Windows 10 Anniversary Update, BitLocker, and Hyper-V

This morning, I arrived at the office to find my Windows 10 Anniversary Update desktop crashed after the reboot for yesterday’s Windows Updates. No matter what I did, I couldn’t get it to boot. I took to the interwebs, and quickly found this link:

Users can’t decrypt HDD after update

The highlights from that article are:

When does a user hit the BitLocker recovery issue?

  • User has upgraded from Th1 to Th2 and is now upgrading to RS1
  • User either has Hyper-V ON or wants to turn it on in RS1 after OS upgrade
  • First reboot after Hyper-V is enabled in RS1 will hit BitLocker recovery – this can be soon after OS upgrade if Hyper-V was already enabled downlevel
  • Due to a separate BitLocker issue, even after entering the BitLocker key we fail to recover. Still under investigation.
  • Workaround – here are the 4 workarounds that customers can choose from to avoid getting into this situation:
    • Keep Hyper-V disabled during OS upgrade and keep it disabled till servicing update on 8/23 comes through
    • Reset the Device Guard RegKeys (delete the DG regkey node) and then enable Hyper-V in RS1
    • Reset the Device Guard RegKeys (delete the DG regkey node) and then upgrade to RS1 while keeping Hyper-V however customers want (ON or OFF is both fine)
    • Disable BitLocker till 8/23

After speaking to a colleague of mine (who I’m guessing would prefer to remain nameless), I found that it is in fact possible to recover from this catastrophe (assuming you have your 48-digit BitLocker recovery key), by going through the Windows 10 Recovery options, using your 48-digit BitLocker recovery key, and then booting to a command prompt.

Once you’ve found the drive you want to decrypt (most likely C:), you’ll use the following BitLocker decryption command:

manage-bde -off C:

You can use the following command to get a view of where things are, both before and after you’ve started decrypting:

manage-bde -status

Update – someone posted via the forum discussion that you can also just disable BitLocker rather than decrypt the drive, using this command:

manage-bde -protectors -disable c:

Assuming you have a lot of data, and will re-enable in another week, you may prefer to go that route. I’ve not tested this one, but it seems like it should work.

After you see that the drive is decrypted to 100%, you should hopefully be able to reboot back into Windows. At least this worked for me and my unnamed colleague.

After you’re in Windows, I assume you want to keep the drive decrypted until said Windows Servicing update above. Alternatively, I believe you can just disable Hyper-V.
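To tell which of the two routes above a volume ended up on, the following added example (not from the original post or from Microsoft) parses saved manage-bde -status output and labels each volume as decrypting, decrypted, suspended or protected. The sample output is constructed, the function names are hypothetical, and the field labels assume English-locale output.

```python
import re

# Constructed sample of `manage-bde -status` output (not from a real machine).
SAMPLE_STATUS = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.00 GB
    Conversion Status:    Decryption in Progress
    Percentage Encrypted: 41.5%
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]

    Size:                 465.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""

def parse_status(text):
    """Return {drive letter: {field: value}} from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Volume ([A-Z]):", line)
        if header:
            current = volumes.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return volumes

def classify(fields):
    """Map one volume's fields to the state the workaround left it in."""
    pct = float(fields.get("Percentage Encrypted", "0").rstrip("%"))
    if fields.get("Protection Status") == "Protection On":
        return "protected"
    if pct == 0.0:
        return "decrypted"     # manage-bde -off has finished
    if "Decryption" in fields.get("Conversion Status", ""):
        return "decrypting"    # manage-bde -off is still running
    return "suspended"         # still encrypted, protectors disabled

def audit(text):
    """Return {drive letter: state} for every volume in the status text."""
    return {drive: classify(f) for drive, f in parse_status(text).items()}
```

A volume reported as suspended or decrypted can be read without the recovery key, so this check is useful for confirming that protection has been turned back on after the servicing update.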

Good luck. Give me a shout if you ran into this, and/or if this helped you.