Unsolved
1 Rookie
•
14 Posts
5
56151
August 20th, 2021 06:00
XPS 13 9360, Asks for BitLocker after Update
Summary:
Hello, I’m running into BitLocker issues and need help coming up with a different solution to try before I consider completely resetting the PC and losing all my files.
Background:
I turned on my personal laptop (Dell XPS 13 9360) and get the BitLocker blue screen. I’m assuming it’s due to the recent Dell update since I didn’t do anything dramatic the day before.
The current error message says “BitLocker needs your recovery key to unlock your drive because Secure Boot policy has unexpectedly changed”.
On the next screen, I do have a “Recovery Key ID (to identify your key)” and FWIW the drive label states “DESKTOP-#######”.
I have also pored through forums and tried most everything.
What I’ve Tried:
No, I don’t have a 48-digit BitLocker recovery key.
I’ve never set one up, never saved it somewhere or on a USB drive, nor printed it out.
No, I didn’t find the recovery key after attempting to follow Microsoft’s published instructions - logged onto my Microsoft and Azure accounts but I receive “you don't have any BitLocker recovery keys uploaded to your Microsoft account.” FWIW, my device is listed there.
BIOS Screen:
I initially attempted to Restore Settings and tried all four options: BIOS Defaults, Factory Settings, Last Known Good Settings, and Custom User Settings. None worked.
I’ve also attempted the following steps (with no luck) -
- General > Boot Sequence > UEFI > Apply
- Security > TPM 2.0 Security > Enable > Apply
- Secure Boot > Secure Boot Enable > Enable > Apply
I’ve tried disabling above, restarting, then enabling, restarting and it does not help.
Command Prompt:
Below are the details if I go into the command prompt and type manage-bde -status c:
Size: Unknown GB
BitLocker Version: 2.0
Conversion Status: Unknown
% Encrypted: Unknown %
Encryption Method: XTS-AES 128
Protection Status: Unknown
Lock Status: Locked
ID Field: Unknown
Automatic Unlock: Disabled
Key Protectors:
TPM
Numerical Password
manage-bde -protectors -disable c:
I realize it shouldn’t work, but wanted to try and it says cannot be performed because volume is locked
Dell-specific Options:
I’ve tried the following screens / steps -
Reset this PC > Keep my files > Cloud download
Error message = “Unable to download. Use local reinstall”
Reset this PC > Keep my files > Local reinstall
Error = Brings me back to previous page
Advanced Options > Startup Repair
Error = “Startup Repair couldn’t repair your PC”
Advanced Options > Uninstall Updates > Uninstall Latest Quality Update
Error = Brings me back to previous page
Advanced Options > Uninstall Updates > Uninstall Latest Feature Update
Error = “Ran into a problem and won’t be able to uninstall latest feature update of Windows”
Advanced Options > Startup Settings
Error = “Must enter recovery key to access”
Advanced Options > System Restore
Error = no restore points created on computer
Advanced Options > System Image Recovery
Error = no system image found on computer
Factory Image Restore > SupportAssist OS Recovery
Repair > Requires BitLocker recovery key
Recover > Requires BitLocker recovery key
Scan Hardware > Battery an issue was detected
Message states, “We detected an issue with your battery. Try removing anything that might obstruct or clog vents. If that doesn’t work, update your computer BIOS, restart your computer and run the hardware scan again.”
I’ve cleaned my battery charger. Battery is @ 100% and also unplugged, replugged from overnight. I run the BIOS updates and scans again. Same message.
Any advice on next steps? Buy a new battery charging cord? Or actually crack open the laptop back cover to remove the battery, clean it, and put it back in?
Thanks ahead of time!


x60643
1 Rookie
•
14 Posts
1
August 21st, 2021 04:00
Thanks @kiehls2424 for sharing that 2.12 worked for you. Great news!
I downloaded it onto a USB thumb drive off a separate laptop and then installed it on my XPS. I get a successful BIOS flash update because it says 2.12 in the bottom of the screen like @jphughan had mentioned.
Unfortunately I still see the blue screen / BitLocker issue.
@James xps13, glad to hear this also worked for you - but can you help explain what the HirensBootCD is or why you need it? I’m not a savvy computer guy at all and am just following prompts on screens. My next step is to download this and try your method?
Otherwise, I’m going to try downloading different BIOS versions and installing the “downgrades” until I hit jackpot. Not going past 2.5.1.
RGNicholas
12 Posts
2
August 21st, 2021 04:00
@James xps13 , did you try using the F12 "one time boot" method first? I tried that in an attempt to roll back the BIOS (not sure if I went as far back as you) and got errors in the attempt. It would "look like" it rolled back but reported errors while it was flashing and then nothing changed in the BitLocker behavior.
At this point though, I'm ready to try what you did
RGNicholas
12 Posts
3
August 21st, 2021 05:00
Hello all, this is an update to try to help. I cannot guarantee it will work for you and I cannot EXACTLY replicate the steps because I tried SO many things... but I just flashed the 2.12 BIOS through the F12 route (gives you boot choices, including BIOS flash) and it gave errors - see pics below - but it booted to the Windows login screen! We tried to log in too many times, so I have to wait 2 hours to attempt the PIN again. Hopefully this will help some of you. Also, this may be helpful for someone.
x60643
1 Rookie
•
14 Posts
1
August 21st, 2021 05:00
2.12 didn’t work for me even though it successfully installed. Trying different previous versions (not going past 2.5.1) then going @James xps13’s route.
Thanks everyone for the contributions to this thread so far.
theacura
1 Rookie
•
16 Posts
2
August 21st, 2021 07:00
I downgraded the BIOS to 2.12 using the F12 flash update and also HirensBootCD as @James xps13 had done. No luck either way and also had the same errors @RGNicholas did on his screenshots above. Still goes to the BitLocker screen, unfortunately.
I’ve already tried downgrading to all BIOS versions available down to 2.5.1 (all versions older than 2.5.1 were blocked since they were no longer supported) with no luck. Hoping someone else has a suggestion that will work but feel like I’m running into a dead end.
jphughan
11 Legend
•
14K Posts
•
79.9K Points
2
August 21st, 2021 08:00
@James xps13 Glad you're out of the woods! For future reference though, you need a working PC to create Windows 10 installation media, so you'd have needed access to some other system. And there's no point backing up your Recovery Key if you then immediately disable BitLocker. If you ever do enable it again, you'll have a new Recovery Key, so the one you backed up before disabling it is now useless.
jphughan
11 Legend
•
14K Posts
•
79.9K Points
1
August 21st, 2021 08:00
@James xps13 In terms of the finding from BitLocker2John, a default Windows partition BitLocker setup will include a TPM protector and a Recovery/Numerical Password protector, which the blue screen refers to as a Recovery Key (which is confusing because manage-bde uses "RecoveryKey" to refer to a completely different type of protector, namely a BEK unlock file). It is technically possible to set up multiple Recovery Password protectors on the same volume, but that would not have been done by default. But you should NOT have had any regular password protectors, because Windows prevents you from using regular password protectors on the Windows partition. You have to go into Group Policy and specifically enable that option. The reason it's disabled by default is that the password protector doesn't use the TPM, which means it can't benefit from the "platform integrity check" to help reduce the risk of unlock encryption being unwittingly compromised after someone tampered with your system.
But all that said, it is absolutely possible that it was enabled without user intervention. I've mentioned here and elsewhere that Dell and other manufacturers ship their systems with BitLocker "pre-staged", meaning all sectors are encrypted but BitLocker is held in a suspended state so that it behaves as a regular partition. If you link your Microsoft account to your Windows account, then BitLocker is fully enabled, which happens instantaneously since it was already pre-staged, and then at least in theory, your Recovery Key is backed up to the cloud. Unfortunately, the user isn't expressly told about any of this. Hopefully Microsoft wises up to this and makes it much clearer what's going on soon.
RGNicholas
12 Posts
1
August 21st, 2021 08:00
@jphughan, what actually happened is that I am assisting a friend who was at her wits' end with the situation (thus the use of we here and there), so I think she was unsure and overused her original PIN or some such. AnYwAy, after the two hour wait, it let me in. I am still a bit perplexed though that once in Windows, I was able to PDF print the BitLocker key and it does show one. However, when I tried to display it via command prompt, it did not... oh, and I did indicate the "C:" drive in the command. I just didn't mention that before.
Again, thanks for helping so much in these forums! I know it is hard to troubleshoot without all the information, unknown variables, etc.
Currently, I am backing up all her data and then I'll reboot to see if it boots clean this time. I fear that at some point she or an automated process will update the BIOS again, but this time I will have the key to help her move forward. This has been one of the oddest PC issues I have dealt with.
jphughan
11 Legend
•
14K Posts
•
79.9K Points
1
August 21st, 2021 08:00
@RGNicholas The Status readout doesn't include key information. If you want to see that, run "manage-bde -protectors -get C:"
jphughan
11 Legend
•
14K Posts
•
79.9K Points
1
August 21st, 2021 08:00
@RGNicholas Glad to see you've made progress! In terms of your Windows lockout, be aware that the Windows Hello PIN relies on information stored in the TPM, so between the strange nature of this issue being reported by multiple users here and the fact that you've performed a BIOS downgrade, it's possible that the PIN won't work. You might have to use the traditional password to get into Windows, then clear and set up your PIN again.
jphughan
11 Legend
•
14K Posts
•
79.9K Points
2
August 21st, 2021 08:00
@RGNicholas So what DO you see when you run "manage-bde -protectors -get C:"? Under the category "Numerical Password", you should first see an "ID", which is a GUID for the protector and is encased in braces/curly brackets. Then under that it should say "Password", followed by the Recovery Key on the line below. Are you seeing the ID and then nothing at all in the output?
In terms of BIOS updates, make sure this person has the latest version of Dell Update installed. I think it's 4.0.x at the moment. Newer releases will automatically suspend BitLocker when a BIOS update will be installed specifically to avoid this -- although I guess that wouldn't rule out a bug in the BIOS update itself that broke the TPM, which may or may not have been what happened here. But Dell Update strangely does not seem to download updates for itself, so that might have to be a manual download.
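The protector check and the pre-update suspend described in the post above, as an added example (not code from any poster, Dell or Microsoft). It assumes the OS volume is C:, an elevated PowerShell prompt inside Windows with the volume unlocked, and the script's own hypothetical -Suspend switch.

```powershell
#Requires -RunAsAdministrator
# Added example: check BitLocker protectors before a BIOS update, then suspend.
# Run inside Windows with the volume unlocked.
param(
    [string]$MountPoint = 'C:',   # assumption: the OS volume is C:
    [switch]$Suspend              # this script's own switch (hypothetical name)
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: {1}, protection {2}" -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

# Same protectors that "manage-bde -protectors -get C:" lists, as objects.
$vol.KeyProtector | ForEach-Object {
    [pscustomobject]@{
        Type            = $_.KeyProtectorType
        Id              = $_.KeyProtectorId
        PasswordPresent = [bool]$_.RecoveryPassword
    }
} | Format-Table -AutoSize | Out-Host

# The "Numerical Password" protector is what the blue screen calls the Recovery Key.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Write-Warning "No Numerical Password protector on $MountPoint. Add one and store it off the machine before flashing."
    return
}

foreach ($p in $recovery) {
    # Print the 48-digit password so it can be checked against the stored copy.
    "Protector {0}" -f $p.KeyProtectorId
    "  Recovery password: {0}" -f $p.RecoveryPassword
}
$answer = Read-Host "Is a copy with a matching ID stored off this machine? (y/n)"
if ($answer -ne 'y') {
    Write-Warning "Store the recovery password somewhere other than $MountPoint first."
    return
}

if ($Suspend -and $vol.ProtectionStatus -eq 'On') {
    # Protection resumes by itself after one restart.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    "BitLocker suspended on $MountPoint for one reboot."
}
```

Run it without -Suspend to only list the protectors; with -Suspend the TPM check is skipped for the single restart that applies the firmware.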
RGNicholas
12 Posts
2
August 21st, 2021 09:00
@jphughan, I can say for sure when I ran the command from outside Windows - while I was blocked - there was no numerical key. The ID showed, but not the key. After I get all her data copied, I may update everything I can and see what happens on the reboot. Geez, these have small HDs in them. 128GB gets eaten up too fast.
jphughan
11 Legend
•
14K Posts
•
79.9K Points
2
August 21st, 2021 09:00
@RGNicholas Oh ok, yes the password will not display while the volume is locked. It would rather undermine the point of encryption if you could just ask for the password while the volume is locked. But if you run that command from within Windows, or even after unlocking the volume in an offline environment, the Recovery Key will be displayed.
x60643
1 Rookie
•
14 Posts
1
August 21st, 2021 10:00
While I’m happy for everyone else, I’m still stuck with you @theacura. I’ve completed downgrades to all versions and nothing has worked.
Like @jphughan pointed out, I’m starting to think I may have cleared my TPM accidentally when I previously did a bunch of random stuff before posting on this forum.
I’ve scheduled a 1:1 call with Dell support staff on Monday (GMT noon), which means I’ll keep praying on Sunday. Reading the progress people have made gives me hope! Will post back here if I receive anything new or different.
RGNicholas
12 Posts
1
August 21st, 2021 12:00
@x60643, I can say that in my case, I never monkeyed with the TPM settings. I did reset the overall settings to default a couple of times and tried turning secure boot on and off, etc. Who knows why the BIOS rollback to the 2.12 version worked for me; it just did, long enough to get me access to the user login screen.