Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607

Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607

View products that this article applies to.

Symptoms

A Hyper-V user with BitLocker enabled may encounter a restart failure if the Device Guard or Credential Guard feature has not been disabled or has not been uninstalled cleanly. Specifically, upon restart, you receive following error message on a blue screen:
Your PC/Device needs to be repaired.

A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly.

Error code: 0xc0210000

You’ll need to use recovery tools. If you don’t have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.

Press Enter to try again
Press F8 for Startup Settings

↑ Back to the top

How to avoid getting into this situation

  • Keep Hyper-V disabled during the operating system upgrade.
  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then enabled Hyper-V in Windows 10 Version 1607.
  • Reset the Device Guard registry keys (delete the Device Guard registry key node) and then upgrade to Windows 10 Version 1607.
  • Disable BitLocker until you install update 3176934.

How to recover from this issue

  1. Start into another operating system on the computer and then start the Command Prompt window
    • from the Windows Recovery Environment by selecting Troubleshoot > Advanced Options > Command Prompt
    • Or from a bootable Windows 10 Setup. You can follow this instruction to prepare a bootable USB drive.
  2. Unlock the operating system drive by running: 
    Manage-bde-unlock-rp <recovery password> <operating system drive:>

    Note The operating system drive may be a different letter than in the main operating system.

    To do this, you should first recover your BitLocker key. See information about this from get your recovery password. You need to get the recovery ID first by running the following command: 
    Manage-bde-status <opertaing system drive:>
  3. Suspend BitLocker by running the following command at the command prompt:
    Manage-bde-protectors-disable <operating system drive:>
  4. Restart and set below registry key from the main operating system:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
    DWORD EnableVirtualizationBasedSecurity set to 0
    DWORD RequirePlatformSecurityFeatures set to 0

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top

Keywords: kbqfe, kbsurveynew, kbfix, kbexpertiseadvanced, kb

↑ Back to the top

Article Info
Article ID : 3189068
Revision : 1
Created on : 1/7/2017
Published on : 9/7/2016
Exists online : False
Views : 319