Doc: Windows 11 Secure Boot preinstalled laptops #2474

Open
2 tasks done
rb0022 opened this issue May 6, 2024 · 1 comment
rb0022 commented May 6, 2024

Checklist

  • I looked at https://github.com/pbatard/rufus/wiki/FAQ to see if my question has already been answered.
  • I performed a search in the issue tracker for similar issues using keywords relevant to my problem, such as the error message I got from the log.
  • N/A I clicked the 'Log' button (🗒️) or pressed Ctrl-L in Rufus, or used DebugView, and copy/pasted the log into the section that says <FULL LOG> below.
  • N/A The log I am copying is the FULL log, starting with the line Rufus version: x.y.z - I have NOT removed any part of it.

Issue description

Documentation improvement required for Windows 11 Secure Boot preinstalled laptops. While the current documentation provides reasoning, it does not specifically document keywords and clear instructions on the options for an end-user.

Cite issue #2137 which provides some context on the current state of laptops preinstalled with Windows 11, notably the Microsoft Surface series. However, this appears to be a growing trend, and while it is not possible to cover all personal computing vendors - an effort should be made to provide clear information to end-users.

Initial draft of suggested documentation

Unfortunately, Microsoft has determined multiple tiers of the "Universal" UEFI Secure Boot Specification which has an impact across many personal computing vendors.

The UEFI Boot Configuration of many vendors will show a similar list of options to the following:

  1. Microsoft Windows only
  2. Microsoft UEFI Certification Authority (including 3rd Party CA)
  3. None

Examples such as Samsung Galaxy Book2/3 Pro devices provide Secure Boot Control on/off and a separate selection for Secure Boot Certificate Keyset. These examples are infrequently documented and will vary for each device (even for devices using common firmware from American Megatrends International), and only screenshots of these devices will show what terms are used. However, the list is explicitly shown in Microsoft Surface documentation:
https://learn.microsoft.com/en-us/surface/manage-surface-uefi-settings#uefi-security-page

For Hyper-V hypervisor Virtual Machines, this is similar with the addition of 'Linux Shielded VM Template', as seen in Hyper-V documentation:
https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager

For end-users with new devices seeking to use Windows 11 BitLocker (described on Windows 11 Home edition as 'Device Encryption'), the latest BitLocker encryption requires TPM 2.0 which requires Secure Boot to be enabled. Therefore if an end-user wishes to encrypt their data, Secure Boot must be enabled and this may stop boot of any OS installation created using Rufus.

If the device is new with no data and not yet encrypted, it is recommended to first perform UEFI Configuration and select the option that does not limit the device to only Microsoft Windows (such as Option 2 above, but the description may differ for each vendor).

If the device has already been encrypted, it is recommended to check and save the BitLocker Recovery Key before taking any action. There are various options available here, and it is likely the BitLocker Recovery Key is also synchronised to a Microsoft Account if the laptop is not using a Local Account only. Expect to enter the BitLocker Recovery Key after changing the Secure Boot configuration. For more information, please see:
https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

As Rufus 3.17 or later uses UEFI:NTFS with Secure Boot signed, any OS created should now boot with the device and Windows 11 should now boot with BitLocker encryption.

Please refer to Rufus FAQ "Why do I need to disable Secure Boot to use UEFI:NTFS?" which describes the history of Rufus and Secure Boot.

For reference purposes, example images are shown below.

Samsung Galaxy Book3 Pro: [screenshot: 20230204＿214412]

Microsoft Surface Book: [screenshot: manage-surface-uefi-fig3]

Hyper-V: [screenshot: secure_boot_ubuntu]

@pineapple63 commented

It appears Dell has yet another variation on the Secure Boot settings (although it appears Dell devices may have the CA enabled by default, or at least the device this screenshot came from had it enabled out of the box).

[screenshot: IMG_0234]

With Dell devices, there is another (minor) thing I ran into which may hinder an attempt to reinstall Windows (this is technically not a Secure Boot issue, but could prevent the internal drive from being detected by the installer): Dell devices seem to have RAID enabled out of the box, even for devices with just a single SSD.
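A read-only pre-flight check for the procedure described in the issue body (which Secure Boot tier the firmware is in, TPM and BitLocker state, saving the recovery key before touching firmware settings), plus the storage-controller point raised in the comment above. This is an added example, not code from the issue authors or from the Rufus project. It uses the in-box SecureBoot, TrustedPlatformModule and BitLocker PowerShell modules; the function names and the certificate-name matching against the firmware `db` variable are this example's own choices, and the `E:\` output path is a constructed placeholder for removable media. Run it from an elevated PowerShell prompt on the device; nothing in it changes a setting.

```powershell
# Added example, not part of the issue or of Rufus. Read-only pre-flight report to run
# BEFORE changing Secure Boot settings on a Windows 11 device. Requires an elevated prompt.
#Requires -RunAsAdministrator

function Get-SecureBootCaMode {
    # Which Microsoft CAs does the firmware 'db' allow-list carry? Certificates in db are
    # DER-encoded, so their subject names can be matched as plain ASCII. The
    # "Microsoft Windows only" tier carries only the Windows CA; the "Microsoft UEFI CA
    # (3rd Party)" tier also carries the Microsoft Corporation UEFI CA that signs UEFI:NTFS.
    $state = [ordered]@{
        SecureBootEnabled = $false
        WindowsCA         = $false
        ThirdPartyCA      = $false
    }
    try {
        $state.SecureBootEnabled = Confirm-SecureBootUEFI
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $state.WindowsCA    = $db -match 'Microsoft Windows Production PCA 2011|Windows UEFI CA 2023'
        $state.ThirdPartyCA = $db -match 'Microsoft Corporation UEFI CA 2011|Microsoft UEFI CA 2023'
    } catch {
        # Legacy BIOS/CSM boot: the Secure Boot variables do not exist and the cmdlets throw.
        Write-Verbose "Secure Boot variables not available: $($_.Exception.Message)"
    }
    [pscustomobject]$state
}

function Get-EncryptionReadiness {
    # TPM and BitLocker ("Device Encryption" on Home edition) state of the OS volume.
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        ProtectionStatus = $vol.ProtectionStatus   # 'On': a firmware change will trigger the recovery prompt
        VolumeStatus     = $vol.VolumeStatus
        RecoveryKeyIds   = @($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object KeyProtectorId)
    }
}

function Export-RecoveryKeys {
    # Writes every recovery password to $Path. Point $Path at removable media or a
    # printer share, never at the encrypted system drive itself.
    param([Parameter(Mandatory)][string]$Path)
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            '{0} ID {1} Key {2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
        }
    }
    if (-not $lines) {
        throw 'No recovery password protector found; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first.'
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Get-StorageControllers {
    # A RAID/RST controller listed here is the situation described in the comment above:
    # the installer needs the vendor storage driver (or the firmware switched to
    # AHCI/NVMe mode) before it can see the internal drive.
    Get-CimInstance Win32_SCSIController | Select-Object Name, Manufacturer, DriverName
}

# --- report ---
$sb = Get-SecureBootCaMode
$sb | Format-List
if ($sb.SecureBootEnabled -and -not $sb.ThirdPartyCA) {
    Write-Warning 'Secure Boot is on and only the Windows CA is trusted: media signed by the Microsoft UEFI CA (UEFI:NTFS) will not boot until the firmware tier is changed.'
}
Get-EncryptionReadiness | Format-List
Get-StorageControllers | Format-Table -AutoSize
# On an already-encrypted device, save the key off-device before changing firmware settings:
# Export-RecoveryKeys -Path 'E:\bitlocker-recovery.txt'   # E: = a USB stick (constructed path)
```

The warning condition is the case the issue body describes: Secure Boot enabled with only the Windows CA present rejects UEFI:NTFS, and switching the firmware to the Microsoft UEFI CA tier changes the boot measurements, which is why BitLocker asks for the recovery key afterwards.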
