I've got a dusty old Windows 11 system running in a virtual machine, and when I booted it up the other day I was met not with MS's usual login prompt but instead w/ a BitLocker recovery blue screen.

Then I remembered the cause (when all else fails, check your own site doh!): As we warned in January 2026, Microsoft is expiring a bunch of older Windows Secure Boot certificates in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new certificates can no longer receive Secure Boot security fixes.

Fortunately in this case I was able to recover the Win11 system and update the certificates by pasting the supplied recovery key at aka.ms/myrecoverykey. But I suspect things can get far more complicated for organizations having to deal with this on a large number of machines.

https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

@briankrebs lol thank goodness I'm only running Win7 in a VM. Why? Because the version of Quicken I use (before the subs) wouldn't allow new account creation under Wine, so I run Windows for one command which I use once a year.

Tbf - I do miss win7 which imo was the peak version of Windows.

@briankrebs
Per Microsoft, this is not expected behavior. What will happen is the machine will simply not get some future updates.

I suspect this is the result of a botched update, not expired certs.

@wdormann Interesting. Thanks, Will. Anywhere I can read more about that specific behavior?

@briankrebs
Eh, there's a range of reasons that can cause the prompt for the BitLocker recovery key. There are a lot of moving parts. 🤷‍♂️

@briankrebs @wdormann It seems that updating the secure boot certificates invalidates the PCR measurements on some systems, which then prevents automatic BitLocker unlock.

Anyway, since this is a virtual machine, BitLocker probably doesn't make any sense, so I suggest you to disable it (easiest by running manage-bde -off c: from an elevated command prompt).

@jernej__s @briankrebs @wdormann yes, and updating the certs is supposed to suspend bitlocker for a couple of reboots so that doesn't happen
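
As an added example that is not part of any post in this thread, here is a PowerShell pre-flight check a defender could run before the Secure Boot db update is applied, implementing what the two posts above describe: confirm whether the new CA is already in the firmware db and, if not, suspend BitLocker for a couple of reboots so the changed PCR 7 measurement does not land users on the recovery screen. It assumes the built-in BitLocker and SecureBoot cmdlets, that "Windows UEFI CA 2023" is the subject string to look for in db, and that two reboots is enough to cover the update.

```powershell
# Added example (not from any post in this thread). Run from an elevated
# PowerShell prompt on the machine itself, before the Secure Boot db update.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [int]$RebootCount = 2   # assumption: two reboots covers the db update
)

function Test-SecureBoot2023CA {
    # Secure Boot must be on for Get-SecureBootUEFI to return the db variable.
    try { if (-not (Confirm-SecureBootUEFI)) { return $false } }
    catch { return $false }
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    # The certificate subject appears in clear text inside the DER blob.
    $dbText = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    return ($dbText -match 'Windows UEFI CA 2023')
}

function Get-TpmProtectedVolume([string]$Mp) {
    $vol = Get-BitLockerVolume -MountPoint $Mp -ErrorAction Stop
    $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if ($vol.ProtectionStatus -eq 'On' -and $tpm) { return $vol }
    return $null
}

$vol = Get-TpmProtectedVolume $MountPoint
if (-not $vol) {
    Write-Host "$MountPoint is not TPM-protected by BitLocker; nothing to suspend."
    return
}
if (Test-SecureBoot2023CA) {
    Write-Host 'Windows UEFI CA 2023 already in db; no suspension needed.'
    return
}
# Make sure a recovery password exists (and is escrowed) before touching boot state.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) { throw "No recovery password protector on $MountPoint; add and back one up first." }
Write-Host "Recovery protector ID: $($rp.KeyProtectorId) - confirm it is escrowed in AD/Entra/your vault."

# Suspend protection: the volume key stays accessible for $RebootCount reboots,
# then BitLocker resumes itself and re-seals against the new PCR 7 values.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
Write-Host "BitLocker suspended on $MountPoint for $RebootCount reboot(s); apply the update, then reboot."
```

On a VM where the disk already sits on an encrypted host file system, the `manage-bde -off c:` route suggested above may be the simpler choice.
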
@jernej__s @wdormann Guess I forgot MS installed it by default on Win11 systems. Not anymore!

@wdormann @briankrebs I second this diagnosis as the certificates in question have not to my understanding expired yet. I believe the first one expires on June 24th.

@briankrebs almost as if "SecureBoot" is a horribly badly executed idea and not about security at all, but denying Linux's deserved takeover of the Desktop
#ISpol #Wondows #SefureBoot #CensorBoot #Tech #Linix #Enshittitfication #TPM

@briankrebs ohhhh, I bet this is what stung me

@briankrebs /cc @Rairii - this is probably what we were looking at the other day

@gsuberland @briankrebs yes, but with the caveat that db or dbx updates being taken on a system where you removed the drive containing another BitLocker-encrypted OS partition is GUARANTEED to cause issues here.

@briankrebs Couldn't you use that YellowKey "tool" to recover?

@briankrebs
Windows 5.x is old & dusty.
Win11 isn't.
This is a stupid design mistake.
Also people should not automatically assume they should have Bitlocker.

The information of most people is of no interest to most laptop thieves, vs difficulty of using the SSD / HDD with a different mobo/laptop if computer fails.
Some people really do need bitlocker or similar. But how secure is bitlocker from the State seizure of the laptop?
I have recovered files on a dead PC from an HDD that had bitlocker.

@raymaccarthy By "dusty" I just meant I created it a while back but hadn't really used it much at all.

@briankrebs
I booted Win10 twice this year 😀 on real HW and once on VM.
I've nothing that needs it.
I've an LED badge with USB that needs Win7 and that works on the VM on Linux. I might change the message.
@briankrebs TFW one gets ransomwared by Microsoft...

@briankrebs Oh, right. I don't normally deal with Windows at all, but my dad's computer was saying that a little while back. He had no idea he even has a Microsoft account.

No normal person is going to be able to fix machines doing that. Gonna have to go to a repair shop or probably a sad number of them be replaced.

@briankrebs Microsoft's solution is both anticlimactic and a bit ironic.

@briankrebs
Which problem do you think is the concerning one: not having the keys, or having to type the keys?

The typing key problem was solved during the 2024 Crowdstrike fiasco.

https://www.theregister.com/software/2024/07/25/how-a-barcode-scanner-helped-fix-crowdstrike-mess-in-a-flash/1154172

@briankrebs A virtual disk on an encrypted file system might not need further encryption. Hence, instead of BitLocker, thinking of alternatives might be a good idea…

@briankrebs

I know you've gotten a bunch of responses already, but I'll throw out one more scenario: If I boot my dual-booting (Win11/Linux) system to Win11 via GRUB, then try via the UEFI bootloader, I am prompted for my BitLocker recovery key just as you are here, and vice versa. I think the TPM has the capability to save the most recent successful boot method across restarts.

You didn't happen to do something similar to using two different bootloaders, did you?

@jrredho I think I know what happened. I restored a previous snapshot and this happened after I rebooted.