What is BitLocker automatic device encryption

BitLocker is a security technology incorporated into Microsoft Windows operating systems starting from Windows 8, which is intended to protect users by encrypting data stored on a device, or external storage media (such as USB hard disk drives).

During the ongoing development of Windows 10, Microsoft made a change which sought to automatically provide this data security to its customers by activating BitLocker for devices which were designed to meet modern hardware standards.

With the continued evolution of hardware standards, alongside the release of Windows 11 24H2 Microsoft have now introduced a reduced set of hardware requirements which devices need to meet to become eligible for BitLocker automatic encryption.
 

Which devices are eligible?

Going forward from Windows 11 24H2 the requirements will be:

• The device contains a TPM (Trusted Platform Module), either TPM 1.2 or TPM 2.0.
• UEFI Secure Boot is enabled.
• Platform Secure Boot is enabled

This essentially means all Stone brand devices which already meet the hardware requirements for Windows 11 (external link), are now in-scope for BitLocker automatic encryption.
 

When does BitLocker automatic encryption occur?

Following a clean installation of Windows 11 24H2 (Home, Professional, Enterprise and Education) and the completion of OOBE (Out Of Box Experience) where users go through the initial Windows setup, BitLocker will initialise and prepare to encrypt data on all fixed internal storage drives.
However, data encryption will not take effect until the first time a user logs into the device using a Microsoft Account (available for individual users) or an Azure Active Directory Account (likely to be provided by an education institution or employer).
Once either of these two scenarios occur, BitLocker will arm, link the encryption keys to your account and store them in the cloud.

We strongly recommend that all users or administrators ensure that BitLocker keys are backed up, as they will be required if a device enters BitLocker Recovery Mode for any reason.

BitLocker recovery mode

BitLocker recovery mode can occur for many reasons including hardware or software changes, below are some examples:

Authentication errors:

• Forgetting the PIN.
• Entering incorrect PIN too many times (activating the anti-hammering logic of the TPM).
• Using a keyboard with a different layout that doesn’t enter the PIN correctly, or one that doesn’t map as assumed by the pre-boot environment.

Boot/BIOS changes:

• Changes to the master boot record (MBR) on the disk.
• Changes to the boot manager (Bootmgr) on the disk.
• Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
• Turning off BIOS support for reading USB devices in the pre-boot environment when using USB-based keys.
• Changing the BIOS boot order to boot another drive ahead of the hard drive (such as giving a CD or DVD drive boot sequence priority).
• Failing to boot from a network drive before booting from the hard drive.

Hardware, software and firmware changes:

• Adding or removing hardware.
• Upgrading main system firmware.
• Upgrading TPM firmware.
• Turning off, disabling, deactivating, or clearing the TPM.
• Updating option ROM firmware
• Docking or undocking a portal computer if the computer was (respectively) undocked or docked when BitLocker was turned on.
• Changes to NTFS partition table on the disk including: Creating, Deleting, Resizing primary partition.

Other triggers:

• Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile.
• Hiding the TPM from the operating system.
• Moving the BitLocker-protected drive to a different system.
• Upgrading the motherboard to a new one with a new TPM.
• Disabling the code integrity check or enabling test signing on Windows Bootmgr.

If BitLocker recovery mode occurs, you'll be prompted to input a BitLocker recovery key, which is a 48-digit number.

Prompting for the recovery key will either occur during start-up, due to a security risk or hardware change:

Or you may be prompted to input the recovery key for data and/or external drives, for example if you forgot the unlock password:

Where can I find a BitLocker recovery key?

When you are prompted to enter a BitLocker recovery key, take note of the first 8 digits of the recovery key ID.

The recovery key ID helps identifying which recovery key to use, in case you have more than one. 

Where BitLocker automatic encryption has occurred, there are primarily two places where your recovery key might be.

What if I can't find the recovery key?

If your device is managed by an organisation, check with their IT department to retrieve the recovery key.

If you can’t find the BitLocker recovery key and are unable to undo any changes that caused it to be needed, you’ll have to reset your device.

Resetting your device will remove all of your files.

Affected products:

• Any Windows 11 compatible Stone branded desktop, notebook or workstation product, where a clean installation of Windows 11 24H2 has occurred.

On May 1st 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.

Summary

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products.  This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

Description

There are two ways this vulnerability may be accessed, please note that Intel® Small Business Technology is only vulnerable to the second method:

• An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
• An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

Threat level

Severe.

• A system with unpatched ME firmware, running the Intel Local Manageability Service, is affected, whether or not vPro is provisioned.
• A system with unpatched ME firmware, with vPro provisioned, is affected, whether or not the Local Manageability Service is running.

