Something like a personal webpage

Bitlocker Disaster

[UPDATE: 2022-10-06]

It turns out that this was most likely the result of a genuine Lenovo BIOS bug. On that day, Lenovo published a BIOS update whose change log contained the following:

[Problem fixes]
 - Fixed an issue where BitLocker Recovery key prompt after BIOS Update.

[Original article]

Microsoft developed a form of full disk encryption for the Windows operating system called BitLocker. In my experience, BitLocker is well-designed and, in fact, it’s one of the features that keeps me begrudgingly using Windows as my daily driver laptop operating system.

Last night, however, I encountered a disastrous situation with BitLocker that caused full data loss of the encrypted drive - BitLocker ruined my son’s laptop, requiring a reinstall of Windows from scratch.

Apparently Windows has been opportunistically enabling BitLocker on a lot of newer systems but leaving it in a “waiting for activation” state as described here:

The problem with this is that it can leave the user in a situation where they are forced into BitLocker recovery for a recovery key that they never had the chance to save in the first place! In the case of my son’s computer, his account was configured as an “offline account” and he never signed in to a Microsoft account where the recovery key could’ve been automatically backed up. He used his system in this state for quite some time without any problems, as I expect that most users in this state do based on the apparent sparsity of internet posts similar to this one :-).

A Lenovo BIOS update for his system later made BitLocker think that the secure boot options had changed. I don’t know precisely what the change was, but it was probably related to

Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

as described in the BitLocker recovery link above. In any case, the system rebooted into BitLocker recovery asking for a recovery key that I simply did not possess. As described in the BitLocker recovery key FAQ:

Important: If your device is asking you for your BitLocker recovery key, there is no “back door,” there are no workarounds, and Microsoft support can’t provide you with the missing key or create a new one for you. You will need that 48-digit key to unlock your device.

I quickly lost hope of any recovery method other than reinstalling the operating system.

I was astonished that Microsoft would allow BitLocker to operate in such a precarious state. Like many other technical professionals, I help family members and friends who are not technically savvy. Here’s my succinct advice to avoid this same precarious situation if you are helping a nontechnical Windows user.

Using the methods described in the post I referred to above, check if the boot drive (almost certainly C:\) is in a “BitLocker waiting for activation” state. If it is in this state, take one of the following actions:

This is my takeaway from this disaster, and hopefully it helps someone else avoid similar misery. If you don’t take one of the steps above, I think you are courting disaster and the risk of data loss is very high. The next time you help that nontechnical user again, it might be to install Windows from scratch!
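The check in the advice above, as an added example (PowerShell written for this page, not the author's own script): it classifies a volume's state from Get-BitLockerVolume and also flags a protected volume that has no recovery password protector at all. The mapping of "waiting for activation" to "fully encrypted, protection off, no key protectors" is my assumption, based on what manage-bde reports on such systems.

```powershell
# Added example, not from the original post: classify a BitLocker volume the way
# the advice above asks (is C: sitting in "waiting for activation"?) and report
# whether a recovery password protector exists at all. Run from an elevated
# PowerShell on Windows; uses only the built-in BitLocker module.
# Assumption: "waiting for activation" shows as a fully encrypted volume with
# protection Off and no key protectors listed.
function Get-BitLockerActivationState {
    param([string]$MountPoint = 'C:')

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector)
    $recovery   = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
             elseif ($vol.ProtectionStatus -eq 'Off' -and $protectors.Count -eq 0) { 'WaitingForActivation' }
             elseif ($vol.ProtectionStatus -eq 'Off') { 'Suspended' }   # protectors exist, protection paused
             else { 'Protected' }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectorTypes   = ($protectors.KeyProtectorType -join ', ')
        State               = $state
        HasRecoveryPassword = ($recovery.Count -gt 0)
    }
}

# Report every operating-system volume and flag the two situations in which a
# firmware-triggered recovery prompt would ask for a key nobody has saved.
foreach ($v in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $s = Get-BitLockerActivationState -MountPoint $v.MountPoint
    $s | Format-List
    if ($s.State -eq 'WaitingForActivation') {
        Write-Warning "$($s.MountPoint) is encrypted but waiting for activation: a boot-measurement change could force recovery with no saved key."
    } elseif ($s.State -eq 'Protected' -and -not $s.HasRecoveryPassword) {
        Write-Warning "$($s.MountPoint) is protected but has no recovery password protector; back one up before the next firmware update."
    }
}
```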