We're experiencing a frustrating issue where some of our older devices enter BitLocker Recovery Mode after we've updated the UEFI certificates. Most devices on our network updated without any problems, but a few triggered BitLocker Recovery upon reboot a few days to a week after the certificate update. It's worth mentioning that we suspend BitLocker before performing any BIOS updates, and we haven't experienced any problems related to those updates. I'm starting to think that the recovery issues are tied to the certificate update rather than the BIOS updates. Does anyone know if there's a way to control when the certificate update happens to ensure BitLocker remains suspended during that time?
3 Answers
I haven't run into any of these issues myself. Most of my devices are covered by the 3-step Black Lotus mitigation strategy, which seems to be doing the trick.
I was curious how you confirmed that BitLocker prompted after the certificate updates. We rolled out a similar policy to update certificates across thousands of devices, and we've seen more BitLocker prompts lately too. I'm wondering if there's a connection.
It might just be a coincidence, but seeing your case makes me think there's a correlation here.
It's possible that if BitLocker gets enforced through policy, it could unintentionally re-enable itself before a reboot—especially if a user puts their machine to sleep or hibernates. That timing might be key! Try to look into how the policies are being applied during the certificate updates.

I can't say for sure that it's directly linked to the certificate updates, but the issues only pop up after we've done BIOS updates and BitLocker protection resumes.
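The thread leaves open how to tell, on a given machine, whether the new Microsoft UEFI CA has already landed in the Secure Boot signature database and whether BitLocker protection has quietly resumed before that reboot. The following PowerShell script is an added example written for this discussion; it is not code from any of the posters. It checks Secure Boot state, looks for the "Windows UEFI CA 2023" subject string in the UEFI `db` variable, reports the BitLocker protection status and TPM key protector on the OS volume, and suspends BitLocker with `-RebootCount 0` (suspended until explicitly resumed) when the CA is not yet present and protection is on. It assumes the OS volume is the system drive and that the certificate's subject name appearing in the decoded `db` bytes is a sufficient indicator that the DB update has been applied.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# on the device being checked. Assumptions: OS volume = $env:SystemDrive; the
# presence of the CA subject string in the Secure Boot db means the update applied.

$osVolume = $env:SystemDrive   # normally "C:"

# 1. Secure Boot state and whether the newer Microsoft UEFI CA is in the db.
$secureBootOn = $false
try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

$caPresent = $false
if ($secureBootOn) {
    # The db variable holds DER-encoded certificates; the CN is stored as ASCII,
    # so a plain substring match on the decoded bytes is enough for this check.
    $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
    $dbText    = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $caPresent = [bool]($dbText -match 'Windows UEFI CA 2023')
}

# 2. BitLocker status of the OS volume. A TPM-bound protector (PCR 7 measures the
#    Secure Boot policy, including db) is what trips recovery when db changes.
$vol          = Get-BitLockerVolume -MountPoint $osVolume
$tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }

[pscustomobject]@{
    SecureBoot          = $secureBootOn
    UefiCa2023InDb      = $caPresent
    BitLockerProtection = $vol.ProtectionStatus
    TpmProtector        = ($null -ne $tpmProtector)
    AutoUnlockOrOther   = ($vol.KeyProtector.Count - @($tpmProtector).Count)
} | Format-List

# 3. If the db update is still pending and BitLocker has (re)enabled itself,
#    suspend it until an administrator resumes it after confirming the update.
#    RebootCount 0 avoids the default "resume after one reboot" behaviour, which
#    is what bites when sleep/hibernate or an extra restart happens in between.
if ($secureBootOn -and -not $caPresent -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $osVolume -RebootCount 0
    Write-Output "BitLocker suspended on $osVolume pending Secure Boot db update."
}
elseif ($caPresent -and $vol.ProtectionStatus -eq 'Off') {
    # Update already applied: protection can safely be turned back on.
    Resume-BitLocker -MountPoint $osVolume
    Write-Output "UEFI CA 2023 present in db; BitLocker resumed on $osVolume."
}
```

Two design notes. First, the script resumes protection itself once the CA is visible in `db`, so running it on a schedule closes the window that the answers above describe, where policy or a reboot re-enables BitLocker before the firmware change has actually been measured into PCR 7; if you prefer the default one-reboot suspension, drop `-RebootCount 0`, but then every intervening sleep or restart counts against it. Second, keep the output from each run: a device that shows `UefiCa2023InDb = True` alongside a later recovery prompt is evidence that something other than the certificate update changed the boot measurements, which is the distinction the original question is trying to draw.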