Recommendations

Our customer's security is paramount, to that end Stone are working with key vendors to provide firmware updates which close this vulnerability as quickly as possible. Those updates will be able available to download from this article as soon as they are made available to us

Intel has released a discovery tool which will analyse your systems for the vulnerability.

Actions:

1. Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable systems. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

2. Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware.

3. Stone highly recommends updating affected systems Management Engine (ME) firmware as soon as they become available. Please review the affected products section of this article for ME firmware update availability.

• Management Engine (ME) Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Example: 8.1.71.3608.
• After the BIOS or ME patch update, to completely mitigate any risks, any previously configured AMT functionality should be de-provisioned and then re-configured. This prevents any compromised machines from retaining "hacked" logins.

4. If a firmware update is not yet available, mitigations are provided by the INTEL-SA-00075 Mitigation Guide. It is recommended that unpatched systems should have the steps detailed in the mitgation guide applied to them until such time as an ME firmware update becomes available.

• De-provision AMT
• Fully disable the Local Management / Manageability Service within the operating system

Affected Products

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

Where possible, updated BIOSes or patches for Management Engine Firmware are shown below. This article will be updated as more BIOSes or patches become available.

StonePC Lite/Tower / All In One

Legacy Desktop Products

Further information regarding Intel’s release schedule for their own branded desktop products can be found here.

StonePC Micro

Stone Notebooks

Applies to:

• Stone Desktop, Notebook and NUC products with Intel AMT (such as B or Q series chipsets),

Intel Management Engine (Intel ME 11.0.0-11.7.0), Intel Trusted Execution Engine (Intel TXE 3.0), and Intel Server Platform Services (Intel SPS 4.0) vulnerability (Intel-SA-00086)

Summary
On November 20th 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize ME Firmware versions 11.0 / 11.5 / 11.6 / 11.7 / 11.10 / 11.20, SPS Firmware version 4.0, and TXE version 3.0.

Please download and view the document attached to this article for further information and firmware / BIOS patch availability.

Note: The attached document will be updated as new information becomes available.

Applies to:

• Stone branded products

Overview

Secure Boot is a UEFI firmware feature found in all modern computers which helps to ensure that only trusted and signed code runs at the earliest stages of system start-up (boot loader, firmware modules, option ROMs, etc.).
It relies on a chain of trust, built through certificates and keys:

• Platform Key (PK) – root trust, typically created by top level OEM.
• KEK (Key Exchange Key) – authorises updates to the databases that control what is allowed or revoked.
• DB (Allowed Signature Database) – holds certificates for trusted bootloaders, EFI applications, etc.
• DBX (Forbidden / Revoked DB) – holds signatures or hashes of known bad/compromised components.

The certificates in these DB / KEK variables include Microsoft’s certificates (among others).
These certificates have a lifetime which is determined by expiry dates hard coded into the certificate.
Once the certificates expire, affected systems will stop receiving updates for components like the Windows Boot Manager and Secure Boot components.
 

More detail can be found in these Microsoft articles, including exactly which certificates are being replaced and further advice on what steps you can take:

Windows Secure Boot certificate expiration and CA updates

Act now: Secure Boot certificates expire in June 2026

Secure Boot Certificate updates: Guidance for IT professionals and organizations

What is happening?

The Microsoft 2011 Secure Boot certificates are set to expire beginning in June 2026 and are being replaced by new certificates which were originally created in 2023 as part of a phased transition process controlled by Microsoft and its technology partners.

The below table details which certificates are expiring and their replacements.

What this means for you

• Operating Systems Impacted: Windows 10 and Windows 11 are among those affected by the certificate expiration.
• Core Risk: Secure Boot helps protect the system’s start-up process. With the 2011 certificate no longer valid, future updates to Secure Boot components and related infrastructure might not function as expected unless devices are prepared.
• Preparations should be made to update compatible systems.

Preparations and actions

• Asset inventory
  Identify all systems running Windows 10 or 11 (or dual-boot etc.), check whether Secure Boot is enabled (should be enabled for Microsoft update path to work) and ascertain the make/model of each device or motherboard and their current firmware version.
  During this phase it is prudent to confirm whether systems already include the 2023 certificates, as those produced in the past 1 to 2 years may already have them, helping organisations or users to narrow their focus.
  The following link is a package (Check UEFI Secure Boot KEK and DB) containing a script which can assist with this check by providing a visual confirmation and .CSV log file detailing make, model, BIOS version, Windows build, Secure Boot status and presence of Secure Boot certificates.
   
