Windows 10 Update 1511 fails with DiskCryptor whole disk encryption

Solution 1:

This appears to be a problem with Full Disk Encryption software generally (with the presumable exception of MS's own BitLocker). From the VeraCrypt coordinator himself:

Windows 10 version 1511, build 10586 update fail

TrueCrypt would have had the same problem. It is this specific Windows update that seems to disable filter drivers used for on the fly encryption and if Windows was encrypted using TrueCrypt, it would have failed too. There is nothing magical in TrueCrypt driver that would have prevented this.

Microsoft is doing something nasty in the update installer. VeraCrypt driver is working as expected but this installer clearly blocks it during the process of updating the system. By doing this, Microsoft is breaking FDE software other than Bitlocker and Microsoft partners ones.

What is the best way to report this to Microsoft? Obviously, on VeraCrypt, we are lacking manpower to investigate further such deep kernel blocking by the update installer.

The workaround is described in a separate forum post:

You must decrypt the system encryption before performing any OS upgrades.

Also, Windows 10 November update requires decrypting the OS in order to apply the Windows 10 1511 update. Normally this is not necessary.

NOTE: Dismount and disconnect any external encrypted volumes attached to your PC before you begin the OS upgrade. I have seen users complain in the past that the Windows OS upgrade sees the encrypted drive/partition as RAW format and Windows tries to be too helpful by automatically quick formatting the partition and assigning a drive letter to make it usable by Windows.


UPDATE: Just to close the loop, I performed the following steps with no ill effects. As always, back up first!! I did not need my backup, but I can't guarantee you won't need yours ;).

  1. Decrypt the system drive (most likely C:)
    • I have a secondary hard drive (D:)
    • This D: drive was also encrypted
    • I did not decrypt my D: drive
  2. Apply the Windows update
    • The DiskCryptor bootloader still prompted me for a password at each reboot
    • I just pressed [Enter] without any password and the machine booted
  3. Re-encrypt the system drive

Quick note about the encrypted D: drive (secondary drive):

Be very careful when Windows 10 boots up and the C: drive is still unencrypted. The D: drive does not get auto-mounted at startup in this scenario. If you double-click on the D: drive, Windows will not recognize it and offer to format it for you. To mount the drive, you need to open DiskCryptor, choose the D: drive, click on [Mount], and enter the password.

Windows did not automatically format my secondary drive, but it would have been very easy for me to do it accidentally. Proceed with care!
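
A pre-upgrade check for the two hazards described above, as an added example that is not part of the original posts: it reports installed third-party disk-encryption drivers and lists fixed volumes that Windows cannot read and may therefore offer to format. The driver service names (`dcrypt`, `veracrypt`, `truecrypt`) are assumptions taken from the drivers' file names, and the function names are hypothetical.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing.
# Assumption: driver service names match the driver file names
# (dcrypt.sys, veracrypt.sys, truecrypt.sys).
$FdeDriverNames = 'dcrypt', 'veracrypt', 'truecrypt'

function Get-FdeDriver {
    # Kernel drivers registered on this system whose name is in the list above.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $FdeDriverNames -contains $_.Name } |
        Select-Object Name, State, StartMode, PathName
}

function Get-UnrecognizedVolume {
    # Fixed-disk volumes (DriveType 3) with no file system Windows can read.
    # An encrypted volume that is not mounted looks like this, and so does
    # a genuinely unformatted one, so treat the result as "check before touching".
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object {
            $_.DriveType -eq 3 -and
            ([string]::IsNullOrEmpty($_.FileSystem) -or $_.FileSystem -eq 'RAW')
        } |
        Select-Object DriveLetter, DeviceID, Capacity
}

$drivers = @(Get-FdeDriver)
$volumes = @(Get-UnrecognizedVolume)

foreach ($d in $drivers) {
    Write-Warning ("Encryption driver present: {0} (state {1}, start mode {2})" -f `
        $d.Name, $d.State, $d.StartMode)
}
foreach ($v in $volumes) {
    Write-Warning ("Volume {0} {1} has no readable file system; do not format it" -f `
        $v.DriveLetter, $v.DeviceID)
}
if ($drivers.Count -eq 0 -and $volumes.Count -eq 0) {
    Write-Output 'No listed encryption driver and no unreadable fixed volume found.'
}
```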

Solution 2:

I realize this thread is a little old but for the sake of searchers ... The presence of DiskCryptor prevents Windows (10) 1709 (at least) updates without any specific related errors being reported - just blue screen at the end and reinstall old version ... does not matter if DiskCryptor drives are actually mounted or not.

Simple solution is to uninstall DiskCryptor, run the update(s) and reinstall - worked for me after many days of researching why my systems were not updating.

But after the update is installed, at least with the Creators update, the behavior of mounted drives has changed. Mounted volumes are no longer dismounted when doing a Windows shut down. In fact it appears that DiskCryptor prevents a Windows shutdown if any DiskCryptor drives are mounted, and the station just goes to sleep (which if you're not observant, may not be noticed) - when waking up, drives are all still mounted! I tested this on two Lenovo laptops w/Win 10 home, and 1 desktop w/Win 10 Enterprise - no diff. Hope this helps someone and I hope Windows patches this quickly - unless the intent is to force the move to BitLocker :( btw this new behavior was not present when I tested it with TrueCrypt. Drives automatically dismount on shut down.