BitLocker Recovery mode

On Patch Tuesday, August 9, 2022, Microsoft released a Windows update that can cause BitLocker to activate recovery mode and prompt the end user for a recovery key.

With update KB5012170, Microsoft fixed some security vulnerabilities in Secure Boot by updating the Secure Boot DBX, and that change can cause BitLocker to activate recovery mode.

The prompt is presented only once, after the update has been installed and the computer has been rebooted.


Due to the above, CapaSystems recommends that all our customers take the following actions:

  1. Ensure that all active BitLocker recovery keys are saved in Active Directory and/or CapaInstaller

  2. Consider postponing the installation of KB5012170
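
One way to carry out step 1 against Active Directory using the BitLocker cmdlets built into Windows, shown here as an added example that is not the CapaSystems package. It assumes an elevated session on a domain-joined computer and a Group Policy that permits storing BitLocker recovery information in AD DS; it reports protector IDs only and never prints the recovery passwords.

```powershell
#Requires -RunAsAdministrator
# Added example: back up every BitLocker recovery password on this computer to
# AD DS and report whether KB5012170 is already installed.
# Assumption: domain-joined machine, GPO allows recovery info to be stored in AD DS.

$kb        = 'KB5012170'
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

$results = foreach ($volume in Get-BitLockerVolume) {
    # Only numerical recovery passwords can be backed up this way.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        [pscustomobject]@{
            MountPoint       = $volume.MountPoint
            ProtectionStatus = $volume.ProtectionStatus
            KeyProtectorId   = $null
            BackedUpToAD     = $false
            Detail           = 'No recovery password protector on this volume'
        }
        continue
    }

    foreach ($protector in $recovery) {
        $ok = $true
        $detail = 'Backed up'
        try {
            Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $ok = $false
            $detail = $_.Exception.Message   # e.g. policy does not allow AD backup
        }
        [pscustomobject]@{
            MountPoint       = $volume.MountPoint
            ProtectionStatus = $volume.ProtectionStatus
            KeyProtectorId   = $protector.KeyProtectorId
            BackedUpToAD     = $ok
            Detail           = $detail
        }
    }
}

$results | Format-Table -AutoSize
'{0} installed: {1}' -f $kb, $installed

# Non-zero exit if a protected volume has no recovery key backed up.
if ($results | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.BackedUpToAD }) { exit 1 }
```

A non-zero exit code marks a machine where the update should stay postponed until the backup succeeds.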


We have developed a computer package to collect and save all active BitLocker recovery keys.

If you already have a subscription for CapaBitLocker and are using Cloud Updater:

• The package will automatically download to your CapaInstaller environment.

If you do not have a subscription for CapaBitLocker or you are not using Cloud Updater:

• Download the package here


Technical Notes

To validate that the BitLocker recovery keys have been correctly saved in Active Directory and/or CapaInstaller, the settings in the package script must be updated to match your environment.

Our guide describes how to do it.


Microsoft has confirmed that the update can cause issues with BitLocker and is working on a solution. You can read more about it here


Read more about BitLocker recovery

Read more about issues with the update