Applies ToWindows 10, version 1607, all editions

Symptoms

A Hyper-V user with BitLocker enabled may encounter a restart failure if the Device Guard or Credential Guard feature has not been disabled or has not been uninstalled cleanly. Specifically, upon restart, you receive following error message on a blue screen:

Your PC/Device needs to be repaired.A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly.Error code: 0xc0210000You’ll need to use recovery tools. If you don’t have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.Press Enter to try againPress F8 for Startup Settings

Resolution

To fix this issue, install Cumulative update for Windows 10 Version 1607: August 23, 2016 (KB3176934).

How to avoid getting into this situation

  • Keep Hyper-V disabled during the operating system upgrade.

  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then enabled Hyper-V in Windows 10 Version 1607.

  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then upgrade to Windows 10 Version 1607.

  • Disable BitLocker until you install update 3176934.

How to recover from this issue

  1. Start into another operating system on the computer and then start the Command Prompt window

    • from the Windows Recovery Environment by selecting Troubleshoot > Advanced Options > Command Prompt

    • Or from a bootable Windows 10 Setup. You can follow this instruction to prepare a bootable USB drive.

  2. Unlock the operating system drive by running:

    Manage-bde-unlock-rp <recovery password> <operating system drive:>

    Note The operating system drive may be a different letter than in the main operating system. To do this, you should first recover your BitLocker key. See information about this from get your recovery password. You need to get the recovery ID first by running the following command:

    Manage-bde-status <opertaing system drive:>

  3. Suspend BitLocker by running the following command at the command prompt:

    Manage-bde-protectors-disable <operating system drive:>
  4. Restart and set below registry key from the main operating system:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard DWORD EnableVirtualizationBasedSecurity set to 0DWORD RequirePlatformSecurityFeatures set to 0

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.