Windows 11 update issue on Lenovo P3 Tiny workstation: BitLocker triggered

Abraham Ramirez 10 Reputation points
2026-02-12T17:00:54.5033333+00:00

After installing recent Windows 11 updates on a Lenovo ThinkStation P3 Tiny workstation, BitLocker was unexpectedly triggered on reboot. The system prompted for the BitLocker recovery key even though no intentional hardware, firmware, or security configuration changes were made prior to the update.

This issue appears to be directly related to the Windows Update process, as the device was operating normally before the update was applied. Secure Boot and TPM are enabled and functioning, and the system had not previously prompted for a recovery key.

The unexpected BitLocker activation caused downtime and required manual recovery key entry to regain access. Assistance is requested to determine the root cause of the update triggering BitLocker and to prevent this behavior from occurring on this or other similar devices in the environment.


2 answers

  1. Domic Vo 17,825 Reputation points Independent Advisor
    2026-02-12T17:34:34.7+00:00

    Hello Abraham Ramirez,

    What you are experiencing is a known behavior where certain Windows 11 cumulative updates, particularly the 24H2 and 25H2 servicing builds, can trigger BitLocker recovery unexpectedly on reboot. Microsoft has acknowledged that updates involving changes to the boot manager, Secure Boot policies, or TPM firmware validation may cause BitLocker to interpret the system state as altered, even though no intentional hardware or firmware changes were made.

    On Lenovo ThinkStation devices, this is compounded by how the BIOS and firmware interact with Secure Boot and TPM measurements. When the update modifies bootloader components or updates system files in the EFI partition, BitLocker’s platform validation profile can fail, leading to a recovery key prompt. This is not a misconfiguration on your part but rather a side effect of the update process.

    To mitigate this, ensure that the recovery key is always escrowed either in Azure AD, Active Directory, or the user’s Microsoft account. For prevention, Microsoft recommends temporarily suspending BitLocker before applying cumulative updates on affected devices. This can be done with:

    ```powershell
    Suspend-BitLocker -MountPoint "C:" -RebootCount 1
    ```

    This command suspends protection for one reboot cycle, allowing the update to complete without triggering recovery. After the system restarts and the update is finalized, BitLocker protection automatically resumes. Lenovo also advises checking BIOS settings to confirm Secure Boot remains enabled and TPM is not reset during updates.

    At this point, there is no permanent fix beyond suspending BitLocker before updates, as Microsoft is still investigating the root cause and has documented it as a known issue. If this is happening across multiple devices in your environment, I recommend incorporating BitLocker suspension into your update deployment process until Microsoft releases a servicing update that resolves the behavior.

    I hope you've found something useful here. If it helps you get more insight into the issue, I would appreciate it if you accepted the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.

    2 people found this answer helpful.
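
Added example, not part of Domic Vo's answer and not a Microsoft or Lenovo script: one way to fold the suspension described in the answer above into an update deployment step. It suspends only when the volume is currently protected and a recovery password protector exists; the `$MountPoint` default and the log path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-update step for a deployment task (not from the original answer).
param(
    [string]$MountPoint = 'C:',
    [string]$LogPath    = "$env:ProgramData\BitLockerPreUpdate.log"   # hypothetical path
)

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogPath -Append
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Nothing to suspend if protection is already off (unencrypted or already suspended).
if ($volume.ProtectionStatus -ne 'On') {
    Write-Log "$MountPoint protection is '$($volume.ProtectionStatus)'; no action taken."
    exit 0
}

# Refuse to continue without a recovery password protector: if the update still
# lands the machine in recovery, that key is the only way back in.
# Only the protector ID is logged, never the recovery password itself.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Log "$MountPoint has no RecoveryPassword protector; not suspending."
    exit 1
}
Write-Log "Recovery protector ID(s): $($recovery.KeyProtectorId -join ', ')"

# Suspend for exactly one reboot. The volume is unprotected until that reboot
# completes, so run this immediately before the update restart.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 -ErrorAction Stop | Out-Null

# A suspended volume reports ProtectionStatus 'Off'; anything else is a failure.
$after = Get-BitLockerVolume -MountPoint $MountPoint
Write-Log "$MountPoint protection after suspend: $($after.ProtectionStatus)"
if ($after.ProtectionStatus -ne 'Off') { exit 1 }
```

The presence of a recovery protector does not prove the key was escrowed; confirm that separately in the directory or account where your environment stores recovery keys.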

  2. Q&A Assist
    2026-02-12T17:01:10.59+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue you are experiencing with BitLocker being unexpectedly triggered after a Windows 11 update on your Lenovo ThinkStation P3 Tiny workstation may be related to changes in the system's Secure Boot configuration or TPM settings that can occur during the update process. This behavior can happen even if no intentional changes were made prior to the update.

    To address this issue, you can take the following steps:

    1. Check Event Viewer: Look for BitLocker events in the Event Viewer under Application and Services Logs > Microsoft > Windows > BitLocker-API > Management. This can provide insights into why BitLocker was triggered.
    2. Firmware Update: Ensure that your firmware is up to date, as firmware updates can sometimes resolve compatibility issues that affect BitLocker.
    3. PCR Values: If your system uses PCR [7] for Secure Boot validation, verify that the PCR values are consistent across reboots. You can use the manage-bde -protectors -get %systemdrive% command to check if PCR [7] is being utilized correctly.
    4. Review Group Policies: If your device is managed by Group Policies, ensure that there are no policies that might enforce Secure Boot or BitLocker settings that could lead to unexpected recovery prompts.
    5. Recovery Key Backup: Always ensure that your BitLocker recovery key is backed up in a secure location, such as your Microsoft account, to facilitate recovery in case of future issues.

    If the problem persists, consider reaching out to Microsoft support for further assistance specific to Windows 11 updates and BitLocker behavior.
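
Added example, not part of either answer: a read-only triage script for the checks listed in the Q&A Assist answer (BitLocker events, Secure Boot and TPM state, PCR profile). It assumes English `manage-bde` output and that the Event Viewer path named in the answer corresponds to the channel `Microsoft-Windows-BitLocker/BitLocker Management`; `$Days` is an illustrative look-back window.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage after an unexpected recovery prompt.
param(
    [string]$MountPoint = $env:SystemDrive,
    [int]$Days = 7                      # look-back window, chosen for illustration
)

# 1. Platform state the TPM protector depends on.
$tpm = Get-Tpm
try   { $secureBoot = Confirm-SecureBootUEFI }   # throws on legacy BIOS systems
catch { $secureBoot = $null }

# 2. PCR validation profile. The full manage-bde listing also prints the
#    recovery password, so only the PCR lines are kept (assumes English output).
$hits = manage-bde -protectors -get $MountPoint |
    Select-String -Pattern 'PCR Validation Profile' -Context 0,2
$pcrs = foreach ($hit in $hits) {
    foreach ($line in @($hit.Line) + $hit.Context.PostContext) {
        $candidate = ($line -replace '^.*Profile:', '').Trim()
        if ($candidate -match '^\d+(\s*,\s*\d+)*$') { $candidate -split '\s*,\s*' }
    }
}

# 3. Recent BitLocker management events (channel name is an assumption, see above).
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Summary first, then the events newest-first for reading alongside the update time.
[pscustomobject]@{
    MountPoint   = $MountPoint
    SecureBootOn = $secureBoot
    TpmPresent   = $tpm.TpmPresent
    TpmReady     = $tpm.TpmReady
    PcrProfile   = $pcrs -join ', '
    UsesPcr7     = $pcrs -contains '7'
    RecentEvents = @($events).Count
}
$events | Sort-Object TimeCreated -Descending | Format-List
```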


