It turns out that this was most likely the result of a genuine Lenovo BIOS bug. This day, Lenovo published a BIOS update that contained the following in the change log:
[Problem fixes] - Fixed an issue where BitLocker Recovery key prompt after BIOS Update.
Microsoft developed a form of full disk encryption for the Windows operating system called BitLocker. In my experience, BitLocker is well-designed and, in fact, it’s one of the features that keeps me begrudgingly using Windows as my daily driver laptop operating system.
Last night, however, I encountered a disastrous situation with BitLocker that caused full data loss of the encrypted drive - BitLocker ruined my son’s laptop, requiring a reinstall of Windows from scratch.
Apparently Windows has been opportunistically enabling BitLocker on a lot of newer systems but leaving it in a “waiting for activation” state as described here: https://superuser.com/questions/1299600/is-a-volume-with-bitlocker-waiting-for-activation-encrypted-or-not
The problem with this is that it can leave the user in a situation where they are forced into BitLocker recovery for a recovery key that they never had the chance to save in the first place! In the case of my son’s computer, his account was configured as an “offline account” and he never signed in to a Microsoft account where the recovery key could’ve been automatically backed up. He used his system in this state for quite some time without any problems, as I expect that most users in this state do based on the apparent sparsity of internet posts similar to this one :-).
A Lenovo BIOS update for his system later made BitLocker think that the secure boot options had changed. I don’t know precisely what the change was, but it was probably related to
Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
as described in the BitLocker recovery link above. In any case, the system rebooted into BitLocker recovery asking for a recovery key that I simply did not possess. As described in the BitLocker recovery key FAQ:
Important: If your device is asking you for your BitLocker recovery key, there is no “back door,” there are no workarounds, and Microsoft support can’t provide you with the missing key or create a new one for you. You will need that 48-digit key to unlock your device.
I quickly lost hope of any recovery method other than reinstalling the operating system.
I was astonished that Microsoft would allow BitLocker to operate in such a precarious state. Like many other technical professionals, I help family members and friends who are not technically savvy. Here’s my succinct advice to avoid this same precarious situation if you are helping a nontechnical Windows user.
Using the methods described in the superuser.com
I referred to above, check if the
boot drive (almost certainly
C:\) is in a “BitLocker waiting for activation” state. If it is
in this state, take one of the following actions:
- if this particular user has a good reason to have BitLocker enabled on this particular system, make sure to back up the recovery key in some reliable method that satisfies BitLocker activation. Cases where this might be a good choice are: if the system will hold sensitive personal information; if it uses a solid state drive such as an SSD or NVMe drive that is resistant to systematic erasure prior to disposal; if the system is a laptop that will be carried around and is at greater risk of being lost or stolen. Most modern computers meet all of these criteria which is certainly why Microsoft has chosen to enable BitLocker by default.
- if this particular user has no good reason to have BitLocker enabled on this particular system, then be sure to TURN IT OFF EXPLICITLY! Cases where this might be a good choice are: if the user can’t be trusted to maintain a BitLocker recovery key backup; absolutely no personal data is ever entered into the system; if the system uses a traditional spinning hard drive that can be reliably erased before the hardware is disposed of. (Actually, I suspect BitLocker would not be automatically enabled on such a system, but it can’t hurt to check…)
This is my takeaway from this disaster, and hopefully it helps someone else avoid similar misery. If you don’t take one of the steps above, I think you are courting disaster and the risk of data loss is very high. The next time you help that nontechnical user again, it might be to install Windows from scratch!