Windows 11 Encryption May Damage Data, Microsoft Says


Microsoft has detailed a serious bug in Windows 11 and Windows Server 2022. Due to the issues outlined in Knowledge Base (KB) article KB5017259, it says, users of its newest operating systems could experience data damage. The flaw appears to lie in the operation of a new hardware-accelerated data encryption code path, supported by the newest processors from AMD and Intel and used by features like BitLocker. Thankfully, a fix is already available for both preview and release versions of Windows 11 and Windows Server 2022.


Microsoft says systems will fall foul of the issues described in KB5017259 if they have a processor that supports the newer Vector Advanced Encryption Standard (VAES) instructions, and specifically when either of the following modes is in use:

  • AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS)
  • AES with Galois/Counter Mode (GCM) (AES-GCM)

Checking around, we found that the following modern PC processors support VAES: Intel Ice Lake, Tiger Lake and Rocket Lake, plus the upcoming AMD Zen 4 architecture processors.
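Whether a given machine falls into the hardware class the KB describes can be read straight from the CPU. The following is an added example, not code from the article or from Microsoft: it queries CPUID via the GCC/Clang `<cpuid.h>` intrinsics and decodes the documented VAES and VPCLMULQDQ bits (leaf 7, subleaf 0, ECX bits 9 and 10) alongside legacy AES-NI (leaf 1, ECX bit 25). It reports hardware capability only; whether the installed Windows build actually routes BitLocker or TLS through the affected SymCrypt path is an assumption this check cannot confirm.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#define HAVE_CPUID_INTRINSICS 1
#endif

/* Feature bit positions as documented in the Intel SDM and AMD APM. */
#define CPUID1_ECX_AESNI      (1u << 25) /* leaf 1, ECX: AES-NI          */
#define CPUID7_ECX_VAES       (1u << 9)  /* leaf 7/0, ECX: Vector AES     */
#define CPUID7_ECX_VPCLMULQDQ (1u << 10) /* leaf 7/0, ECX: vector PCLMUL  */

typedef struct {
    bool aesni;
    bool vaes;
    bool vpclmulqdq; /* used by the vectorised GHASH in AES-GCM */
} aes_caps;

/* Pure decoder over already-read register values, so it can be unit tested
 * with constructed inputs on any host. */
aes_caps decode_aes_caps(uint32_t leaf1_ecx, uint32_t leaf7_ecx) {
    aes_caps c;
    c.aesni      = (leaf1_ecx & CPUID1_ECX_AESNI) != 0;
    c.vaes       = (leaf7_ecx & CPUID7_ECX_VAES) != 0;
    c.vpclmulqdq = (leaf7_ecx & CPUID7_ECX_VPCLMULQDQ) != 0;
    return c;
}

/* The KB's hardware precondition is a processor that advertises VAES. */
bool in_affected_class(aes_caps c) { return c.vaes; }

/* Read live CPUID on x86 with GCC/Clang; elsewhere every bit reads as 0. */
aes_caps read_aes_caps(void) {
    uint32_t eax = 0, ebx = 0, ecx1 = 0, ecx7 = 0, edx = 0;
#ifdef HAVE_CPUID_INTRINSICS
    if (__get_cpuid(1, &eax, &ebx, &ecx1, &edx) == 0) ecx1 = 0;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx7, &edx) == 0) ecx7 = 0;
#endif
    (void)eax; (void)ebx; (void)edx;
    return decode_aes_caps(ecx1, ecx7);
}

int main(void) {
    aes_caps c = read_aes_caps();
    printf("AES-NI: %s  VAES: %s  VPCLMULQDQ: %s\n",
           c.aesni ? "yes" : "no", c.vaes ? "yes" : "no", c.vpclmulqdq ? "yes" : "no");
    puts(in_affected_class(c) ? "This CPU is in the VAES class named in KB5017259."
                              : "This CPU does not advertise VAES.");
    return 0;
}
```

A machine that prints "yes" for VAES should be checked for the May 24 / June 14 fixes described below before relying on BitLocker or TLS workloads.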

What seems to have happened is that Microsoft added new code paths to its SymCrypt library to take advantage of hardware acceleration on the newest processors from AMD and Intel, covering modes such as AES-XTS and AES-GCM. However, implementation errors meant that data written through these paths could contain errors, leaving it damaged, corrupted or lost.

Microsoft doesn’t mention what to do if you have already been hit by this data damage issue, but it does have fixes and workarounds ready. To prevent any (further) data damage, those using preview releases of the OS should grab the May 24 release, while users of regular Windows should grab the June 14 security update.

Microsoft admits its medicine has a bad taste. “After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release),” says Microsoft in its bulletin. Apps and workloads that use encryption will be most noticeably affected, so watch out for slowdowns in BitLocker, Transport Layer Security (TLS) (specifically load balancers), and disk throughput, especially for enterprise customers.

Those observing serious performance impacts, which may mean encryption runs at nearly half its previous speed, can install further updates. Preview users can grab the June 23 preview update, and regular Windows 11 and Windows Server 2022 users can install the July 12 security update.

If any readers have experienced data damage due to the implementation flaws described above, please share your experience in the comments.

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • dehjomz
    I know operating system design is hard. But with all the serious bugs/security flaws on windows... including now the risk for potential data loss from merely encrypting your data, how and why is Windows a paid operating system?
  • King_V
    It makes me wonder whether they somehow think it's en vogue to cut back on QA.
  • ex_bubblehead
    King_V said:
    It makes me wonder whether they somehow think it's en vogue to cut back on QA.
    Cutting back would indicate that they actually have a QA department to start with. They've been relying on the public as their QA for years now.
  • toooooot
    Oh windows 11... You are just the gift that keeps on giving.
    I am gonna make a prediction. Windows 12 will be much more polished and will lose most of the win 11 problems.
    We will check it then.
  • gdmaclew
    Windows 10 I love thee...let me count the ways.
  • Colif
    Windows 12 will be win 11 with a different UI, just as every previous version of windows has been going back to win xp.
    So don't expect miracles from it. It won't be any different. They just build on the remains of the previous each time.
    Win 11 is just win 10 with a face lift.
    win 10 is just win 8.1...
    I could go on.

    Why anyone thinks one version is better than next or previous makes me wonder.
    bitlocker in 10, maybe it gets the same patches...
  • ex_bubblehead
    Colif said:
    ...bitlocker in 10, maybe it gets the same patches...
    BitLocker in Windows 10 doesn't (currently) rely on the instructions causing the problem in Windows 11. If that gets backported then all H.E. double hockey sticks will break loose. We've got thousands of encrypted laptops here at the bank that could potentially be affected.
  • Colif
    oh, ok. I don't use it so I didn't know :)
  • ThatMouse
    How do you know if your data is damaged?
  • ex_bubblehead
    ThatMouse said:
    How do you know if your data is damaged?
    You lose ALL access to the encrypted volume/s instantaneously. There is no recovery from this other than to revert to backups.