Windows 10: Important Secure Boot/Bitlocker Bug-Fix

[German]Today a short note for Windows 10 users who use Bitlocker with Secure Boot. And Microsoft has released an important Servicing Stack Update (SSU) for all supported Windows 10 versions, which is supposed to solve a Bitlocker problem in connection with Secure Boot.

Preliminary note: Users with Windows 10 Home are not affected by the following instructions.

Secure Boot affects Bitlocker

UEFI and Secure Boot are always good for trouble. For Microsoft's Surface devices, for example, the problem is known that Bitlocker goes into recovery mode and requires a recovery key when an update to the UEFI or TPM firmware is installed.

In general, however, there is a bug in the secure boot of UEFI systems that causes an activated bitlocker to be forced into recovery mode at system startup. Microsoft now tackles this problem with a Servicing Stack Update (SSU).Generell gibt es aber wohl im Secure Boot von UEFI-Systemen einen Bug, der dazu führt, dass ein aktiviertes Bitlocker beim Systemstart in den Recovery-Mode gezwungen wird. Genau dieses Problem packt Microsoft nun mit einem Servicing Stack Update (SSU) an.

Update KB4509096 for Windows 10 V1903

On July 9, 2019, Microsoft released the Servicing Stack Update (SSU) KB4509096 for Windows 10 Version 1903 as part of the regular patchday. As usual, Microsoft promises quality improvements in the Servicing Stack so that Windows updates can be installed more easily afterwards. This time, however, the SSU KB4509096 contains important information. Microsoft points out an important fix in the Key-Changes:

Addresses an issue with a Secure Boot feature update that may cause BitLocker to go into recovery mode because of a race condition.

This update addresses an issue related to a secure boot feature update. A race condition occurs when starting a system with Secure Boot enabled. I interpret it to mean that it can cause the Bitlocker module to become active before the Secure Boot checks are complete. As a result, Bitlocker is forced into recovery mode, in which a recovery key is queried.

The update is automatically distributed via Windows Update, but is also available via Microsoft Update Catalog. A restart is not required after installing the SSU and there are no installation requirements.

Updates for Windows 10 V1507 to V1809

If you browse the list of Servicing Stack updates under ADV990001 and call up the corresponding KB articles, they all contain the reference to the Bitlocker fix. Here is the list of relevant updates

The updates are provided via Windows Update and may be downloaded from Microsoft Update Catalog.

Microsoft and the SSU Recommendation

Microsoft strongly recommends that you install the latest Service Stack Update (SSU) on Windows 10 V1903 before installing the latest Cumulative Update (LCU). By installing Service Stack Updates (SSU), users ensure, according to Microsoft, that they have a robust and reliable service stack so that their devices can receive and install Microsoft security fixes.

You can find some information where a Servicing Stack Update is running around (namely in the Windows PE phase when restarting during the Windows Update installation) in this forum post.

Microsoft actually recommends this for all updates and writes in its KB articles that the required SSUs are automatically taken into account when installing via Windows Update. But Redmond doesn't get it right with Windows 10 – I remember my blog post Windows 10: SSU issue addressed in SCCM UserVoice. Administrators who manage updates using software tools such as WSUS or SCCM should ensure that the KB4509096 update is installed in any case.

At this point a little hint (thanks to Jan Schüssler from heise for the hint). The SSU KB4509096 does not appear in the list of installed updates in Windows Update (i.e. the update process, see picture above). If you go to "Uninstall Updates" in the classic Control Panel, the SSU is listed.

Article series: 
Windows 10: Important Secure Boot/Bitlocker Bug-Fix
Windows 10: Bitlocker encrypts automatically

Similar articles
BitLocker management in enterprise environments
Dell: New BIOS is causing Bitlocker issues
Bitlocker on SSDs: Microsoft Security Advisory Notification (Nov. 6, 2018)
SSD vulnerability breaks (Bitlocker) encryption
Windows 10 V1803: Fix for Bitlocker bug in Nov. 2018?

 

This entry was posted in issue, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *