Windows Bitlocker + Win11 Pro 24H2 edition = Secure Boot is mandatory???

vishalrao

Global Moral Police
Level J
I recently did a fresh install on my new rig with its ASUS ProArt X670E Creator Wifi board and for the life of me I'm unable to get Bitlocker to not keep booting into recovery mode every time I disable secure boot in the UEFI settings.

My older rig with its ASUS PRIME TRX40 Pro-S and currently running Win11 Pro 23H2 edition has Bitlocker working just fine with secure boot disabled in the UEFI.

Now I don't recall if I installed the older OS after modifying it via Rufus to make secure boot optional (I didn't do this for the new install), so I wanted to check whether anyone here knows why I'm facing this difference in behaviour.

I swear I read online that secure boot is optional for Bitlocker, so I'm wondering whether Win11 Pro 24H2 has changed the requirement, or there's some issue with my new mobo UEFI settings, or some other PEBKAC thing.
 
Damn, that's an expensive board!

Yeah, it's a middle-ground option... my preferred choice, a cheaper ASUS PRIME PRO variant, wasn't available - and the latest X870E variant with fancy stuff like WiFi 7 (320 MHz channel width and MLO etc.) was even more expensive and also risky for Linux compatibility (wifi definitely doesn't work currently). At least this mobo supposedly has better quality components (caps, VRMs etc.) and Linux (even the older Ubuntu 24.04 LTS based kernel 6.8) is working flawlessly on it. Didn't bother looking at MSI/Gigabyte either - didn't want to risk Linux issues mainly.

OK, an interesting comment from someone on another forum - maybe I should have had the secure boot option disabled BEFORE (during) installation of Win11 Pro 24H2 so that it would work without issues.

Now I can reformat everything and reinstall to see whether this is true or not, but before I proceed to do that, does anyone know of a way to fix this issue via a Windows setting, like maybe in the Registry or something like that?
 
I don't use BitLocker encryption and just installed Windows 11 while disabling the usual stuff (like secure boot etc.), using an autounattend.xml file that can be configured to our needs from this website: https://schneegans.de/windows/unattend-generator/

If you don't want to do it fresh, check out this popular utility to see if it has any such option. I have not used it yet. https://github.com/ChrisTitusTech/winutil

BTW, just out of curiosity, do you require BitLocker encryption for work purposes?
 
Yep, for office work.

Just for reference:

Seems like disabling the TPM PCR 4 (platform configuration register for the boot manager) option in the Group Policy Editor resolved this issue - fingers crossed.

Located in Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> OS Drives -> config TPM for UEFI.
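Before touching the firmware setting, it helps to see exactly what BitLocker is sealed to. The following PowerShell script is an added example (my own, not posted in this thread): from an elevated prompt it reports the firmware Secure Boot state, the PCR validation profile of each TPM protector on the OS volume, whether the Group Policy setting above has replaced the default profile, and can suspend BitLocker for one reboot so a deliberate Secure Boot change reseals the key instead of ending in recovery. The policy registry path `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` is assumed from the policy's name; adjust it if your ADMX differs.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Shows why BitLocker may demand recovery after a Secure Boot change and can
# suspend protection for one reboot around a planned firmware change.
param(
    [string]$MountPoint = 'C:',
    [switch]$SuspendForNextReboot
)

# 1. Secure Boot state as the UEFI firmware reports it (throws on legacy BIOS).
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'n/a (legacy BIOS or not elevated)' }
Write-Host "Secure Boot enabled     : $secureBoot"

# 2. BitLocker status and key protector types for the OS volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume status           : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
$vol.KeyProtector | ForEach-Object { Write-Host "Key protector           : $($_.KeyProtectorType)" }

# 3. The PCR validation profile the TPM protector is sealed to. With Secure Boot on,
#    BitLocker defaults to PCR 7 + 11; with it off, PCR 0, 2, 4 and 11. Any change
#    in the measured values or the profile forces recovery until the key is resealed.
& manage-bde.exe -protectors -get $MountPoint |
    Select-String -Pattern 'PCR Validation Profile' -Context 0, 2 |
    ForEach-Object {
        Write-Host "PCR validation profile  :"
        $_.Context.PostContext | ForEach-Object { Write-Host "    $($_.Trim())" }
    }

# 4. Whether the Group Policy setting from this thread overrides the default profile.
#    Assumed key: the policy's location under the BitLocker (FVE) policy hive.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
if (Test-Path $policyKey) {
    Write-Host "Custom UEFI PCR profile : set"
    Get-ItemProperty -Path $policyKey | Select-Object -Property PCR* | Format-List
} else {
    Write-Host "Custom UEFI PCR profile : not set (default profile applies)"
}

# 5. Optional: suspend BitLocker for exactly one reboot. BitLocker boots with a
#    clear key once, reseals the TPM protector to the new PCR values and re-arms
#    itself, so a deliberate Secure Boot change does not end in recovery mode.
if ($SuspendForNextReboot -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "Protection suspended for one reboot; change the firmware setting and reboot now."
}
```

Keep the recovery key at hand regardless: if the firmware change alters more than the profile expects, the one-reboot suspension is the only thing standing between you and the recovery prompt.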
 