Bitlocker Recovery after UEFI update, no Key

BrutalMoose

Well-Known Member
Lenovo Yoga 920-13ikb
bios 5NCN41WW
currently with Win11, likely upgraded from Win10 in the past
From approximately 2017-2018

“You need to enter your recovery key because Secure Boot policy has unexpectedly changed.”

Helping someone with their laptop. It was working fine, no problems. I went to Windows Update, and it had an optional update of UEFI/BIOS firmware; I did that, and it said to restart. After the restart, BitLocker went into recovery mode.

The PC owner never printed their BitLocker recovery key. They have 2 Windows users. I only went into 1 of the users, and it was a local user, not a Microsoft account user, so it appears that the BitLocker recovery key cannot be accessed from an MS account. I never saw the other user, so it is possible that it is an MS account with a synced BitLocker recovery key, so I asked the PC owner to log into their MS account from another device. I followed directions from MS, and the MS account explicitly said there was no BitLocker-synced device in their settings.

The PC owner likely never set up BitLocker themselves; it likely came already activated with Lenovo's OEM version of Windows. While Lenovo did not invent Microsoft's BitLocker, they provide you with an OEM version of Windows that has it already activated. I have viewed the temporary boot menu in the UEFI; there is no Lenovo OneKey Recovery option. I have seen many computers with BitLocker device encryption already activated the first time you boot into Windows. If this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere!

It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the BitLocker checksum, or TPM key checksum, or whatever it is called. Is that true? Will that work?

I would also expect there is a button to push somewhere to revert the UEFI back a version. If this obvious feature is not provided by Lenovo, then my next question is: if I manually perform a UEFI rollback, does that step destroy the TPM key? If it destroys the TPM key, then it will not fix the BitLocker issue. If I need to download the previous UEFI version from their website, then does anyone know why Lenovo only provides 1 UEFI version on their website, listed below? Shouldn't they provide the older version as well?

I have seen multiple situations on other computers where, if I make a change to the EFI partition for example, then BitLocker recovery mode happens, and if I revert the change, BitLocker recovery mode goes away. That is what I am suggesting with the UEFI rollback. I am well aware of the difference between the UEFI motherboard settings and the EFI partition on the disk; no low-hanging fruit to grab there.

Lastly, of course no one will be shocked that the PC Owner has no backups of her files, and no cloud sync of her files.

I read an article that is very similar to this issue:


On the BitLocker recovery screen, to my surprise it actually says what caused this issue: “You need to enter your recovery key because Secure Boot policy has unexpectedly changed.”


Neemobeer

Cloud Security Engineer
Staff member
In order for a Windows device to have BitLocker, the device must have Windows Pro or Enterprise licensing, which is not typically the case for a home user. Secondly, the user would have had to have enabled BitLocker. It typically does not come pre-enabled, except in some cases where, say, a company has an agreement or is paying for a service some manufacturers offer where they receive an image to pre-load from a customer; again, not usually the case with a home user.

If you are able to install the exact firmware version, it may allow measured boot to pass; however, if there is a timestamp or CRC value introduced when the TPM PCR values are calculated, then rolling back the firmware will not work. The only option at that point would be to reinstall Windows.
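The reply above describes why a firmware change trips recovery: the TPM protector is sealed to PCR measurements (PCR 7 carries the Secure Boot policy), and a new firmware image changes them. The following pre-flight script is an added example, not code from the thread or from Lenovo: it records the recovery password and suspends BitLocker for one reboot before a UEFI update is applied, which is the step that avoids this situation. It assumes the system drive is C:, an elevated PowerShell prompt, and a UEFI system (Confirm-SecureBootUEFI fails on legacy BIOS).

```powershell
# Added example (not from the thread): pre-flight check before applying a UEFI/BIOS update
# on a BitLocker-protected Windows 10/11 machine. Run from an elevated PowerShell prompt.
# Assumption: the system drive is C:.
$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount
"Volume $($vol.MountPoint): status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus) method=$($vol.EncryptionMethod)"

# The TPM protector is sealed to PCR measurements; PCR 7 covers the Secure Boot policy.
# A firmware update that changes those measurements is exactly what sends BitLocker into recovery.
$tpm = Get-Tpm
"TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"
"Secure Boot enabled=$(Confirm-SecureBootUEFI)"

# List protectors. The RecoveryPassword protector is the 48-digit key; its ID is the
# identifier shown on the blue recovery screen, so it must be saved before the update.
foreach ($p in $vol.KeyProtector) {
    $line = "  protector type=$($p.KeyProtectorType) id=$($p.KeyProtectorId)"
    if ($p.KeyProtectorType -eq 'RecoveryPassword') { $line += " password=$($p.RecoveryPassword)" }
    $line
}

# Write the recovery password to a file (constructed path; point it at removable media or
# another device, never only at the encrypted disk itself).
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if ($rp) {
    $out = Join-Path $env:USERPROFILE 'Desktop\BitLocker-Recovery-Key.txt'
    "Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $out
    "Recovery key written to $out - copy it off this machine before continuing"
} else {
    "No RecoveryPassword protector found; add one with: Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector"
}

# Suspend protection for exactly one reboot so the firmware update does not trip recovery.
# BitLocker re-enables itself after that reboot and re-seals the key to the new measurements.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $mount -RebootCount 1 | Out-Null
    "BitLocker suspended for 1 reboot; apply the firmware update now, then verify with Get-BitLockerVolume"
}
```

Running this after the update has already triggered recovery does not help, because the volume cannot be unlocked without the key; it is the check to run before the next optional firmware update on any BitLocker-protected machine.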

BrutalMoose

Well-Known Member
In order for a Windows device to have BitLocker, the device must have Windows Pro or Enterprise licensing, which is not typically the case for a home user. Secondly, the user would have had to have enabled BitLocker. It typically does not come pre-enabled, except in some cases where, say, a company has an agreement or is paying for a service some manufacturers offer where they receive an image to pre-load from a customer; again, not usually the case with a home user.

If you are able to install the exact firmware version, it may allow measured boot to pass; however, if there is a timestamp or CRC value introduced when the TPM PCR values are calculated, then rolling back the firmware will not work. The only option at that point would be to reinstall Windows.

Thank you Neemobeer. I have rewritten my original post with a lot of new info. This issue is very similar to the article above.

In reply to the firmware solution, that raises 2 questions. How do I find out what my old firmware version was? Also, the Lenovo website I have linked you to (above) only provides 1 firmware version, which I thought was odd and unusual. The only version available is the one I just installed. If they do not provide the old version, how do I get it? Also, if I reinstall the firmware, how do you know that will not wipe the TPM key or Intel PTT key?

Neemobeer

Cloud Security Engineer
Staff member
There is no way to know which version you had. You might be able to get a copy by contacting Lenovo, but there is no guarantee of that. Firmware and the TPM are unrelated in terms of data storage, so updates or rollbacks should not impact the TPM content.

BrutalMoose

Well-Known Member
As you can see in the link I sent you above, Lenovo only provides 1 version of the UEFI, and it is the same current version I just updated to.

If I wanted to reinstall the same version, or downgrade to an earlier UEFI version (if I found one), how would I create one with the .exe file they provide? I have already tried using the .exe file on another PC, and it detects that it is on the wrong PC. I also tried starting the .exe on Hiren's, but it looks for the EFI partition on the current USB disk, not on the SSD inside. Ideas?