MEDIUM
The severity is rated as MEDIUM because the issue primarily affects system boot processes rather than introducing a direct vulnerability. However, it can lead to significant operational disruptions if not managed properly. The real-world exploitability in homelab and production environments is low since this requires specific conditions and configurations. Patches exist but are contingent on correct registry updates and BitLocker configuration.

This advisory pertains to issues arising from the Secure Boot certificate update process on Windows devices, particularly those managed through IT updates. The problem manifests as a BitLocker recovery prompt upon system boot after applying the certificate update via Microsoft's registry method. Affected systems may also experience a blank blue screen during startup, which can be bypassed by entering the BitLocker password. This issue is not universal and seems to impact specific configurations or versions of Windows devices. The underlying cause involves misalignment between the Secure Boot policy and the system encryption settings managed by BitLocker. Engineers and sysadmins must carefully manage this update process to avoid disrupting users, ensuring that recovery keys are accessible and that systems are configured correctly.

Affected Systems
  • Windows OS versions affected by the Secure Boot certificate update process
Affected Versions: All Windows versions supporting Secure Boot with IT-managed updates
Remediation
  • Ensure that the Secure Boot policy is correctly updated in the registry without causing misalignment. Refer to Microsoft's documentation for precise steps.
  • Verify BitLocker settings post-update to ensure recovery keys are accessible and system encryption remains intact.
  • Test systems in a homelab environment before rolling out updates widely, to identify and mitigate potential issues.
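A read-only pre-flight and post-update check that ties the three remediation items together, as an added example (not from the advisory or from Microsoft). It assumes an elevated PowerShell session on a UEFI device with the BitLocker module; the `Servicing` subkey is assumed to be where the registry-based update writes, so its values are simply listed rather than interpreted.

```powershell
# Added check (not from the advisory). Assumes elevated PowerShell on a UEFI
# system with the BitLocker module. It reports only; it changes nothing.
$report = [ordered]@{}

# 1. Secure Boot state as the firmware reports it (throws on legacy BIOS).
try   { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI }
catch { $report['SecureBootEnabled'] = "unavailable: $($_.Exception.Message)" }

# 2. The registry location the advisory names. 'State' holds the firmware
#    flag; 'Servicing' is assumed to be the subkey the registry-based update
#    writes to, so whatever values are present are listed for comparison
#    before and after the update.
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$report['RegistryUEFISecureBootEnabled'] =
    (Get-ItemProperty -Path "$sbKey\State" -ErrorAction SilentlyContinue).UEFISecureBootEnabled
$servicing = Get-ItemProperty -Path "$sbKey\Servicing" -ErrorAction SilentlyContinue
if ($servicing) {
    $report['ServicingValues'] = ($servicing.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
}

# 3. BitLocker on the OS volume: protection should be on and a recovery
#    password protector must exist so a recovery prompt after reboot is
#    recoverable. Only protector IDs are shown, never the password itself.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLockerProtection'] = $vol.ProtectionStatus
$report['VolumeStatus']        = $vol.VolumeStatus
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$report['RecoveryProtectorIds'] = ($recovery.KeyProtectorId -join ', ')
$report['TpmProtectorPresent']  = [bool]($vol.KeyProtector |
    Where-Object KeyProtectorType -like 'Tpm*')

[pscustomobject]$report | Format-List

# Fail loudly when the update would leave a device without a way back in.
if ($vol.ProtectionStatus -eq 'On' -and -not $recovery) {
    Write-Warning 'BitLocker is on but no recovery password protector exists; escrow one before touching Secure Boot.'
}
```

Run it once before applying the certificate update and once after, and diff the two reports; a recovery prompt with no escrowed recovery protector is the case the advisory warns about.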
Stack Impact

This issue can impact common homelab stacks that include Windows devices with Secure Boot enabled. Specifically, it affects the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot` registry keys during an update.
