I recently did a fresh install on my new rig with its ASUS ProArt X670E Creator WiFi board and for the life of me I'm unable to get BitLocker to stop booting into recovery mode every time I disable Secure Boot in the UEFI settings.
My older rig with its ASUS PRIME TRX40 Pro-S, currently running Win11 Pro 23H2, has BitLocker working just fine with Secure Boot disabled in the UEFI.
Now I don't recall whether I installed the older OS after modifying it via Rufus to make Secure Boot optional (I didn't do this for the new install), so I wanted to check whether anyone here knows why I'm seeing this difference in behaviour.
I swear I read online that Secure Boot is optional for BitLocker, so I'm wondering whether Win11 Pro 24H2 has changed the requirement, or there's some issue with my new mobo's UEFI settings, or it's some other PEBKAC thing.
It is… but you are violating the secure environment by disabling Secure Boot and thus triggering it:
The point of BitLocker is to encrypt the drive when someone attempts to access from an untrusted computer.
If I take the drive from you, plug it into my machine and then access the drive without entering an unlock key, why use it at all beyond the performance loss?
That’s what you are doing when disabling Secure Boot.
Hey!
I respectfully (kinda) disagree… yes, disabling Secure Boot violates the secure environment, but you still have your drive contents encrypted if your machine is, say, lost or stolen, hence the setting being optional.
Side note: the reason I disable Secure Boot is that I multi-boot various Linux installations and am already facing boot issues, which I need to look into to see whether I can work around them. But this is beside the point of my question, which is whether anyone knows if this is an issue with my mobo's UEFI settings, the new Win11 Pro 24H2 release, or something I'm doing wrong.
Cheers!
It is working exactly as designed.
If you want to use it the way you describe, then reinstall with Secure Boot disabled.
The correct way to do what you want is simply to enroll the boot keys for each installation onto the TPM.
Ah! Maybe that's it! I should have left Secure Boot disabled at the time of installation? Is there any way to get Windows to change its stubborn mind? Some setting somewhere, like in the Registry?
And yup, I've had to enroll the key for at least the Ventoy tool (ventoy.net) to get it to work.
I will likely need to do the same to get my openSUSE Tumbleweed install to boot too.
Thankfully my preferred distros, the Ubuntu-based elementary OS and KDE neon, don't complain.
Thanks!
Not that I am aware of, nor would I recommend…
I do know you need to install 23H2 and then upgrade in place to 24H2 using the modified .wim declaring Windows Server on unsupported hardware (the flag is set when installed with Secure Boot disabled), unless someone figured out a workaround in the last week.
Just for reference:
Seems like disabling the TPM PCR 4 (platform configuration register for the boot manager) option in the Group Policy Editor resolved this issue. Fingers crossed.
It's located in Group Policy Editor → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → configure TPM for UEFI.
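Before and after flipping that policy it is worth seeing what the TPM protector is actually sealed against. The script below is an added example, not code from anyone in this thread. It assumes the OS volume is C:, that it runs in an elevated PowerShell on Windows 11, and that the policy named above stores its per-PCR checkboxes as DWORD values "0".."23" under `HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` (my reading of the VolumeEncryption ADMX; verify on your own machine). It reports the Secure Boot state, the PCR validation profile of the current TPM protector as printed by `manage-bde`, and the profile the policy requests, and it flags the two bindings that explain the recovery prompts: PCR 7 measures the Secure Boot state, so a 7/11 profile is invalidated the moment Secure Boot is switched off, and PCR 4 measures the boot manager, so it changes whenever shim/GRUB or Ventoy runs first. `Reset-TpmProtector` re-creates the TPM protector so a changed profile is actually used.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: OS volume is C:, elevated
# PowerShell on Windows 11, and the GPO "Configure TPM platform validation
# profile for native UEFI firmware configurations" writes to the FVE key below.
$OsDrive = 'C:'

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS or if the UEFI variable is unreadable.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { "Unknown ($($_.Exception.Message))" }
}

function Get-TpmPcrProfile {
    # manage-bde prints the PCR list on the line after "PCR Validation Profile:".
    # Returns the PCR indices as integers, or an empty array if no TPM protector exists.
    param([string[]]$ManageBdeLines)
    for ($i = 0; $i -lt $ManageBdeLines.Count - 1; $i++) {
        if ($ManageBdeLines[$i] -match 'PCR Validation Profile:') {
            return @($ManageBdeLines[$i + 1] -split '[,\s]+' |
                     Where-Object { $_ -match '^\d+$' } |
                     ForEach-Object { [int]$_ })
        }
    }
    return @()
}

function Get-PolicyPcrProfile {
    # Assumed layout (from the ADMX): DWORD values named "0".."23", 1 = PCR selected.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $null }   # policy not configured, defaults apply
    $props = Get-ItemProperty -Path $key
    @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
        ForEach-Object { [int]$_.Name } | Sort-Object)
}

function Reset-TpmProtector {
    # A changed validation profile is only used by a freshly sealed TPM protector,
    # so drop and re-add it. Print the recovery password first: if the re-add
    # fails, that password is the only way back into the volume at next boot.
    & manage-bde -protectors -get $OsDrive -type RecoveryPassword
    & manage-bde -protectors -delete $OsDrive -type TPM
    & manage-bde -protectors -add $OsDrive -tpm
    & manage-bde -protectors -get $OsDrive -type TPM
}

# --- report ------------------------------------------------------------------
$pcrs = Get-TpmPcrProfile (& manage-bde -protectors -get $OsDrive)
"Secure Boot        : $(Get-SecureBootState)"
"TPM protector PCRs : $(if ($pcrs) { $pcrs -join ', ' } else { 'no TPM protector found' })"
$policy = Get-PolicyPcrProfile
"Policy PCR profile : $(if ($null -eq $policy) { 'not configured (defaults apply)' } else { $policy -join ', ' })"

if ($pcrs -contains 7)  { 'PCR 7 bound: turning Secure Boot off changes PCR 7 and forces recovery.' }
if ($pcrs -contains 4)  { 'PCR 4 bound: booting via shim/GRUB or Ventoy first changes PCR 4 and forces recovery.' }
if ($pcrs -and -not ($pcrs -contains 11)) { 'PCR 11 missing: BitLocker requires PCR 11 in every profile.' }

# After changing the policy, uncomment, run, then re-run this report to confirm the new profile:
# Reset-TpmProtector
```

Two practical notes. With Secure Boot on, Windows normally seals to PCR 7 and 11; with it off, the default falls back to 0, 2, 4 and 11, which is why the boot manager (PCR 4) starts to matter the moment you multi-boot. And whenever you are about to change a firmware setting or a bootloader, `Suspend-BitLocker -MountPoint 'C:' -RebootCount 1` first lets the next boot reseal against the new measurements instead of dropping into recovery.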
Edit: I just read your last message; that makes a lot of sense, since Windows had Secure Boot available to begin with to enforce BitLocker and the TPM. My suggestions may work if you still want to use the TPM but not Secure Boot. Glad to see that you have it sorted out!
I thought Secure Boot was just to ensure that the boot is signed. I don't think it has anything to do with BitLocker itself. I think the config sequence is already stuck. Since you already installed Windows with Secure Boot as part of your config, I would:
- Remove/Deactivate Bitlocker (only temporarily) for your drive(s)
- Disable Secure Boot at a UEFI/BIOS level
- Reinstall Windows with the setup flag "/product server". (I have a development VM without it and it works well; however, I had to reinstall programs, YMMV.)
- Once that's done, reactivate/enable BitLocker on your drive(s).
The "/product server" flag still works!
Yup, disabling TPM PCR 4 doesn't disable the entire TPM, which is required for BitLocker.
Yeah, I see now: a PCR is a specific register, and one use of the TPM for securing the system. More on that here: Understand PCR banks on TPM 2.0 devices | Microsoft Learn