Windows 10: Enabling Bitlocker with UEFI Secure Boot enabled renders the device unbootable

Hi all,

Wondering if some of you may be able to shed some light on this. We've been enabling Bitlocker on some client machines, but have been finding that with this enabled, and the device rebooted, the device can no longer see the bootable device, so gets stuck in the BIOS. The only work around we have at the moment is to disable secure boot.

All machines have a TPM chip, and pass the checks. And I am under the impression that Secure Boot should be absolutely fine with Bitlocker encryption. So what gives?

submitted by /u/Razgriz-375
[link] [comments]

:)

 

UEFI Admin Password needed if BitLocker is enabled?

Just a quick question. I have enabled BitLocker with TPM-Only protector and was just wondering if I need to set an Admin BIOS/UEFI password to prevent someone from changing the UEFI settings. I also have Secure Boot enabled as well along with the following BitLocker protection policies below.

In my UEFI boot settings, I have Windows Boot Mannager and then my Internal HDD as the boot order.
Boot from external media is enabled, because I tend to reinstall Windows from my Windows 10 bootable USB flash drive.

With all these below BitLocker settings and policies, do I really need to set an Admin or Supervisor password to prevent an attacker from changing the UEFI settings in case the laptop gets stolen?

My current BitLocker protection settings from the Windows 10 v1803 Security Baseline.

Disable new DMA devices when this computer is locked:
Enabled

Allow Secure Boot for integrity validation:
Enabled



https://support.microsoft.com/en-us/...-reduce-1394-d

Prevent installation of devices that match any of these device IDs
PCI\CC_0C0A

Prevent installation of devices using drivers for these device setup classes:
{d48179be-ec20-11d1-b6b8-00c04fa372a7}

 

Bitlocker vague error message enabling on boot drive

Trying to enable bitlocker on my boot drive:

I have a TPM chip installed and cleared and in the TPM MMC console this shows as ready for use

I have UEFI boot enabled and confirm that msinfo32 shows boot mode as UEFI

I have GPT Partition on my boot disk (I did have to convert this using the mbr2gpt utility)

When I try to enable bitlocker on c: drive it comes back with very unhelpful error "The data is invalid" after doing some checks.

When I try to enable I see in the event log event ID811 from source Bitlocker-API

"BitLocker cannot use Secure Boot for integrity because the required UEFI variable 'PK' is not present."

Any ideas here? This is Windows 10 1709 build

Thanks

 

UEFI bios enabled but no secure boot on windows 10?


I would go with what is showing in the Bios. If it says that the secure boot keys are loaded then it is on. I'm running the insider build and under System info it says secure boot is unsupported, but it is on and the keys are loaded in my UEFI BIOS. I think this is what the OP is saying. The only other thing that came to mind is if bitlocker was confused with secure boot, they are totally different. To check system info WIN + R type msinfo32 , hit OK.

This is a partial listing.