Some people report that BitLocker asked for a recovery key because "Secure Boot policy has unexpectedly changed", but they have no recovery key. This post from MiniTool Partition Wizard offers 2 solutions to this issue.

BitLocker Secure Boot Policy Has Unexpectedly Changed

I've never used BitLocker before and thought it was disabled. I woke up to a message telling me that I need to enter a recovery key because "Secure Boot policy has unexpectedly changed". I don't have a recovery key. Is there any way to get my laptop back without wiping my whole hard drive? I have a Dell XPS 13 9360 with Windows 10 installed. Thanks.
https://answers.microsoft.com/en-us/windows/forum/all/bitlocker-unexpectedly-locked-my-hard-drive/1b5a6d9a-4108-4351-959f-9ec3fbc6436e

According to many users’ reports, the “BitLocker Secure Boot policy has unexpectedly changed” issue usually occurs after a Windows update. In addition, this issue may occur on PCs of various brands like HP, Dell, Surface, etc.

Which Windows update causes this issue? It is the KB5012170 update for Windows 10, a security update for the Secure Boot DBX that resolves vulnerabilities found in various UEFI bootloaders, which threat actors could use to bypass the Windows Secure Boot feature and execute unsigned code.

However, installing this update can trigger the “Secure Boot policy has unexpectedly changed” issue: BitLocker's TPM protector is tied to the Secure Boot configuration, which the DBX update changes. It is now reported that this update is also being pushed to Windows 11 22H2.

Tips:
Some users report that if there is no TPM on the PC, the “Secure Boot policy has unexpectedly changed” issue won’t be triggered by the KB5012170 update.

How to Fix the Issue

The “BitLocker Secure Boot policy has unexpectedly changed” issue prevents you from booting into Windows unless you enter the BitLocker recovery key. However, some people report that they never set up BitLocker drive encryption and don't know the recovery key. To solve this issue, you can try the following 2 ways.

Way 1. Find the BitLocker Recovery Key in Your Microsoft Account

If BitLocker was enabled manually, the recovery key may have been saved to your Microsoft account, a USB drive, a TXT file, etc. However, if BitLocker was enabled automatically, the default location should be your Microsoft account.

You need to open a web browser on another device. Go to https://account.microsoft.com/devices/recoverykey to find your recovery key there.

If you don't see the BitLocker recovery key there, the most likely reason is that the device was set up, or BitLocker was turned on, by someone else or by the OEM. In this case, the recovery key may be in that person's Microsoft account.
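
On a PC that still boots, the check below reports whether the system drive is encrypted, whether a TPM protector is present, and which recovery key IDs exist, so they can be compared with the keys listed in the Microsoft account page above. It is an added example, not part of the original post; it uses the built-in Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets from an elevated PowerShell session, and the function name Get-BitLockerExposure and its output field names are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): pre-update BitLocker check.

function Get-BitLockerExposure {
    param([string]$MountPoint = $env:SystemDrive)   # assumption: OS volume

    # Both cmdlets can throw on hardware without a TPM or without UEFI.
    $tpmPresent = $false
    try { $tpmPresent = [bool](Get-Tpm).TpmPresent } catch { }
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector)
    $recovery = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $tpmBound = @($protectors | Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' })

    # A volume can be encrypted without the owner ever turning BitLocker on.
    $encrypted = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        TpmPresent        = $tpmPresent
        SecureBootEnabled = $secureBoot
        HasTpmProtector   = $tpmBound.Count -gt 0
        RecoveryKeyIds    = @($recovery | ForEach-Object { $_.KeyProtectorId })
        # Encrypted + TPM protector means a boot-measurement change can
        # send the machine to the recovery screen.
        CanEnterRecovery  = $encrypted -and ($tpmBound.Count -gt 0)
        # Worst case from the post: locked out with no key on record.
        NoRecoveryKey     = $encrypted -and ($recovery.Count -eq 0)
    }
}

$report = Get-BitLockerExposure
$report | Format-List
if ($report.CanEnterRecovery) {
    Write-Warning ('Confirm these key IDs are saved somewhere you can reach from ' +
        'another device before updating: ' + ($report.RecoveryKeyIds -join ', '))
}
```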


Way 2. Reinstall Windows

If you really can't find the BitLocker recovery key, you can reinstall Windows to solve the issue. Note that this wipes the Windows installation, in particular the C drive. Any important files on that drive will not be recoverable.

Tips:
No data recovery software can recover data from an encrypted drive, because the encryption has scrambled the data.

After experiencing this issue, you may want to disable BitLocker. If so, you can refer to this post: 7 Reliable Ways to Disable BitLocker Windows 10.  

Bottom Line

MiniTool Partition Wizard can migrate OS, clone hard drives, and recover hard drive data. If you have these needs, you can download it to have a try.
