
    Browser
    Firefox
    Antivirus
    Windows Security, Malwarebytes
    Other Info
    Acronis TrueImage 2019
  • Operating System
    Win 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo Tiny M920x
    CPU
    i7-8700T
    Memory
    32 GB DDR4
    Sound Card
    MOTU M4
    Monitor(s) Displays
    DELL P2418D
    Screen Resolution
    2560 x 1440
    Hard Drives
    NVME SSD 2TB Samsung PM981a
    NVME SSD 1TB Samsung PM981a
    SSD Sandisk 1T Sata
    Mouse
    Logitech M590
    Browser
    Firefox
    Antivirus
    Windows Security, Malwarebytes
    Other Info
    Acronis TrueImage 2019
you can lower the package number by one to get the previous version.
This is not always true with all computers. In some cases you can downgrade a bios, unless that bios you're trying to replace involved security issues. At least I am speaking from a Dell standpoint. There will be some occasions when the BIOS downgrade will not be allowed due to BIOS dependency, meaning the current BIOS has changes that cannot be downgraded. In such cases Dell will not allow a bios downgrade. I'm not exactly sure why. I think it's because Dell has their own motherboards. Though they use other third party hardware, the bios belong to Dell and they control whether one can be downgraded or not. Whether it is the same in all branded systems, I can not say.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium

Latest Support Threads

Back
Top Bottom