Lenovo Yoga 920-13IKB
BIOS 5NCN41WW
currently with Win11, likely upgraded from Win10 in the past
From approximately 2017-2018
TPM 2.0, Intel PTT
BitLocker Recovery: “You need to enter your recovery key because Secure Boot policy has unexpectedly changed.”
I was helping someone with their laptop. It was working fine with no problems. I went to Windows Update, and it had an optional update of UEFI/BIOS firmware. I did that, and it said to restart. After the restart, BitLocker went into recovery mode.
The PC owner never printed their BitLocker recovery key; they do not have it. They have 2 Windows users. I only went into 1 of the users, and it was a local user, not a Microsoft account user, so it appears that BitLocker recovery cannot be accessed from a MS account. I never saw the other user, so it is possible that it is a MS account with a synced BitLocker recovery key, so I asked the PC owner to log into their MS account from another device, but I followed directions from MS, and the MS account explicitly said there was no BitLocker synced device in their settings.
The PC owner likely never set up BitLocker themselves; it likely came already activated with Lenovo’s OEM version of Windows. While Lenovo did not invent Microsoft’s BitLocker, they provide you with an OEM version of Windows that has it already activated. I have seen many new PCs out of the box with Device Encryption/BitLocker pre-activated. I have viewed the temporary Boot Menu in the UEFI, and there is no Lenovo OneKey Recovery option. I have seen many computers with BitLocker device encryption already activated the first time you boot into Windows. If this is so, where does Lenovo originally provide the recovery key? They must provide it to the purchaser somewhere!
It seems to me that in theory, if I perform a UEFI/BIOS version rollback, it will fit the BitLocker checksum, or TPM key checksum or whatever it is called. Is that true? Will that work?
I would also expect there is a button to push somewhere to revert the UEFI back a version. If this obvious feature is not provided by Lenovo, then my next question is: if I manually perform a UEFI rollback, does that step destroy the TPM key? If it destroys the TPM key, then it will not fix the BitLocker issue. If I need to download the previous UEFI version from their website, then does anyone know why Lenovo only provides 1 UEFI version on their website, listed below? Shouldn’t they provide the older version as well?
I have seen multiple situations on other computers where, if I make a change to the EFI partition for example, BitLocker recovery mode happens, and then if I revert the change, BitLocker recovery mode goes away. That is what I am suggesting with the UEFI rollback. I am well aware of the difference between the UEFI motherboard settings and the EFI partition on the disk, so there is no low-hanging fruit to grab there.
Lastly, of course no one will be shocked that the PC owner has no backups of her files, and no cloud sync of her files. The goal is data recovery, not reinstallation of Windows.
I read an article that is very similar to this issue:
KB5012170 error
Microsoft Secure Boot fix sends PCs into BitLocker Recovery
Have your BitLocker key handy when updating, but maybe not on a Post-it stuck to the screen, OK?
www.theregister.com
https://pcsupport.lenovo.com/us/en/...keyWordSearch=Yoga 920-13IKB Laptop (ideapad)