HP Recommended
HP EliteBook and ZBook G9 and G10
Microsoft Windows 11

For those having issues with BIOS and/or Windows Updates triggering BitLocker and/or getting stuck in BitLocker loops, I won't go into minuscule detail, but this is what has helped us.

Pre-Requisite:

1. Verify that Page File is Enabled and set to System Managed Size.

Stage 1: SecureBoot and UEFI Cert Settings

1. Use PowerShell scripting to access BIOS settings from WMI.

2. Enable SecureBoot. Enable MS UEFI Cert Usage. Enable New 2023 Cert Settings (All 3) if they are available. (You may need to repeat Steps 1-4 if SecureBoot is not already enabled.)

3. Suspend BitLocker.

4. Restart Immediately to Apply Settings.

5. Allow BitLocker to Re-Encrypt if needed.

6. Allow 24 Hours and/or 2 Restarts more to let Windows update the TPM. (This can be triggered through Reg Keys.)

Stage 2: BIOS Update

1. Apply Current Drivers (Seamless Firmware Update Service Driver update should be installed at minimum. Can be scripted using HPIA.)

2. Apply New BIOS. (Can be scripted using HPIA.)

3. Suspend BitLocker. (HP suspends before the start of the firmware download process; this can give policy an opportunity to re-enable it before the computer restarts, which will trigger BitLocker when changes or updates are applied with it enabled.)

4. Restart Immediately to Update BIOS. It should* enable new UEFI Settings during the update process.

5. Allow BitLocker to Re-Encrypt.

6. Restart to verify.

If a computer gets stuck BitLocker looping and the script reports as ok*, the only option we've found is to go into the BIOS on the computer manually to turn on the new UEFI Settings.

Since implementing Stage 1 we have had a major decline in BitLocker triggering and looping in our network, with both MS Update deployed BIOS updates and those installed through other methods.

*Note: For those stuck in loops, the script commands to pull individual settings will show the new 2023 settings as enabled, but the command that pulls all settings at once will show some or all of them as disabled. The command to set them returns a 4 error. It's as if settings got stuck while enabling. We had this happen on 4 out of 10 updated manually for testing before setting up an Intune Remediation. Those 4 had suspect timing on when the settings were enabled vs. when the BIOS updates and/or Windows updates applied that triggered BitLocker looping.

The scripting was working until HP removed the new BIOS updates for G9 and G10 EliteBooks and ZBooks from the Support site and FTP site used by HPIA. HPIA still identifies the new version as needed, though, and causes failures. (As of the time of this edit) Tech Support thinks they have some FTP servers down preventing access to the new BIOS updaters, but with no official announcement about the access and support site issues, it's hard to know what is happening there.

The same processes also worked for getting our remaining G6 desktops up-to-date when HP implemented the new 2023 cert settings in their BIOS.
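Stage 1 step 1 (reading HP BIOS settings from WMI), the note about individual vs. bulk setting queries, and the three checks listed in the last reply below, as an added example that is not the poster's script: an Intune-style detection script that fails when any of those conditions is off. Assumed, not taken from the thread: HP's WMI BIOS interface (namespace root\HP\InstrumentedBIOS, classes HP_BIOSEnumeration and HP_BIOSSettingInterface), the setting values 'Enable'/'Disable', and the '*2023*' wildcard for the three new cert settings (adjust to the names your model shows).

```powershell
# Added example, not the OP's script. Assumes HP's WMI BIOS interface and that
# the settings use 'Enable'/'Disable'; the '*2023*' pattern is an assumption.
$ns = 'root\HP\InstrumentedBIOS'

function Get-HpSetting([string]$Name) {
    # Individual query, the form the OP says reports the 2023 settings correctly.
    (Get-CimInstance -Namespace $ns -ClassName HP_BIOSEnumeration -Filter "Name='$Name'").CurrentValue
}

function Set-HpSetting([string]$Name, [string]$Value, [string]$SetupPassword = '') {
    # HP expects the setup password prefixed with <utf-16/>; leave it empty when none is set.
    $iface = Get-CimInstance -Namespace $ns -ClassName HP_BIOSSettingInterface
    $r = Invoke-CimMethod -InputObject $iface -MethodName SetBIOSSetting `
        -Arguments @{ Name = $Name; Value = $Value; Password = "<utf-16/>$SetupPassword" }
    $codes = @{ 0='Success'; 1='Not Supported'; 2='Unspecified Error'; 3='Timeout'
                4='Failed'; 5='Invalid Parameter'; 6='Access Denied' }
    "$Name -> $Value : $($codes[[int]$r.Return])"   # a 4 here is the 'stuck' state the OP describes
}

$problems = @()

# Pre-requisite: page file present and system managed.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.AutomaticManagedPagefile) { $problems += 'Page file not system managed' }

# Secure Boot as the OS sees it (throws on legacy BIOS).
try { if (-not (Confirm-SecureBootUEFI)) { $problems += 'Secure Boot disabled' } }
catch { $problems += 'Secure Boot state unavailable' }

# Cross-check each cert setting two ways: the bulk listing vs. an individual
# query. A mismatch between the two is the 'stuck' symptom from the OP's note.
$bulk = Get-CimInstance -Namespace $ns -ClassName HP_BIOSEnumeration |
        Where-Object { $_.Name -eq 'Enable MS UEFI CA key' -or $_.Name -like '*2023*' }
foreach ($s in $bulk) {
    $single = Get-HpSetting $s.Name
    if ($single -ne 'Enable') { $problems += "$($s.Name) is '$single'" }
    elseif ($s.CurrentValue -ne $single) {
        $problems += "$($s.Name): bulk='$($s.CurrentValue)' single='$single' (stuck?)"
    }
}

if ($problems) { $problems; exit 1 }   # non-compliant: the remediation script runs
'Compliant'; exit 0
```

A matching remediation script would call Set-HpSetting for each failing item, then run Suspend-BitLocker -MountPoint C: -RebootCount 1 immediately before the restart so policy has no window to resume protection first.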

HP Recommended
We had the BitLocker Recovery Key issue after updating 830 G9 Notebooks to BIOS 1.18 as well. All Notebooks had the UEFI 2023 CA Certificates and the UEFI 2023 Bootloader already.

To resolve this we had to disable the "Enable MS UEFI CA key" setting in BIOS settings.

@HP Please do not use crappy AI to translate your BIOS settings to German. We wondered what "CA Taste für MS (UEFI) aktivieren" should mean until we switched to English. The translation is completely wrong!

HP Recommended

If you disable the MS UEFI CA Key usage, then you prevent Windows from updating the CA Certs for the June 2026 Expiry, and the 2023 settings would have no effect.  You will have more problems in the long run.  You may have other issues...   We also found that the Page File settings on some systems were disabled and that was causing some BitLocker Loops... Re-enabling Page File and setting it to System Managed Size fixed that issue.  Thank you for the reminder, I've added a note to the OP.

HP Recommended

Enable MS UEFI CA key

If this setting is enabled, then code signed with the MS UEFI CA key is allowed to execute during pre-boot.

https://support.hpwolf.com/s/article/BIOS-Settings-Protection-Assessment

That has nothing to do with the UEFI CA 2023 KEK according to the documentation...

"The Enable MS UEFI CA Key setting manages the third-party Microsoft UEFI CA 2011 certificate. To find this setting, access f10 BIOS setup menu."

HP Recommended

All I can say is that in our environment, we had 3 things that affected fixes for the BitLocker Looping.

1. Page Files randomly disabled (by Windows updates?) needing to be re-enabled.

2. Enabling the "Enable MS UEFI CA Key" Setting on all systems.

3. Enabling or Verifying Enablement of the new 2023 Cert Settings when made available after a BIOS update.

After we verified those were in place, our random triggering and looping has stopped.
