Worried about Windows BitLocker recovery error? 6 things you need to know

[Image: Windows keyboard. Photo: Nikolas Kokovlis/NurPhoto via Getty Images]

Five years ago, after a particularly embarrassing series of buggy Windows updates, Microsoft vowed to do better. Part of the cleanup program was the introduction of a “Release Health Dashboard” that documents the status of known issues with each update.


This transparency is certainly a good thing, but sometimes these disclosures raise more questions than they answer. A typical example is the Release Health Dashboard entry that flagged the July 2024 Security Update as a known issue affecting PCs running Windows 10 and Windows 11 and several versions of Windows Server; see “Device may boot into BitLocker recovery with July 2024 Security Update.”

On affected PCs and servers, Windows refuses to launch the normal login screen and instead displays a blue screen like the one shown here:

[Screenshot: BitLocker recovery preboot screen. If you see this screen, an error occurred during startup and you must verify your identity to recover your data. Screenshot from Microsoft Support]

As the Microsoft report dryly notes, “This screen typically doesn’t appear after a Windows update.” The warning doesn’t specify a cause for the problem, but offers a hint: “This issue is more likely to occur if you have the Device Encryption option enabled in Settings under Privacy and security -> Device encryption.”


After entering the recovery key, Windows will start normally. If you cannot find the recovery key, your data will be lost forever.

That sounds bad, but the story is not nearly as alarming as the media coverage makes it out to be. I’ve been looking into this issue in depth over the past week. Here’s what I’ve found out.

How widespread is this error?

In typically frustrating fashion, Microsoft didn’t provide any details on how common this issue is or what triggers it. It obviously doesn’t affect all machines that received the July 2024 security update. (If it did, the update would have been pulled immediately and made headlines.) It hasn’t occurred on any machines I’ve tested, and I haven’t heard from any affected readers. When I searched Microsoft’s community forums, I found no reports of this bug.

On Reddit, I found several network administrators reporting that this issue affected multiple machines in their organization. (See this thread and this one for examples.) It appears that all of the devices were HP or Lenovo laptops managed on corporate networks that received firmware updates as part of the July 2024 Patch Tuesday update.

When I asked Microsoft for more details on the scope of the issue, a company spokesperson said, “Microsoft has nothing further to share beyond the information available in the following resources,” and provided links to an overview of BitLocker technology (with the “Device Encryption” section highlighted) and a support article titled “BitLocker Drive Encryption in Windows 11 for OEMs.”

Why does this happen?

BitLocker is a highly effective security option that encrypts the contents of an entire drive so that no one can access them without your permission. BitLocker works in conjunction with a Trusted Platform Module (TPM) and the Secure Boot feature, using the TPM to securely store a fingerprint of your boot configuration.

When you see the recovery prompt, it usually means that something BitLocker checks during the boot process does not match what it expects, so instead of reaching the normal login screen it asks you to enter the recovery key. This can happen for all sorts of reasons, which may or may not involve an external attacker.


The support article that the Microsoft spokesperson pointed me to also contains a section titled “BitLocker recovery scenarios” that lists no fewer than 15 “examples of common events that cause a device to enter BitLocker recovery mode when Windows starts.” The list includes some actions that are typical of an unauthorized person trying to access data on the device, such as changing the boot manager or NTFS partitions on the hard drive, disabling the TPM, or moving the BitLocker-protected drive to a new computer.

But you can also trigger BitLocker recovery by updating critical early-boot components, for example with a BIOS or UEFI firmware upgrade, which is presumably what happened here. Firmware upgrades are supposed to suspend BitLocker protection while they install, but that apparently did not happen on the laptops in question.

What is the difference between BitLocker and device encryption?

Device encryption is a feature that comes standard on all modern PCs designed for Windows 11. It works with all editions of Windows (including Home edition) and encrypts the contents of the system drive. It is enabled by default, but is only activated when you sign in with a free Microsoft account or an Entra ID account. In these cases, the recovery key is automatically saved to that account’s dashboard.


BitLocker Drive Encryption is available only in the business-oriented Pro, Enterprise, and Education editions of Windows. It lets you encrypt the system volume as well as secondary drives and removable storage devices such as USB flash drives. This version of BitLocker includes a full set of management tools.

Is your system drive encrypted?

The device encryption feature is controlled with a simple toggle switch in Windows Settings. In Windows 11, you can find this switch under Settings > Privacy and security > Device encryption.

If this switch is unavailable, your system does not currently meet the requirements for device encryption. A common reason is that the TPM is unavailable. You can find the details by opening the System Information utility (Msinfo32.exe) with administrator credentials; at the bottom of the System Summary page, look for a line labeled “Device Encryption Support.”

Have you saved a backup of your recovery key?

As mentioned, Windows automatically stores a copy of your recovery key in your Microsoft account. If you’re ever asked to enter that key, you can find it by opening a browser window (on a PC, Mac, or mobile device) and going to microsoft.com/recoverykey.

Sign in with the account you used on the device that shows the recovery prompt. You will then be taken to a page like this:

[Screenshot: BitLocker recovery key page in the Microsoft account dashboard. You can find your BitLocker recovery keys here. Screenshot by Ed Bott/ZDNET]

There you can search for your device name and confirm that the recovery key is accessible. You can also copy this key into a text file, print it, and keep it somewhere safe.

If you prefer to find your recovery key using PowerShell, open PowerShell as an administrator and run the following command:

(Get-BitLockerVolume -MountPoint C).KeyProtector

The output lists each key protector on the C: volume; the RecoveryPassword entry contains the 48-digit recovery key.
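An added PowerShell example, not from the article or from Microsoft, that extends the one-liner above: it reports TPM readiness and the BitLocker state of every volume, writes each RecoveryPassword protector to a file you then move off the machine, and, with the -SuspendForFirmwareUpdate switch, suspends protection for a single reboot before a BIOS/UEFI update (the trigger the article suspects). The export path and the switch name are assumptions; the cmdlets are the standard BitLocker and TPM modules in Windows 10/11, run from an elevated session.

```powershell
# Added example (not the article's code). Assumes an elevated PowerShell session
# on Windows 10/11 with the BitLocker and TrustedPlatformModule modules present.
param(
    [string]$ExportPath = "$env:USERPROFILE\Desktop\bitlocker-recovery-keys.txt",  # assumed path
    [switch]$SuspendForFirmwareUpdate                                               # assumed switch name
)

# An absent or not-ready TPM is the usual reason the Device Encryption toggle is missing.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    "{0} {1,-20} protection={2} method={3}" -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionMethod

    # Only RecoveryPassword protectors hold the 48-digit key the recovery screen asks for.
    $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$($v.MountPoint) has no recovery password protector: if the TPM check fails there is no key to enter."
        continue
    }
    foreach ($p in $rp) {
        # The file lives on the encrypted drive, so move it elsewhere (print it, or keep it
        # with the Microsoft account) before you rely on it.
        "{0} {1} {2}" -f $v.MountPoint, $p.KeyProtectorId, $p.RecoveryPassword | Add-Content -Path $ExportPath
    }
}
"Recovery passwords written to $ExportPath"

# Before a BIOS/UEFI update, suspend protection for one reboot so the changed boot
# measurements do not land you on the recovery screen. Protection resumes by itself
# after that reboot; Resume-BitLocker re-enables it earlier if needed.
if ($SuspendForFirmwareUpdate) {
    foreach ($v in ($volumes | Where-Object VolumeType -eq 'OperatingSystem')) {
        if ($v.ProtectionStatus -eq 'On') {
            Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 1 | Out-Null
            "Suspended BitLocker on $($v.MountPoint) for one reboot"
        }
    }
}
```

Run it once without the switch to confirm a recovery password exists for C: before any firmware update; the warning branch is the case where a recovery prompt would mean data loss.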

Should you disable encryption?

If you’re worried that you might get locked out of your PC due to a BitLocker error, you can disable device encryption by going to the Settings page and sliding the Device Encryption switch to the Off position.


However, this is an extreme solution to a problem that probably won’t affect you. If you have a backup of your recovery key, you’re at no risk of data loss and you’re completely protected from a thief turning your digital life upside down by stealing your laptop and accessing your data files.

By Olivia
