Hi, Brink
Thanks for the superb tutorial. Just wanted to note that the instructions to be sure to disable Secure Boot don't work right on a Surface Pro 2 UEFI system with BitLocker enabled, may not even be necessary for a Surface device, and lead to bad stuff happening. When I did it, since I probably had previously deleted my Recovery Partition to save disk space, when I tried to save my UEFI settings with Secure Boot disabled and reboot, I kept coming back to the UEFI configure page and being told I had no other BitLocker recovery tools and to use a Rescue Disk or contact my administrator. Admittedly, I was trying to do an In-Place Repair on a corrupted Fast Ring Insider 16232 build. It turned out it didn't matter if Safe Boot was enabled or disabled. I could still boot to the USB rescue disk by holding down the Volume Down side of the volume rocker while pressing and releasing the Surface Power Button, then releasing the Volume Down button as soon as I saw the Surface logo. I had to enter my BitLocker Rescue Key but then could go to the Admin. Command Prompt to run "manage-bde -off c:" which only took 20 min or so to unencrypt my C: drive. From there I could boot back to my desktop, mount the ISO image, and run setup to do the In-Place Repair that you have so beautifully illustrated. But I think on my Surface Pro 2, if I had just run the In-Place Repair without attempting to disable Secure Boot, everything would have gone smoothly. So I think you might need to modify your instructions according to the type of UEFI setup in use, which for a Surface Pro 2 with BitLocker enabled, doesn't work right when your instructions to disable Secure Boot are followed.
Hello Jim, :)
Yeah, it would be best to either suspend or decrypt Windows before doing any type of repair install or upgrade to avoid potential issues.
Thanks for adding on the warning on suspending BitLocker before the warning about turning off Secure Boot. I think it will save anyone else like me with a UEFI system a heap of trouble when they have a BitLocker-encrypted disk. I think my Surface is the first TPM/UEFI system I've ever attempted an in-place repair on. I've done it on several legacy BIOS, BitLocker-encrypted systems. I know with some updates/upgrades, Windows itself announces that BitLocker will be/should be suspended for the duration of the operation. Just don't remember if the in-place repair is one such operation.... (I'm getting to be quite a foggy-minded 72-year-old geezer!).
Tried to send you a PM about a relevant MS TechNet article that I found on Secure Boot and BitLocker but found I have to have 5 posts before I can PM!
So here is what I would have PM'd. Hope the link comes through:
Hi, Brink
I found this MS TechNet discussion of Secure Boot and BitLocker on Windows 10 that suggests that it's normally not necessary to turn off Secure Boot and that Windows will advise if BitLocker needs to be/is going to be suspended, which is my recollection, as I mentioned, for other legacy systems.
Secure Boot and BitLocker on Win10
Thanks again for all the great advice that you offer on your site! :)
Jim Lewis
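The precaution discussed in the posts above (suspend BitLocker before a repair install, and leave Secure Boot as it is), written as a pre-flight check. This is an added example, not part of the original thread or tutorial; it assumes the OS volume is `C:` and that a reboot count of 1 is a suitable starting value.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check before an in-place repair install on a
# BitLocker-protected OS drive. Assumptions: OS volume is C:, reboot count 1.
$MountPoint  = 'C:'
$RebootCount = 1   # assumed value; 0 keeps protection suspended until Resume-BitLocker

# Report the Secure Boot state only. Nothing here changes firmware settings.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $secureBoot (left unchanged)"
} catch {
    Write-Host 'Secure Boot state unavailable (legacy BIOS or unsupported platform).'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume status: $($vol.VolumeStatus); protection: $($vol.ProtectionStatus)"

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host 'Drive is not encrypted; nothing to suspend.'
}
else {
    # Stop if there is no recovery password protector: without one, a failed
    # repair or a firmware change can leave the drive locked with no way back in.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one and store it off the device first."
    }

    # Print only the protector IDs so they can be matched against the saved
    # recovery key; the recovery password itself is never written to the console.
    Write-Host "Recovery protector ID(s): $($recovery.KeyProtectorId -join ', ')"
    Write-Host 'Confirm the matching recovery key is saved somewhere other than this device.'

    if ($vol.ProtectionStatus -eq 'On') {
        # Suspending keeps the data encrypted; it is much faster than decrypting.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
        Write-Host "Protection suspended for $RebootCount restart(s)."
    }
    else {
        Write-Host 'Protection is already suspended or off.'
    }

    # After the repair: if Get-BitLockerVolume still reports ProtectionStatus Off,
    # run Resume-BitLocker -MountPoint $MountPoint to turn protection back on.
}
```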
Hello Shawn. Couple of newbie questions. My laptop (10 Pro x64) involuntarily upgraded me from 1604 to 1703 Build 15063.483 even though I had checked the box to defer upgrades. I tried to create a System Repair Disc for this new build but I received a prompt that files were missing and the disc could not be created. (The System Repair Disc created for 1604 does not access 1703.) I have the official ISO from Heidoc (Win10_1703_English_x64.iso). If I mount the ISO and run setup.exe will the missing files needed to create a System Repair Disc be replaced? Or is there something else I can do to get just those missing files? Thanks for your help, Shawn.