Windows 10: Secure Boot and Bitlocker

Discuss and support Secure Boot and Bitlocker in AntiVirus, Firewalls and System Security to solve the problem; If I have BitLocker enabled on my system, do I have to enable Secure Boot as well? If BitLocker is enabled, does that mean I must enable Secure... Discussion in 'AntiVirus, Firewalls and System Security' started by win10freak, Aug 9, 2017.

  1. Secure Boot and Bitlocker


    If I have BitLocker enabled on my system, do I have to enable Secure Boot as well?

    If BitLocker is enabled, does that mean I must enable Secure Boot?

    Or, can I just leave Secure Boot disabled?

    :)
     
    win10freak, Aug 9, 2017
    #1

  2. bitlocker

    I have a T100 TAF Transformer notebook. I lost my recovery drive, and the 32 GB hard drive has Secure Boot enabled with BitLocker. When I remove Secure Boot, on restart it asks me for a BitLocker key which I don't have.
     
    twomilepost, Aug 9, 2017
    #2
  3. Bitlocker Secure Boot unavailable.

    Hi,

    Your issue with BitLocker is more complex than what is usually handled here in the Answers forum. We recommend posting your issue on the TechNet forum to get better assistance from IT Professionals.

    You could also try checking this link to read some BitLocker frequently asked questions (FAQ).

    Regards.
     
    Nathaniel Mon, Aug 9, 2017
    #3
  4. lx07 Win User

    Secure Boot and Bitlocker

    You don't need secure boot. You can have it on or off as you wish.

    If you change the Secure Boot setting (on to off or vice versa) by fiddling with the BIOS settings, though, it will trigger a change that requires your whole 48-digit BitLocker key to be entered, so if you want to change it, suspend BitLocker and then restart (so you can make your BIOS change).

    You need to do the same "suspend BitLocker/reboot" cycle for any other BIOS change that impacts boot.
     
    lx07, Aug 9, 2017
    #4
  5. So it's always best to enable Secure Boot BEFORE turning ON BitLocker?

    Thanks for the quick response.
     
    win10freak, Aug 9, 2017
    #5
  6. lx07 Win User
    Doesn't matter either way.

    I leave it off as I like to boot from USB sometimes so I don't like secure boot.

    The only thing to consider is that if you want to change it (either from "on to off" or "off to on"), then you'll need to suspend BitLocker before you do, or BitLocker will prompt you for a recovery key because it saw a change in the boot setup.

    Once bitlocker is running it will be OK until you change something (change a BIOS setting, try to boot from a different disk etc).
     
    lx07, Aug 9, 2017
    #6
  7. One more final question which may be a bit off topic.

    Since my system is fully encrypted with BitLocker, would it be fine to leave the UEFI firmware password as not set or disabled? Do I really need to set a UEFI password even if my system is fully encrypted?
     
    win10freak, Aug 9, 2017
    #7
  8. DavidY Win User

    Secure Boot and Bitlocker

    Just a note that for devices which are using Device Encryption (which isn't the same as Bitlocker but uses the same underlying technology), I believe you do need to have Secure Boot enabled.
    Device Encryption is available on all versions of Windows 10, even W10 Home (which doesn't support Bitlocker), as long as the hardware supports certain requirements - for instance, I believe the system drive must be on a 'non-rotational disk' (e.g. an SSD).
     
    DavidY, Aug 9, 2017
    #8
  9. So you're saying I need to have Secure Boot enabled with BitLocker as well?

    By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    What about UEFI password?
     
    win10freak, Aug 9, 2017
    #9
  10. DavidY Win User
    Not if you have Windows 10 Pro or one of the other versions where Bitlocker is a feature. Bitlocker itself works fine without Secure Boot. It's only the Device Encryption which seems to need Secure Boot.
    If you were going to change anything significant such as Secure Boot status, then yes I would suspend it. It's safer to suspend it than find it asking for a recovery key because you didn't. I would make sure you know that recovery key in any case though.

    I don't think it's required. Personally I wouldn't set it but that's just me.
     
    DavidY, Aug 9, 2017
    #10
  11. By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    I have the recovery key on a USB stick so that way I can just insert it and BitLocker will automatically unlock the drive.

    Here is the reason why....
    BitLocker Frequently Asked Questions (FAQ)

    Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match, and the clear key is erased.
     
    win10freak, Aug 9, 2017
    #11
  12. lx07 Win User
    You don't have to suspend bitlocker protection if you are planning a change to your BIOS - certainly you can enter the recovery key. Indeed if you don't suspend it you will be asked for the key and I know for sure that it works as sometimes I forget to suspend it.

    The thing is that if you change a setting in your BIOS then your TPM (or USB) will not auto-unlock it, so you will be forced to manually type in the full recovery key. This is the really long one you see in red here, from the file you get when you save it:

    Code:
    BitLocker Drive Encryption recovery key

    To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

    Identifier:

    7F907225-EA35-48A1-AC2E-BCC2C8B54524

    If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

    Recovery Key:

    534787-075230-603179-334334-685311-285032-169356-608751

    If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive. Try another recovery key, or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.
    If you are planning to reboot to change some BIOS option it just makes life easier to suspend bitlocker as you don't have to type in this long number - after reboot the key is again protected.

    If you suspend bitlocker through the GUI (like in option 1 in the link below) it will be enabled after the next reboot so you can suspend it, make your change and it is automatically enabled (and the key no longer stored in clear).

    Incidentally, you can also use powershell as described in option 4 of the link below to ask the system to not re-enable protection for an arbitrary number of reboots.

    For example, Suspend-BitLocker -MountPoint "C:" -RebootCount 5 will not resume protection for 5 reboots. I honestly can't imagine a situation where you would want to do that, but you could do it I guess.

    Suspend or Resume BitLocker Protection for Drive in Windows 10 (Windows 10 Security System Tutorials)
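One way to script the "check, suspend for one reboot, change the firmware setting, verify" cycle that lx07 describes in posts #4, #6 and #12, as an added PowerShell example that is not from the thread or from Microsoft; it assumes the OS volume is C: and that the BitLocker and SecureBoot modules that ship with Windows 10 are available. Run it elevated: first with -Phase Before, then after the reboot with -Phase After.

```powershell
param(
    [ValidateSet('Before', 'After')] [string] $Phase = 'Before',
    [string] $MountPoint = 'C:'          # assumption: the OS volume is C:
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($Phase -eq 'Before') {
    # 1. Never suspend a volume you cannot recover: refuse unless protection is
    #    actually On and a RecoveryPassword protector (the 48-digit key) exists.
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not On for $MountPoint (status: $($vol.ProtectionStatus))"
    }
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw 'No RecoveryPassword protector found; add one before touching firmware settings'
    }
    Write-Host "Recovery protector ID(s): $($recovery.KeyProtectorId -join ', ')"
    Write-Host 'Check that the matching 48-digit password is saved somewhere off this disk.'

    # 2. Record the current Secure Boot state so the change can be verified later.
    #    Confirm-SecureBootUEFI throws on legacy BIOS machines, hence the try/catch.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = 'unavailable (not UEFI?)' }
    Write-Host "Secure Boot before the firmware change: $sb"

    # 3. Suspend for exactly one reboot. While suspended, the volume master key is
    #    protected only by a clear key on disk (see the FAQ quoted above), so keep
    #    RebootCount at 1: protection resumes automatically after the next boot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    $now = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    Write-Host "Protection status now: $now (expected Off). Reboot and change the setting."
}
else {
    # After the reboot: confirm the TPM resealed and protection is back On.
    # If it is still Off (e.g. RebootCount was set higher), resume explicitly so
    # the clear key is erased rather than left on disk.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection still $($vol.ProtectionStatus); resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = 'unavailable (not UEFI?)' }
    Write-Host "Secure Boot after the firmware change: $sb"
    Write-Host "Protection status: $((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus)"
}
```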
     