We are starting to see BitLocker recovery prompts due to expiring UEFI certificates. What is MSFT's approach to addressing this before the June expiration date?
- vpena
It appears that during our Secure Boot AMA held on 12 March 2026, at the 33:02 mark, there was a similar question that was answered: Ask Microsoft Anything: Secure Boot - March 12, 2026 - Windows Tech Community. Question: "Looks like there have been reports online of users receiving driver updates that are requiring BitLocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy, do they still get prompted from driver updates? Is there a way to know what driver updates in Intune actually have the drivers that potentially can cause BitLocker keys to be entered? Naming conventions in Intune for drivers are a bit difficult to decipher." – answered at 33:02.
- Arden_White (Microsoft), Mar 19, 2026
BitLocker measures things like the device firmware, the boot loader, firmware drivers (Option ROMs) that come as part of the device, Secure Boot settings, etc. These measurements are used to determine if the system has been tampered with.
Windows drivers are not measured by BitLocker and driver updates should not be causing BitLocker recoveries.
The two things that I'm aware of that could cause BitLocker recoveries related to Secure Boot are:
- If the device is configured to boot first from an alternate source such as PXE boot and then the device fails over to booting from the boot manager on the disk, this can cause BitLocker recoveries if the PXE server is presenting a 2011-signed boot manager and the on-disk boot manager is signed by the 2023 certificate. The fix for this is to configure the firmware to boot from the disk first.
- Some firmware incorrectly reports the device settings when Secure Boot updates have happened, and BitLocker is resealing to the new certificates or boot manager.
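As an added example (not code from this thread or from Microsoft), the following PowerShell script checks a single device for the conditions the reply describes: which Secure Boot CAs are present in the firmware `db`, which CA signed the on-disk boot manager, the firmware boot order, and the BitLocker key protectors on the OS volume. The cmdlets and tools it calls (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `Get-AuthenticodeSignature`, `Get-BitLockerVolume`, `mountvol`, `bcdedit`) exist in Windows; the certificate-name substrings, the assumption that the boot manager's signer issuer string contains the CA name, and `S:` as a temporary mount letter are my own assumptions. Run it from an elevated session on a UEFI system.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell session on a
# UEFI Windows device; certificate name substrings and drive letter S: are assumptions.

function Get-SecureBootCaState {
    # The Secure Boot 'db' variable lists the allowed signing certificates. The CA names are
    # matched as ASCII substrings of the raw variable bytes (assumed naming of the two CAs).
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        DbHasPCA2011      = $dbText -match 'Microsoft Windows Production PCA 2011'
        DbHasUEFICA2023   = $dbText -match 'Windows UEFI CA 2023'
    }
}

function Get-OnDiskBootManagerSigner {
    # Temporarily mounts the EFI System Partition (mountvol /S) and reads the Authenticode
    # signature of the on-disk boot manager, the file the firmware loads after a PXE failover.
    param([string]$DriveLetter = 'S:')   # assumed free drive letter
    mountvol $DriveLetter /S | Out-Null
    try {
        $sig    = Get-AuthenticodeSignature -FilePath "$DriveLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        $issuer = $sig.SignerCertificate.Issuer
        [pscustomobject]@{
            SignatureStatus = $sig.Status
            Issuer          = $issuer
            SignedBy2023CA  = $issuer -match 'Windows UEFI CA 2023'   # assumed issuer naming
            SignedBy2011CA  = $issuer -match 'Production PCA 2011'
        }
    }
    finally {
        mountvol $DriveLetter /D | Out-Null   # release the temporary mount
    }
}

function Get-FirmwareBootOrder {
    # Lists the firmware boot manager ({fwbootmgr}) and its displayorder. A network/PXE entry
    # ahead of the Windows Boot Manager is the "boot from an alternate source first" setup
    # the reply warns about; the fix it gives is to put the disk first.
    bcdedit /enum firmware
}

function Get-OsVolumeBitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

# --- report ---
$ca = Get-SecureBootCaState
$bm = Get-OnDiskBootManagerSigner
$bl = Get-OsVolumeBitLockerState

$ca | Format-List
$bm | Format-List
$bl | Format-List
Get-FirmwareBootOrder

if ($bm.SignedBy2023CA -and -not $ca.DbHasUEFICA2023) {
    Write-Warning 'On-disk boot manager is 2023-signed but db does not contain the Windows UEFI CA 2023 certificate.'
}
if ($bm.SignedBy2023CA) {
    Write-Warning 'On-disk boot manager is 2023-signed. If the firmware tries a PXE server first and that server still serves a 2011-signed boot manager, the failover to disk can trigger BitLocker recovery; confirm the disk is first in the firmware boot order printed above.'
}
```

If `S:` is already in use, pass another free letter via `-DriveLetter`. The script only reads state; it does not change the boot order or BitLocker configuration, so it can be run on a fleet to find devices that match the PXE-first pattern before the certificate expiry rather than after a recovery prompt.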