I don’t always update the BIOS of my system, but when I do, I always make sure to waste several hours doing so. Last time I did that was in 2020, but this happened again when I updated the BIOS for the Khadas Mind 2 to test it with the Mind xPlay display and Mind Graphics 2 dock.
Khadas provides the BIOS with instructions to update the Mind 2 mini PC, and it’s supposed to take five minutes, but I ended up wasting about two hours… The first step is to download and extract a zip file (mind-2-bios-v1.07-260122.zip), then start the Flash_BIOS upgrade program, and finally wait for the upgrade to complete.
That part went great. No problem, but when the system rebooted, I was greeted by a BitLocker window asking me to enter a recovery key to carry on with the boot process.
There’s no way to avoid this, and that’s a bit annoying, but I understand this is done for security reasons, since the BIOS was changed and BitLocker (device encryption) is enabled, Windows 11 wants to make sure it’s not from a bad actor. So I went to aka.ms/myrecoverykey on another machine, where I could find the 48-digit recovery key from the MIND mini PC.
As a side note, I think I understand why the Windows setup wizard sometimes forces users to log in with a Microsoft account and other times, it does not. If you don’t have a Microsoft account and BitLocker is enabled, you need an account to recover access, unless you’ve manually saved the keys on a USB flash drive. Without recovery keys, you’ll need to wipe out the drive when reinstalling Windows and lose your data.
Nevertheless, I had my recovery key, so I tried to type it in on the BitLocker window. The only problem is that it shows only for 5 seconds before rebooting in a loop… Not quite enough time to type 48 digits from a random key and click on Continue… So I had to find a workaround: selecting Skip this drive->Troubleshoot->Advanced options-> Command prompt.
It was still locked, but I could select Unlock and enter the recovery keys without the system rebooting every 5 seconds as I typed.
I got access to the Command Prompt, and I temporarily suspended BitLocker with the following command:
manage-bde.exe -protectors -disable C:
After that, I exited and continued the boot process. I saw the Windows boot animation and was about to celebrate. However, I have enough experience to know that once something goes wrong, it can go wrong in more than one way, and I was unable to log in to Windows as my PIN (aka password) was not available. That issue is documented in another document on the Khadas website, but it’s easy enough to solve anyway.
I clicked on “Set up my PIN” and was informed of potential caveats of doing so. It’s not like I had any choice anyway, and in my case, it had no negative impacts.
I selected the Phone recovery method to scan a QR code and changed the PIN.
I finally managed to log in to Windows 11 Pro. Device encryption/BitLocker was temporarily suspended, and should resume automatically the next time we reboot the device.
I did that twice, and the same message still showed up, so I manually ran the following command as an administrator to resume encryption:
manage-bde -protectors -enable C:
The suspension message is gone. I did a last reboot to confirm everything was back to normal.
I’m all for security, but there must be a better way to implement a secure BIOS upgrade on a Windows 11 machine with BitLocker… Funnily enough, I might have to disable or suspend BitLocker again soon, as I plan to install Ubuntu 26.04 on the Mind 2.
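The suspend and resume steps above can also be run from an elevated PowerShell session before the flash, so that protection is already suspended when the firmware changes. This is an added example, not part of the original article or of Khadas' instructions; the two function names are hypothetical, and C: is assumed to be the OS volume as in the manage-bde commands above.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the booted system before the BIOS flash,
# not from the recovery environment.

function Suspend-ForFirmwareUpdate {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "$MountPoint protection is already off or suspended; nothing to do."
        return
    }

    # Refuse to continue unless a recovery password exists, and show its ID so it
    # can be matched against the copy saved in the Microsoft account or on USB.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No recovery password protector on $MountPoint; add and save one before flashing."
    }
    $recovery | ForEach-Object { Write-Host "Recovery key ID: $($_.KeyProtectorId)" }

    # Protectors stay disabled for $RebootCount restarts, then re-enable on their own.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Write-Host "Suspended for $RebootCount reboot(s). Run the BIOS update now."
}

function Confirm-ProtectionResumed {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Same effect as: manage-bde -protectors -enable C:
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    Write-Host "$MountPoint protection status: $($vol.ProtectionStatus)"
}

# Usage: before the flash   -> Suspend-ForFirmwareUpdate
#        after the reboots  -> Confirm-ProtectionResumed
```

If the update tool restarts the machine more than once, pass a larger -RebootCount (0 keeps protection suspended until it is resumed manually).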

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.

Never did understand why people don’t make an image of their drive.
All ya had to do is format it, install windows then put the image back. Whole process should take at best 15 minutes.
Why do all this for just upgrading the BIOS?
It looks like a multi-hour process, possibly a full day, rather than 15 minutes…
You could have avoided this multiple ways. First option, always make a backup of your BitLocker recovery key. Windows prompts you to do this when you enable BitLocker. Second option, before flashing the BIOS, suspend BitLocker. This allows the update to pass without triggering the recovery, and automatically re-enables BitLocker after reboot. Most BIOS-update software (Dell, Lenovo, etc.) does this automatically.
BitLocker is enabled by default. I was never asked to save the recovery key during setup, but that’s probably why I was forced to log in with a Microsoft account.
Nevertheless, this should have been handled much better than that. Based on your comment, Khadas should probably improve their BIOS update software.
The update process is one thing which most major brands nowadays have under control.
But never try to change your secure boot parameters in bios while bitlocker is active.
Basically if you are dual booting, disable (not suspend) it for good
It’s unimaginable how horribly user-unfriendly this “operating system” has become over the years. It seems that everything that could be invented to make sure their victims would never buy it a second time was attempted. How would non tech-savvy users deal with that? They’d just lose all their data, for a BIOS update that was supposed to keep them safe.
I guess this user group wouldn’t try a bios upgrade other than if enforced by windows update or i.e. Lenovo vantage etc
But yes you are right, it’s horrible.
We got a new laptop for CAD at work and can’t bring it into the AD for some funny reasons and wanted to temporarily activate it for a weird project and hey you need a ms account. Which by policy we are only allowed to use our company accounts, but of course not with “rogue” machines. We just want an os, not a cloud client.
Whatever if we could just leave all the windows crap behind, but as long as catia is win only (ok AIX too) and the PLM needs win and entra id, what to do.
Vendor lock-in never went away, it just put on new clothes. Microsoft wants to force the requirement for Secure Boot, Bitlocker, and Microsoft accounts in Windows so they can tie all of your important work IDs to theirs, so they control your financial future. Software companies are falling for it, tying their products to Microsoft in an attempt to stay relevant, and thereby forcing businesses that license their software to also adopt Microsoft accounts as mandatory. The knock-on effect trickles down to freelancers and small businesses that rely on said software; if you don’t fall in line and follow the rules, you can’t earn money and run your business.
Microsoft never really lost the antitrust lawsuits, they just shifted focus to a more insidious form of lock-in that is class-action-proof. The only thing they learned is how to continue to be evil without breaking the law this time.
There are two ways of handling this.
First is to suspend Bitlocker using manage-bde, or by right-clicking the boot drive and choosing manage Bitlocker before applying the BIOS update. If you’re downloading and installing BIOS updates on your own, this isn’t a difficult step.
The second is to use the capsule firmware updates pushed by Windows update (available in the optional updates / drivers section) if those are available.
… and the third one is to avoid that shitty OS like the plague. It’s only designed to enslave you and steal your data, not at all to do anything right nor useful for you. Only Stockholm’s syndrome justifies purposely using it.