Checklist
I performed a search in the issue tracker for similar issues using keywords relevant to my problem, such as the error message I got from the log.
N/A I clicked the 'Log' button (🗒️) or pressed Ctrl-L in Rufus, or used DebugView, and copy/pasted the log into the section that says <FULL LOG> below.
N/A The log I am copying is the FULL log, starting with the line Rufus version: x.y.z - I have NOT removed any part of it.
Issue description
Documentation improvement required for Windows 11 Secure Boot preinstalled laptops. While the current documentation provides reasoning, it does not specifically document keywords and clear instructions on the options for an end-user.
Cite issue #2137, which provides some context on the current state of laptops preinstalled with Windows 11, notably the Microsoft Surface series. However, this appears to be a growing trend, and while it is not possible to cover all personal computing vendors, an effort should be made to provide clear information to end-users.
Initial draft of suggested documentation
Unfortunately, Microsoft has determined multiple tiers of the "Universal" UEFI Secure Boot Specification, which has an impact across many personal computing vendors.
The UEFI Boot Configuration of many vendors will show a similar list of options to the following:
1. Microsoft Windows only
2. Microsoft UEFI Certification Authority (including 3rd Party CA)
3. None
Examples such as Samsung Galaxy Book2/3 Pro devices provide Secure Boot Control on/off and a separate selection for Secure Boot Certificate Keyset. These examples are infrequently documented and will vary for each device (even for devices using common firmware from American Megatrends International), and only screenshots of these devices will show what terms are used. However, the list is explicitly shown in Microsoft Surface documentation: https://learn.microsoft.com/en-us/surface/manage-surface-uefi-settings#uefi-security-page
For Hyper-V hypervisor Virtual Machines, this is similar with the addition of 'Linux Shielded VM Template', as seen in Hyper-V documentation: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager
For end-users with new devices seeking to use Windows 11 BitLocker (described on Windows 11 Home edition as 'Device Encryption'), the latest BitLocker encryption requires TPM 2.0, which requires Secure Boot to be enabled. Therefore, if an end-user wishes to encrypt their data, Secure Boot must be enabled, and this may stop boot of any OS installation created using Rufus.
If the device is new with no data and not yet encrypted, it is recommended to first perform UEFI Configuration and select the option that does not limit the device to only Microsoft Windows (such as Option 2 above, but the description may differ for each vendor).
If the device has already been encrypted, it is recommended to check and save the BitLocker Recovery Key before taking any action. There are various options available here, and it is likely the BitLocker Recovery Key is also synchronised to a Microsoft Account if the laptop is not using a Local Account only. Expect to enter the BitLocker Recovery Key after changing the Secure Boot configuration. For more information, please see: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6
As Rufus 3.17 or later uses a Secure Boot signed UEFI:NTFS, any OS created should now boot with the device, and Windows 11 should now boot with BitLocker encryption.
Please refer to the Rufus FAQ "Why do I need to disable Secure Boot to use UEFI:NTFS?", which describes the history of Rufus and Secure Boot.
For reference purposes, example images are shown below.
Samsung Galaxy Book3 Pro: (screenshot)
Microsoft Surface Book: (screenshot)
Hyper-V: (screenshot)
It appears Dell has yet another variation on the Secure Boot settings (although it appears Dell devices may have the CA enabled by default, or at least the device this screenshot came from had it enabled out of the box).
With Dell devices, there is another (minor) thing I ran into which may hinder an attempt to reinstall Windows (this is technically not a Secure Boot issue, but could prevent the internal drive from being detected by the installer): Dell devices seem to have RAID enabled out of the box, even for devices with just a single SSD.
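The check-and-save steps from the issue body (find out which Microsoft CA the firmware currently trusts, confirm the TPM and BitLocker state, save the recovery key before touching the Secure Boot configuration) and the Hyper-V template selection, as one PowerShell script. This is an example added here by the editor, not code from the Rufus project or from the issue author. It assumes an elevated session on the affected Windows 11 machine with the OS volume at C:, and, for the last function, a Hyper-V host with the Hyper-V PowerShell module. The CA names it searches for in the Secure Boot db are Microsoft's 2011 and 2023 signing CAs; the function and file names are the editor's own.

```powershell
# Added example (not part of Rufus or of the issue text): pre-flight checks before
# changing the Secure Boot CA selection on a Windows 11 laptop, plus the Hyper-V
# equivalent. Assumes an elevated session and that the OS volume is C:.
#Requires -RunAsAdministrator

# CA subject names as they appear, in printable ASCII, inside the DER certificates
# held in the Secure Boot 'db' variable. The 2023 names are Microsoft's
# replacement CAs; the match is on the common-name substring only.
$script:WindowsOnlyCAs = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023')
$script:ThirdPartyCAs  = @('Microsoft Corporation UEFI CA 2011', 'Microsoft UEFI CA 2023')

function Get-SecureBootCaState {
    # Confirm-SecureBootUEFI throws on a legacy BIOS boot; report that as $null.
    $enabled = $null
    try { $enabled = Confirm-SecureBootUEFI } catch { }

    # 'db' is a chain of EFI_SIGNATURE_LISTs of DER X.509 certificates. A substring
    # search over the raw bytes is enough to see which CAs are enrolled, which is
    # what the vendor's "Windows only" vs "3rd party CA" option actually toggles.
    $dbText = ''
    try {
        $db = Get-SecureBootUEFI -Name db
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    } catch { }

    $windowsCa = @($script:WindowsOnlyCAs | Where-Object { $dbText.Contains($_) })
    $thirdCa   = @($script:ThirdPartyCAs  | Where-Object { $dbText.Contains($_) })

    [pscustomobject]@{
        SecureBootEnabled        = $enabled
        WindowsCAsEnrolled       = $windowsCa   # signs the Windows boot manager only
        ThirdPartyCAsEnrolled    = $thirdCa     # signs shim, UEFI:NTFS and other 3rd-party loaders
        # Third-party signed loaders are accepted when Secure Boot is off or the 3rd-party CA is in db.
        ThirdPartyLoadersAllowed = ($enabled -ne $true) -or ($thirdCa.Count -gt 0)
    }
}

function Get-BitLockerPreflight {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # TPM 2.0 reports SpecVersion "2.0, ..." in the Win32_Tpm class.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = if ($tpm) { $tpm.SpecVersion } else { 'no TPM' }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint           = $MountPoint
        VolumeStatus         = $vol.VolumeStatus      # FullyEncrypted / FullyDecrypted / ...
        ProtectionStatus     = $vol.ProtectionStatus  # On / Off
        TpmSpecVersion       = $specVersion
        RecoveryProtectorIds = @($recovery | ForEach-Object { $_.KeyProtectorId })
    }
}

function Save-BitLockerRecoveryBeforeFirmwareChange {
    param(
        [string]$MountPoint = 'C:',
        [string]$OutFile = (Join-Path $env:USERPROFILE "bitlocker-recovery-$env:COMPUTERNAME.txt")
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "BitLocker protection is not on for ${MountPoint}; no key to save."
        return $null
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # A volume protected only by the TPM has no 48-digit recovery password to type
        # at the recovery prompt; add one before the PCR7 (Secure Boot) measurement changes.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    # Write the key(s) to a file that must be moved OFF this disk (USB stick, printout)
    # before the firmware change; otherwise it is locked inside the volume it unlocks.
    $recovery | ForEach-Object { '{0} {1}' -f $_.KeyProtectorId, $_.RecoveryPassword } |
        Set-Content -Path $OutFile
    # On an Entra ID (Azure AD) joined device, also escrow the key to the tenant.
    foreach ($kp in $recovery) {
        try { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        catch { Write-Warning "Cloud escrow not available for $($kp.KeyProtectorId): $_" }
    }
    # Suspending for one reboot re-seals the key to the new Secure Boot state on the
    # next boot instead of forcing the recovery prompt the issue tells users to expect.
    # Protection resumes automatically after that reboot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    return $OutFile
}

function Set-VMSecureBootForThirdPartyLoaders {
    # Hyper-V Generation 2 equivalent of the vendor "Microsoft UEFI Certification
    # Authority" option. 'MicrosoftWindows' is the "Windows only" template and
    # 'OpenSourceShieldedVM' the Linux shielded VM one. The VM must be powered off.
    param([Parameter(Mandatory)][string]$VMName)
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftUEFICertificateAuthority'
    $fw = Get-VMFirmware -VMName $VMName
    [pscustomobject]@{ VMName = $VMName; SecureBoot = $fw.SecureBoot; Template = $fw.SecureBootTemplate }
}

# Usage on the affected laptop (elevated), in this order:
#   Get-SecureBootCaState
#   Get-BitLockerPreflight
#   Save-BitLockerRecoveryBeforeFirmwareChange   # then move the file off the machine
# Reboot into the firmware, pick the CA option, boot Windows once, then the Rufus media.
```

The db substring match is deliberately crude: it answers the one question that matters here (is a Microsoft third-party CA enrolled at all) without an ASN.1 parser, and it does not inspect dbx, so a loader revoked there will still be refused by the firmware. The suspend step is the practitioner's alternative to typing the recovery key after the firmware change; the saved file is still needed in case the firmware change does not take or the TPM is cleared.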