• Microsoft updates
  Microsoft have begun delivering updates for Secure Boot CA via Windows Update, which aims to greatly simplify the process for most devices.
  To allow Microsoft to manage secure boot updates organisations or users may be required to perform some configuration steps.
  Microsoft have published guidance on this topic.

  Secure Boot Certificate updates: Guidance for IT professionals and organizations
   

• Firmware updates
  Converge is collaborating with its partners to ensure the new 2023 certificates are being included in firmware updates on eligible Stone models, these are hardcoded and will available to reload should the secure boot variables ever be cleared.
  Systems that are air-gapped from the internet (and cannot receive Windows Updates), or have special security / compliance constraints, should be planned for manual update paths.
  Specifically for Stone desktop and workstation which contain Asus motherboards, we are also able to provide a tool which can add the new certificates to the Secure Boot variables and set them as active.
   
• Avoid resetting firmware defaults or disabling Secure Boot
  Secure Boot database changes (DB, KEK etc.) delivered via Windows Update are stored in firmware variables, certain actions (factory reset, resetting to defaults, disabling Secure Boot) might revert or clear some of the updated trust anchors.
   
• Test a representative sample group
  Before proceeding to deployment across a large estate of devices, testing on a small subset of each device model is advised.
  First verify new certificates apply correctly when delivered from Windows Update, and operating systems continue to behave as expected.
  For devices which are not being serviced by Windows Update, test firmware updates and/or the Asus Secure Boot 2023 Helper tool and confirm positive outcome.
  Pay attention to devices where BitLocker is enabled, ensure steps are taken to avoid BitLocker recovery by suspending BitLocker back up recovery keys to Microsoft accounts, Azure AD, or print/save them locally.
   
• Plan for the deadline (June / October 2026)
  Microsoft has set June 2026 as the date when many of the 2011 certificates expire.
  The Windows Production PCA 2011 certificate’s expiry is in October 2026 for part of the certificate chain.
  Develop a plan to address your individual needs as soon as possible.

How can we help?

Customers should be able to rely on secure Boot updates being distributed via Microsoft Windows Update as hardware platform owners have been collaborating with Microsoft over a number of years to share signed certificates, so following the configuration steps to enable this method of delivery should cover all or most devices.
We have also worked with our hardware partners to provide some scripts and tools which customer may find useful.

• Check UEFI Secure Boot KEK and DB - Version 1.0

Contained in this download is a PowerShell script that will identify the model of your device/motherboard, the current BIOS version, current build of Windows, Secure Boot status, a list of the current (active) Secure Boot KEK and DB variables and a list of the default (factory) Secure Boot variables.
This information is also logged to a CSV file.
Provided as a PowerShell script, this enables customers to choose how they implement its use should they wish too.

The download package contains help documentation detailing the function and usage and is compatible with any make or model of device.

• Asus Secure Boot 2023 Helper v1.0.8

This package will apply the Secure Boot 2023 KEK and DB updates as new Secure Boot variables.
This can be used as alternative (or as part of a blended approach) to having Microsoft deliver these updates through Windows Update.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing the function and command line switches.

When the tool is run from command line or Powershell, either directly by using scripts, it checks which 2023 certificates are already installed and applies any that are missing.
Customers are advised to test on a sample batch of devices to confirm operation.
 

• Stone Asus BIOS Updater V2.0

This download contains a collection of desktop client and workstation BIOS's, along with scripts and tools to automatically detect make/model and flash devices.
It is intended to be run within a Windows operating system and provides enough flexibility to allow users with knowledge PowerShell to build upon the functionality to suit individual needs.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing the function and usage.

When this package is run, it checks to ensure the model of device/motherboard is supported, selects the correct BIOS file, checks BitLocker status and temporarily suspends if active, updates the BIOS and logs to the results to CSV.
Customers are advised to test on a sample batch of devices to confirm operation.
 

• Stone ASUSBIOSUpdater_A01-B01.intunewin

This download is similar in function to the Stone Asus BIOS Updater V2.0, however it has been packaged as a Microsoft Intune application which customers are able to push out to targeted clients, where it will install and apply the firmware update.
It is intended for users who are familiar with managing devices, groups and applications in Microsoft Intune.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing function and usage.
Customers are advised to test on a sample batch of devices to confirm operation.

Firmware support matrix

The below tables list product information and links to download firmware which include hardcoded Secure Boot 2023 certificates.
Updates to this information will continue to be added as they become available.

Stone Desktop

Stone AIO

Stone Mini

Stone Micro / Nano

Stone Notebook

Stone Workstation