Anyone else experiencing Bitlocker recovery key request after updates applied today, possible mainly KB3172729 RRS feed

  • Question

  • Our domain laptops are Windows 8.1 x64 and all have Bitlocker enabled with the recovery keys stored in active directory.

    Overnight we have had a series of updates and we are now finding some machines are asking for the bitlocker recovery key on boot.

    Eventlog shows the following message:

    "Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot configuration changed unexpectedly."

    Followed by:

    "Bootmgr failed to obtain the BitLocker volume master key from the TPM."

    So a change to our secure boot environment has happened it apears. The only update I have found that may be associated with this is KB3172729, this update changed the dpupdate.bin, dbxupdate.bin and tpmtasks.dll files.

    Anyone else experiencing problems?



    Thursday, August 11, 2016 1:43 PM

All replies

  • Hi N Davies,

    Thank you for your feedback. KB3172729 is related to the security update for Secure Boot. We could try uninstall it to check. Also If you disabled or suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without decrypting or disabling BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.

    You could send your feedback to by Poviding Feedback to Microsoft or via Feedback|Microsoft Connect. And thank you for your feedback of our product. I will forward this information to the appropriate department through our internal channel. Both the Microsoft Product Team and Development Team take into consideration all suggestions and feedback for future releases.

    Best regards,

    Carl Fan

    Hope it will be helpful to you

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, August 12, 2016 9:41 AM
  • Hi Carl,

    Thank you for your response. I understand what you are suggesting in your post but I am curious to know why only some machines, approx. 7% were affected by this ... the other laptops took the update without incident!



    Monday, August 15, 2016 6:58 AM
  • I am having the same issue, although only one machine with such a problem was reported to me thus far out of about 15.
    Monday, August 15, 2016 2:28 PM
  • I had same issue.

    My laptop is set Enabled "Require additional authentication at startup" by gpedit.msc. But, actually, BitLocker PIN is NOT set.(I had forgotten setting up! HAHAHA)

    I thought that discrepancy between Group Policy setting and lack of BitLocker PIN had caused this issue, so Windows failed to get the BitLocker key from TPM.
    But I have no way to make sure because I had fixed my laptop in Carl's plan.
    Anyone can confirm it?

    My Laptop: Lenovo ThinkPad T450s Windows8.1 64bit
    TPM: STM 13.12 (by Windows TPM Manager)
    Wednesday, August 17, 2016 3:47 AM
  • I am no longer able to encrypt drives when forcing the use of a TPM, getting errors...
    Wednesday, August 24, 2016 7:00 PM