Bitlocker Windows 11 Issue
Herodes Hamilton
Edit:
Also Samsung drives are the worst for ur purposse, u can only set them ONCE - for another setting u need to PSID the drive which samsund doesnt offer - a secure erase wont do it.
Better drives used to be Crucial or Kingston as u can do a PSID revert afterwords
Are you all having this issue on the same Samsung 990 drive?
We have run through validation with other drives which do not have an issue with bitlocker.
But I do not think we validate encryption explicitly using hardware OPAL SED support.
I purchased the Samsung 990 Pro instead of the WD SN850X specifically for Bitlocker hardware encryption. I did quite some research and from what I understand Bitlocker requires SEDs to respect the IEEE1667 standard, also known as eDrive.
Utilizing internal USB drives on the motherboard I have been attempting to implement BitLocker onto our physical servers. I have tried 6 of them, all HP servers and all of them give the same error. After encrypting to 99.9% (go figure) it pauses with an error message:
I would have assumed after one server, maybe it could have been hardware related...but all 6 seems rather unlikely. I have run chkdsk /r as well as chkdsk /r /b /f neither of which has solved the issue. We are running hardware raid on these machines...I cannot find anything definitively stating BitLocker does not support hardware RAID though I have seen a few items pointing out it does not support software RAID...
It appears the issue was due to not creating separate partitions. As per the BitLocker tutorial from Microsoft two partitions should be created, however those may only be created if bdehdcfg -driveinfo returns selected disks to modify. If it returns a message detailing how the drive is setup already and it is not necessary you may not modify the disks utilizing bdehdcfg. For some unknown reason this was occuring even though my disks were NOT ready for BitLocker at all. I actually had to reload windows... Makes no sense at all. But works now
I am having trouble understanding the issue of why bitlocker was activated on the laptop that I have. I am running a windows 10 Home Edition on the laptop HP Spectre x360 Laptop. After speaking with microsoft support team they referred me to HP for some help. Windows 10 Home Edition does not have bitlocker settings but this laptop does. I need to know if this bitlocker key is stored on an account with HP or where I can find this code.
The issue really resides with who has this key? When setting up my computer I created an account with microsoft and it was not saved on the account. So how can I find this key that I was never given at time of purchase. Can I send in my computer to HP to recover the key from the motherboard? I need to obtain some crucial files from the hard drive.
Evidently some of high-end HP Windows10 Home laptops like yours come with TPM 2.0 and Moden Standby, and when you sign in with Microsoft account during the initial setup, the drive is automatically encrypted without your knowledge.
@Tk_srq,
Thank you for your response. It has been a while since I have been online here. Your answer did spark doubt in my mind about the key being on an account. I tried every account that I know I have created. I never would have thought that it was on my school account. I do not remember at initial setup using that account. I might have put it in a mail account on the computer but not to initial the actual laptop. I called my university and they were able to give me the bitlocker key. I was a little confused but happy that I was able to get back on my drive.
Thank you for introducing doubt into my mind and giving me another go on emails. It just find it odd that it saved in on the school account.
"In a work or school account: If your device was ever signed into an organization using a work or school email account, your recovery key may be stored in that organization's [content removed]. You may be able to access it directly or you may need to contact the IT support for that organization to access your recovery key."
This morning when she booted up her computer, a blue screen popped up asking for a Bitlocker Key to continue. She had never activated Bitlocker on her computer. It would appear that Bitlocker was activated during the latest update.
Apparently, some Dell systems can be encrypted with BitLocker without the users knowledge or explicit command to do so. Refer to -us/000124701/automatic-windows-device-encryption-bitlocker-on-dell-systems
I had to type each fedora update windows recovery key when booted to windows, but that might be just my hardware and Nvidia stuff and eventually it just lost boot option to fedora ending running WSL or VM setup and second laptop just fedora bare metal
from within windows use the disk manager to shrink the windows partition and allow space for the fedora install. This is especially critical since you are using bitlocker. The space freed up must remain unallocated.
boot the fedora installation media and do the install. Do NOT create an additional esp partition but allow fedora to automatically perform the partitioning and install. It is best to allow both OSes to share the existing esp partition.
(experienced users may define their own partitions but normally fedora does it quite well with the automatic install)
I do not use bitlocker so have no experience with the stated need to use the uefi boot menu to boot windows. Yes, grub is the default boot loader in fedora and it is installed automatically. When dual booting the grub menu should show each time you boot, which normally allows the user to select the kernel or OS to boot.
This depends upon your hardware and what drivers you use. If you do not install software that requires locally compiled kernel modules then secure boot may remain enabled. I think windows 11 probably uses secure boot by default (and may even require it). You may also sign the locally compiled modules which will allow them to load and also allow keeping secure boot enabled.
If you have a GPU such as nvidia and use the nvidia drivers or use virtualbox to run VMs, both have locally compiled kernel modules and require that either you disable secure boot to use unsigned modules, or create a local signing key and enroll it into the bios so the modules are signed when compiled and continue to use secure boot.
I use secure boot, and have installed nvidia drivers as well as virtualbox from the rpmfusion repo. There is a package named akmods that manages compiling and signing these modules for me.
Once the package akmods is installed there is a readme file /usr/share/doc/akmods/README.secureboot containing the instructions on how to create and enroll the key so modules may be automatically signed and will load with secure boot enabled.
This may be a result of using bitlocker. Is it possible to disable bitlocker without a full reinstall?
If not then it should be possible to copy off the data you desire to keep, then do a new install of windows without bitlocker and start over with the fedora install.
It has been many years since I worked with windows at that level. His info reminded me of what I used to do when windows was my main OS and had forgotten by now. Admin tasks done 15 or more years back tend to be forgotten.
Have only booted windows once in the last 6 months and that was only for update purposes. Since windows does the auto updates without asking for permission I did not want it updating when I happened to be travelling and on a slow or metered connection.
If you really do not need windows it seems that you might consider installing fedora on the drive, then use libvirt and virt-manager to create a VM of about 50 GB or so in size and install windows 10 into that VM so it would be available if needed. I guess that it might be possible to use win 11 in that manner but I have not tried that yet. Win 11 requires secure boot and TPM. libvirt does provide secure boot, but I have not tested the TPM capabilities.
you might consider installing fedora on the drive, then use libvirt and virt-manager to create a VM of about 50 GB or so in size and install windows 10 into that VM so it would be available if needed. I guess that it might be possible to use win 11 in that manner but I have not tried that yet. Win 11 requires secure boot and TPM. libvirt does provide secure boot, but I have not tested the TPM capabilities.
I runned virt manager on fedora on testing and installed windows 11 with secure boot and TPM without virtIO setups and it works there is just some settings need to set to enable secure boot and TPM on vurt manager pretty easy actually and I might even do it again just for fun
BitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system. When activated, it will encrypt the contents of the hard drives in Windows, making the data inaccessible without the correct decryption key. It is designed to minimize the risk of data theft or exposure from lost or stolen computers.
When a user starts their computer and properly authenticates with the correct credentials, BitLocker will decrypt the data and allow seamless usage of the hard drive and the data it contains. Without the correct credentials, the encrypted hard drive data will look like random noise.
I ran into this BitLocker issue for the first time and was really bothered with the decrypt/install/re-encrypt approach. As the boot and recovery partitions are not encrypted, I tried a different approach which worked fine. So there is a 4th option! Here it is:
Hi, I have installed both Windows 11 and Ubuntu, and bitlocker was disabled for the installation, but then I enabled it back on after some rebooting to ensure all was working. Works fine with bitlocker enabled.
d3342ee215