Secure Boot and Bitlocker

  1.    10 Aug 2017 #1

    Secure Boot and Bitlocker

    If I have BitLocker enabled on my system, do I have to enable Secure Boot as well?

    If BitLocker is enabled, does that mean I must enable Secure Boot?

    Or, can I just leave Secure Boot disabled?

  2.    10 Aug 2017 #2

    You don't need secure boot. You can have it on or off as you wish.

    If you change the Secure Boot setting (on to off or vice versa) by fiddling with the BIOS settings, though, it will trigger a change that requires your whole 48-digit BitLocker recovery key to be entered, so if you want to change it, suspend BitLocker and then restart (so you can make your BIOS change).

    You need to do the same "suspend bitlocker/reboot" cycle for any other BIOS change that impacts on boot.

  3.    10 Aug 2017 #3

    So it's always best to enable Secure Boot BEFORE turning ON BitLocker?

    Thanks for the quick response.

  4.    10 Aug 2017 #4

    Doesn't matter either way.

    I leave it off as I like to boot from USB sometimes so I don't like secure boot.

    The only thing to consider is that if you want to change it (either from "on to off" or "off to on") then you'll need to suspend BitLocker before you do, or BitLocker will prompt you for a recovery key because it saw a change in the boot setup.

    Once BitLocker is running it will be OK until you change something (change a BIOS setting, try to boot from a different disk, etc.).

  5.    10 Aug 2017 #5

    One more final question which may be a bit off topic.

    Since my system is fully encrypted with BitLocker, would it be fine to leave the UEFI firmware password as not set or disabled? Do I really need to set a UEFI password even if my system is fully encrypted?

  6.    10 Aug 2017 #6

    Just a note that for devices which are using Device Encryption (which isn't the same as BitLocker but uses the same underlying technology), I believe you do need to have Secure Boot enabled.

    Device Encryption is available on all versions of Windows 10, even W10 Home (which doesn't support BitLocker), as long as the hardware meets certain requirements - for instance, I believe the system drive must be on a 'non-rotational disk' (e.g. an SSD).

  7.    10 Aug 2017 #7

    So you're saying I need to have Secure Boot enabled with BitLocker as well?

    By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    What about UEFI password?

  8.    10 Aug 2017 #8

    win10freak said:
        So you're saying I need to have Secure Boot enabled with BitLocker as well?

    Not if you have Windows 10 Pro or one of the other versions where BitLocker is a feature. BitLocker itself works fine without Secure Boot. It's only the Device Encryption which seems to need Secure Boot.

    win10freak said:
        If so, then will I need to Suspend BitLocker?

    If you were going to change anything significant such as Secure Boot status, then yes, I would suspend it. It's safer to suspend it than find it asking for a recovery key because you didn't. I would make sure you know that recovery key in any case, though.

    win10freak said:
        What about UEFI password?

    I don't think it's required. Personally I wouldn't set it, but that's just me.

  9.    10 Aug 2017 #9

    By the way, I would like to just have BitLocker ask for the recovery key instead of the Suspend option.

    I have the recovery key on a USB stick so that way I can just insert it and BitLocker will automatically unlock the drive.

    Here is the reason why....
    BitLocker Frequently Asked Questions (FAQ)

    Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.

  10.    11 Aug 2017 #10

    You don't have to suspend BitLocker protection if you are planning a change to your BIOS - certainly you can enter the recovery key. Indeed, if you don't suspend it you will be asked for the key, and I know for sure that it works, as sometimes I forget to suspend it.

    The thing is that if you change a setting in your BIOS then your TPM (or USB) will not auto-unlock it, so you will be forced to manually type in the full recovery key. This is the really long one you see in red here, from the file you get when you save it:

    BitLocker Drive Encryption recovery key
    To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
    If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
    Recovery Key:
    If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
    Try another recovery key, or refer to for additional assistance.

    If you are planning to reboot to change some BIOS option it just makes life easier to suspend BitLocker, as you don't have to type in this long number - after reboot the key is again protected.

    If you suspend BitLocker through the GUI (like in option 1 in the link below) it will be enabled after the next reboot, so you can suspend it, make your change and it is automatically enabled (and the key is no longer stored in clear).

    Incidentally, you can also use PowerShell as described in option 4 of the link below to ask the system to not re-enable protection for an arbitrary number of reboots.

    For example, Suspend-BitLocker -MountPoint "C:" -RebootCount 5 will not resume protection for 5 reboots. I honestly can't imagine a situation in which you would want to do that, but you could do it I guess.

    Suspend or Resume BitLocker Protection for Drive in Windows 10 (Windows 10 Security System Tutorials)
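The "suspend, change firmware, let protection resume" routine that posts #2, #4 and #10 describe can be scripted so the recovery key is confirmed and saved before anything is touched. The following PowerShell is an added example written for this page, not code from the thread, the tutorial it links, or Microsoft. It assumes an elevated session on Windows 10 Pro with the BitLocker and SecureBoot modules available, that C: is the OS volume, and that a RecoveryPassword protector already exists; the backup file name and location are assumptions, and the file should be moved off the encrypted disk (the thread's USB stick, for instance) once written.

```powershell
# Added example: pre- and post-firmware-change checklist for a BitLocker OS volume.
# Assumptions: run as Administrator, OS volume is C:, a RecoveryPassword protector exists.
# Cmdlets used: Confirm-SecureBootUEFI, Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker.
param(
    [ValidateSet('Before', 'After')]
    [string] $Phase = 'Before',
    [string] $MountPoint = 'C:'
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots; report that as "not available".
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $null }
}

function Save-RecoveryKey {
    param([string] $MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No RecoveryPassword protector on $MountPoint - add one before changing firmware settings."
    }
    # Assumed location; this matches the layout of the file Windows produces when you save the key.
    $backupPath = Join-Path $env:USERPROFILE "BitLocker-RecoveryKey-$($env:COMPUTERNAME).txt"
    $recovery | ForEach-Object {
        "Identifier: $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)`n"
    } | Set-Content -Path $backupPath
    return $backupPath
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Secure Boot enabled : $(Get-SecureBootState)"
Write-Host "Volume status       : $($vol.VolumeStatus)"
Write-Host "Protection status   : $($vol.ProtectionStatus)"   # 'Off' while suspended (clear key on disk)
$vol.KeyProtector | ForEach-Object { Write-Host "Protector           : $($_.KeyProtectorType)" }

switch ($Phase) {
    'Before' {
        # Make sure the 48-digit key is reachable from another device before any boot-measured change.
        $path = Save-RecoveryKey -MountPoint $MountPoint
        Write-Host "Recovery key written to $path - move it to removable media now."
        if ($vol.ProtectionStatus -eq 'On') {
            # One reboot is enough for a firmware-setup change; protection resumes on its own afterwards.
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
            Write-Host "BitLocker suspended for 1 reboot; change the firmware setting and restart."
        }
    }
    'After' {
        # Run this once back in Windows: confirm protection resumed, and resume it explicitly if not.
        if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -ne 'On') {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        Write-Host "Protection status now: $((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus)"
        Write-Host "Secure Boot enabled  : $(Get-SecureBootState)"
    }
}
```

Run it with `-Phase Before` immediately before rebooting into firmware setup, and with `-Phase After` once Windows is back up. The `ProtectionStatus` of `Off` on an encrypted volume is exactly the suspended state the FAQ quoted in post #9 describes, so the `After` phase is the check that the clear key is gone again.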

