Windows 10: How to enable BitLocker when booting from another boot manager?

I have ThinkPad P1 Gen 3 laptop and I dual boot Linux and Windows 10. For that I want to use a boot manager that supports booting both OS-es (Windows Boot Manager doesn't support that). I also want to have Secure Boot on and have my Windows partition encrypted using BitLocker. The problem I have is that when I boot Windows using another boot manager (I tried both rEFInd and systemd-boot) BitLocker support is disabled. I see that the reason for this is PCR7 binding not working - System Information says: PCR7 Configuration: Binding Not Possible Device Encryption Support: Reasons for failed automatic device encryption: PCR7 binding is not supported; Un-allowed DMA capable bus/device(s) detected When I boot Windows directly from UEFI (UEFI -> Windows Boot Manager) instead of using a third-party boot manager (UEFI -> Another boot manager -> Windows Boot Manager) I don't have those problems and BitLocker support works fine. I'm not a Windows expert and I don't know neither what PCR7 nor TPM is. I cannot find any resources on the internet that would explain how those things work nor how to fix the problem, so I came here. Can someone explain me what's the problem here? Why Windows cannot establish this PCR7 binding when I boot it using another boot manager? Can I somehow fix that?

:)

 

Bitlocker vague error message enabling on boot drive

Trying to enable bitlocker on my boot drive:

I have a TPM chip installed and cleared and in the TPM MMC console this shows as ready for use

I have UEFI boot enabled and confirm that msinfo32 shows boot mode as UEFI

I have GPT Partition on my boot disk (I did have to convert this using the mbr2gpt utility)

When I try to enable bitlocker on c: drive it comes back with very unhelpful error "The data is invalid" after doing some checks.

When I try to enable I see in the event log event ID811 from source Bitlocker-API

"BitLocker cannot use Secure Boot for integrity because the required UEFI variable 'PK' is not present."

Any ideas here? This is Windows 10 1709 build

Thanks

 

Preparing Automatic repair on boot when bitlocker is enabled

Hello, I'm having trouble getting bitlocker to work on my new drive.

The drive is Intel pro 6000p, which is a self encrypting drive. I have eDrive enabled and did a fresh windows install on it.

I then enabled bitlocker with a password, so to integrate with the self encrypting feature. I could confirm bitlocker was enabled by entering "manage-bde -status", which reported hardware encryption and protection on.

But after that, whenever I boot it just go straight into "Preparing Automatic Repair", then follow by enter Bitlocker recovery key screen. No prompt for a password.

I tried repairing it with the Windows media and the correct recovery key, but automatic repair was not successful.

I was able to get back into Windows, by unlocking the drive in advanced option-->command prompt, using "manage-bde -unlock C: -pw". The system seems fine so I don't think there is a corruption in file. After disabling bitlocker in control panel (or
via command prompt) the system boots normal again.

Note: Fast boot is OFF, CSM is OFF, secure boot is ON, no other drive is present.

Please I need your help. I did everything clean and tidy, I just want it to work!

 

Windows boot manager

There could be some system conflict triggered after the said changes. To help you with your concern, we suggest that you perform a clean boot. A
clean boot is performed to start Windows by using a minimal set of drivers and startup programs. This will help to determine what is causing the issue on the Windows boot manager. To do this, click on this
link and scroll down to the
How to determine what is causing the problem by performing a clean boot section then follow the steps listed..

Note: If the installation is successful and the issue has been resolved. Please go through the section “How to reset the computer to start as usual” to reset your computer to the normal startup.

Let us know how it goes after performing the suggested steps.