🛠️ Fix BitLocker Recovery Loop After BIOS or Secure Boot Changes

🛠️ BitLocker Recovery Loop – Enterprise Troubleshooting Guide

This guide explains how to troubleshoot repeated BitLocker recovery prompts after BIOS, TPM, Secure Boot or hardware changes in enterprise environments.

💡 Root cause: TPM PCR mismatch (especially PCR7 related to Secure Boot) after firmware or boot configuration changes.

🧠 Root Cause Explained (Important)

BitLocker uses TPM PCR measurements to verify boot integrity. When the firmware, Secure Boot configuration or boot configuration changes, the measurements recorded at boot no longer match the values the volume key was sealed to, so the TPM refuses to release the key and BitLocker falls back to recovery mode. Typical triggers:

  • BIOS/UEFI update changes firmware measurements
  • Secure Boot keys or DB/DBX changes
  • TPM firmware update or reset
  • Boot order / UEFI configuration changes
  • Docking station affecting hardware hash

🌲 Decision Tree

1. Does BitLocker ask for recovery every boot?
→ Yes: TPM integrity issue (PCR mismatch)

2. Did it start after BIOS/firmware update?
→ Yes: Suspend BitLocker → reboot → resume

3. Only happens when docked?
→ Yes: hardware measurement change

4. Persistent even after resume?
→ Recreate TPM protector

🔍 Step 1 – Verify BitLocker State

Check status

Get-BitLockerVolume
manage-bde -protectors -get C:

Verify the TPM, Recovery Password and Key Protector types before making any changes.

📊 Step 2 – Check Event Logs (Critical)

Event Viewer: Applications and Services Logs → Microsoft → Windows → BitLocker-API → Management

Look for Event ID 24620 / 24636 → TPM or PCR validation failures.
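The checks in Step 1 and Step 2, collected by one PowerShell function. This is an added example, not code from the original post: it assumes an elevated session on Windows 10/11 with the BitLocker, TrustedPlatformModule and SecureBoot modules present, and it queries the Event IDs the post cites (24620 / 24636) from the BitLocker-API Management log.

```powershell
# Added example (not from the original post): gather the state Steps 1 and 2 ask
# you to verify and flag the conditions that explain a recovery loop.
# Assumes an elevated PowerShell session on Windows 10/11.

function Get-BitLockerLoopDiagnostics {
    param(
        [string]$MountPoint = "C:",
        [int]$Days = 7            # how far back to search the BitLocker-API log
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm    = Get-Tpm
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = "n/a (legacy BIOS or unsupported firmware)" }

    $protectorTypes = $volume.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # manage-bde prints the PCR profile the TPM protector is sealed to,
    # e.g. "PCR Validation Profile: 0, 2, 4, 7, 11"
    $pcrProfile = (manage-bde -protectors -get $MountPoint |
                   Select-String 'PCR Validation Profile').Line -replace '^\s+', ''

    # Event IDs from Step 2, read from Event Viewer's
    # Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 24620, 24636
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    $findings = @()
    if ($volume.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($volume.ProtectionStatus): volume is suspended or not yet protected"
    }
    if ($protectorTypes -notcontains 'Tpm') {
        $findings += "No TPM protector: the volume is not sealed to boot measurements"
    }
    if ($protectorTypes -notcontains 'RecoveryPassword') {
        $findings += "No RecoveryPassword protector: do not touch the TPM protector until one exists and is backed up"
    }
    if (-not $tpm.TpmReady) {
        $findings += "TPM not ready (Present=$($tpm.TpmPresent) Enabled=$($tpm.TpmEnabled) Activated=$($tpm.TpmActivated))"
    }
    if ($events.Count -gt 0) {
        $findings += "$($events.Count) TPM/PCR validation failure events (24620/24636) in the last $Days days"
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $volume.VolumeStatus
        ProtectionStatus = $volume.ProtectionStatus
        Protectors       = ($protectorTypes -join ', ')
        PcrProfile       = $pcrProfile
        TpmReady         = $tpm.TpmReady
        SecureBoot       = $secureBoot
        RecentFailures   = $events | Select-Object TimeCreated, Id,
                               @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
        Findings         = $findings
    }
}

# Usage: run before changing anything, and again after resume/reseal to compare
Get-BitLockerLoopDiagnostics -MountPoint "C:" | Format-List
```

A volume with a TPM protector, ProtectionStatus On and no recent 24620/24636 events is healthy; a volume that shows recent failures is the "repeated recovery" branch of the decision tree, and an empty Protectors list without RecoveryPassword is the case where Step 5 must not be attempted until a recovery password has been added and backed up.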

⏸️ Step 3 – Suspend BitLocker (Safe state)

Suspend

Suspend-BitLocker -MountPoint "C:" -RebootCount 2
Restart-Computer

Use this before any BIOS, Secure Boot or firmware change.

▶️ Step 4 – Resume BitLocker

Resume

Resume-BitLocker -MountPoint "C:"
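Steps 3 and 4 combined into a firmware-update wrapper, which is also what the enterprise best practice of automating suspend/resume around firmware updates comes down to. This is an added example, not a script from the original post. It assumes an elevated session; `$UpdaterPath` and its arguments are placeholders for the vendor's silent BIOS/UEFI flash tool, and the `-BackupToEntraID` switch assumes an Entra-joined device.

```powershell
# Added example (not from the original post): suspend -> flash firmware -> reboot
# -> confirm resumed. Assumes an elevated session; the updater path and arguments
# are placeholders for the OEM flash tool.

function Invoke-FirmwareUpdateWithBitLockerSuspend {
    param(
        [Parameter(Mandatory)][string]$UpdaterPath,   # placeholder: vendor flash tool
        [string[]]$UpdaterArgs = @(),                 # placeholder: vendor silent-install switches
        [string]$MountPoint = "C:",
        [int]$RebootCount = 2,        # suspension ends automatically after this many reboots
        [switch]$BackupToEntraID      # escrow the recovery password to Entra ID first
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add and back one up before flashing firmware."
    }
    if ($BackupToEntraID) {
        # If the flash still ends in a recovery prompt, the key must already be in Entra ID
        foreach ($p in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    if ($vol.ProtectionStatus -eq 'On') {
        # A bounded RebootCount limits the window in which the volume key is in the clear
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
        Write-Host "BitLocker suspended on $MountPoint for $RebootCount reboot(s)"
    }

    $startArgs = @{ FilePath = $UpdaterPath; Wait = $true; PassThru = $true }
    if ($UpdaterArgs.Count -gt 0) { $startArgs.ArgumentList = $UpdaterArgs }
    $proc = Start-Process @startArgs

    if ($proc.ExitCode -ne 0) {
        # The flash did not run: do not leave the disk unprotected
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        throw "Firmware updater exited with code $($proc.ExitCode); BitLocker resumed."
    }

    # The updater normally applies the image on the next boot; after that boot the
    # TPM seals the key to the new measurements when protection resumes.
    Restart-Computer -Force
}

# Run after the reboot(s) to verify Step 4 happened (auto-resume or explicit resume)
function Confirm-BitLockerResumed {
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    return ($vol.ProtectionStatus -eq 'On')
}

# Example invocation (placeholder path and switch, replace with the OEM tool's own):
# Invoke-FirmwareUpdateWithBitLockerSuspend -UpdaterPath 'C:\Temp\vendor-flash-tool.exe' -UpdaterArgs '/s' -BackupToEntraID
```

The two functions map onto the two steps: the first is the pre-flash half (Step 3) with the recovery-key check the post requires done before suspending, the second is the post-reboot half (Step 4). In an Intune remediation pair, the detection script would call `Confirm-BitLockerResumed` and report non-compliance if it returns `$false`.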

⚠️ Step 5 – TPM Reseal (Advanced)

Only use this if suspend/resume does not resolve the issue. Ensure the recovery key is available before you start.

Reset TPM protector

manage-bde -protectors -disable C:
manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -tpm
manage-bde -protectors -enable C:
Restart-Computer
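The same reseal expressed with the BitLocker cmdlets, with the "ensure the recovery key is available" precondition enforced in code rather than left to the operator. This is an added example, not code from the original post; it assumes an elevated session and an optional `-RequireEntraBackup` switch that only makes sense on an Entra-joined device.

```powershell
# Added example (not from the original post): Step 5 using the BitLocker cmdlets,
# each call annotated with the manage-bde command it replaces.
# Assumes an elevated PowerShell session.

function Reset-BitLockerTpmProtector {
    param(
        [string]$MountPoint = "C:",
        [switch]$RequireEntraBackup   # escrow the recovery password to Entra ID before touching the TPM protector
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $tpmProt  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')

    # Guard: with no recovery password, deleting the TPM protector can leave the volume unrecoverable
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    if ($RequireEntraBackup) {
        foreach ($p in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    if (-not (Get-Tpm).TpmReady) {
        throw "TPM is not ready; a new TPM protector cannot be sealed."
    }

    # manage-bde -protectors -disable C:  (RebootCount 1 covers exactly the reboot that follows)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

    # manage-bde -protectors -delete C: -type TPM
    foreach ($p in $tpmProt) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # manage-bde -protectors -add C: -tpm  (seals the key to the current measurements)
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    # manage-bde -protectors -enable C:
    Resume-BitLocker -MountPoint $MountPoint | Out-Null

    $after = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint = $MountPoint
        Protectors = ($after.KeyProtector.KeyProtectorType -join ', ')
        Protection = $after.ProtectionStatus
        NextStep   = "Restart-Computer, then confirm no recovery prompt appears"
    }
}

# Usage: reseal, then reboot as the post's last line says
Reset-BitLockerTpmProtector -MountPoint "C:" -RequireEntraBackup
```

The function refuses to run without a recovery password protector because the reseal temporarily leaves the volume with no TPM protector at all; if the TPM protector cannot be re-added for any reason, the recovery password is the only remaining way to unlock the disk. Do not dock or undock, or change any other hardware, between this call and the reboot.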

🏢 Intune / Enterprise Notes

  • Use Endpoint Security → Disk Encryption policies
  • Recovery keys stored in Entra ID
  • Monitor recovery events via Intune reporting
  • Use remediation scripts for BIOS update workflows

💡 Best practice: Automate BitLocker suspend/resume during firmware updates via Intune or scripts.

🖥️ Docking & Hardware Considerations

  • USB-C / Thunderbolt docks may change hardware measurements
  • Test boot with and without dock
  • Avoid changing hardware during TPM reseal process

📈 Best Practices

  • Always store recovery key in Entra ID / AD
  • Always suspend BitLocker before BIOS updates
  • Avoid unnecessary Secure Boot changes
  • Standardize firmware update process across devices

✅ Summary

Scenario            Action
------------------  ------------------------------
Firmware update     Suspend → Update → Resume
Repeated recovery   Check TPM + Event logs
Persistent issue    Recreate TPM protector
Dock-related issue  Test hardware consistency
