You need to enter your recovery key because Secure Boot policy has unexpectedly changed.

  • Question

  • We have had 2 cases this week involving 2 Dell Vostro laptops with Windows 10 installed, BitLocker enabled, and the recovery key printed and matched to the machine ID. After getting the message that the key was needed because Secure Boot policy has unexpectedly changed, the CORRECT recovery did not work.

    We took the hard drives out and tried unlocking with the key again from another machine but it made no difference. We tried several combinations of changes to the BIOS settings and secure boot options, but still no way to unlock the drive as normal.

    I am posting here to see if anyone can shed any light on the situation, or whether this has happened elsewhere. I'm not looking for a solution in our case, as we have had to reinstall Windows on these 2 machines. But if we can get a root cause from it, that would be great.

    Thursday, October 18, 2018 12:06 PM

All replies

  • Working with BitLocker since "day 1" (late 2006, Vista) - never happened here.

    Are you sure you entered a 48-digit number?

    Thursday, October 18, 2018 12:21 PM
  • >>You need to enter your recovery key because Secure Boot policy has unexpectedly changed

    This is by design and more secure for everyone's Windows. Once BitLocker detects changes to your boot environment, it will ask for the recovery information to double confirm your Windows security.

    Here is the official Microsoft documentation, which says:

    Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.

    What confuses me is that you said “the CORRECT recovery did not work”.

    Recovery is the final method to unlock BitLocker. It is 48 bit digits only; please check carefully.

    Regards


    Friday, October 19, 2018 1:59 AM
    Moderator
  • I too have had two Dell Vostro laptops with Windows 10 do this in the last week. Users reported that automatic BIOS upgrades happened, and now each laptop says "secure boot policy unexpectedly changed" and asks for the BitLocker recovery key. However, in our case we didn't even know BitLocker had been enabled on these laptops (and it shouldn't have been), so we don't even have the key.

    I too have tried all sorts of different BIOS changes to work around it, but to no avail. I was also hoping to downgrade the BIOS to a previous version to see if that would help, but I just keep running into "bios update blocked due to unsupported downgrade" (and yes, I have allowed a downgrade by ticking the box in the BIOS).

    Interestingly, the current version of the BIOS installed on the laptops is saying it's 2.6.0, whereas if I go on the Dell support site the most recent BIOS version available for download is only 2.3.0.

    Both of my users are saying they have important docs on these machines that need recovering. Not looking good.

    Saturday, October 20, 2018 10:05 AM
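
The two situations reported in this thread (BitLocker active on a machine nobody knew was encrypted, and a recovery prompt following a BIOS update) can be checked for ahead of time. The script below is an added example, not code from any poster or from Microsoft; the function names `Get-BitLockerExposure` and `Suspend-BitLockerForFirmwareUpdate` are hypothetical, and it assumes an elevated session on a machine with the built-in BitLocker and SecureBoot PowerShell modules.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory BitLocker state and suspend it before a planned firmware update.

function Get-BitLockerExposure {
    # One row per volume that is encrypted or protected, with its key protectors.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -or $_.ProtectionStatus -eq 'On'
    } | ForEach-Object {
        $recovery = @($_.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint         = $_.MountPoint
            VolumeStatus       = $_.VolumeStatus
            ProtectionStatus   = $_.ProtectionStatus
            ProtectorTypes     = ($_.KeyProtector.KeyProtectorType -join ',')
            RecoveryProtectors = $recovery.Count
            # Match these IDs against the key ID on the printed or escrowed record.
            RecoveryIds        = ($recovery.KeyProtectorId -join ',')
        }
    }
}

function Suspend-BitLockerForFirmwareUpdate {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateRange(1, 15)][int]$RebootCount = 1
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        return "Protection is not on for $MountPoint; nothing to suspend."
    }
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # Refuse to continue without a fallback if the TPM protector stops unsealing.
        throw "No recovery password protector on $MountPoint; add and record one first."
    }
    # Protection resumes automatically after the given number of reboots.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
}

# Secure Boot state; Confirm-SecureBootUEFI throws on non-UEFI firmware.
try { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable: $($_.Exception.Message)" }

Get-BitLockerExposure | Format-Table -AutoSize
# Call before a planned BIOS/UEFI update:
# Suspend-BitLockerForFirmwareUpdate -RebootCount 1
```

A row with `RecoveryProtectors` of 0, or with IDs that match no recorded key, identifies a machine whose data would be unrecoverable after a recovery prompt.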