Windows with encrypted disks (BitLocker) can't be booted from the GRUB boot menu

Problem

If you dual-boot Fedora and Windows 10/11, and you chose to encrypt your Windows drives with BitLocker, on a system with a TPM security chip you won’t be able to boot Windows from Fedora’s GRUB boot loader (the menu which appears when you start the computer). Selecting the Windows boot item will force Windows into a recovery boot and it will ask you for the BitLocker recovery key (which is impractical to provide at every boot).

Cause

The TPM chip is used to prevent tampering with the device: it releases the BitLocker key only when the boot path it measured matches the one recorded when BitLocker was enabled. Booting through the GRUB bootloader (instead of directly into the Windows boot manager) changes those measurements, so it is treated as tampering and the TPM does not provide the BitLocker encryption key to the Windows operating system.

Related Issues

Bugzilla report: https://bugzilla.redhat.com/show_bug.cgi?id=2049849

Workarounds

When you want to boot into the encrypted Windows installation, you must invoke a UEFI one-time boot menu (immediately after your system is started), from which you can boot into Windows directly, bypassing the GRUB boot loader. This one-time boot menu is often invoked by pressing keys such as Esc or F12, but each system has its own configuration. It’s also possible that you’ll need to enable this menu first in the UEFI setup, often accessible by pressing Esc, F1 or Enter during startup (again, each system is different; consult your system/motherboard documentation or the on-screen hints during power-on).

Alternatively, power users can use the efibootmgr tool and its --bootnext option to specify that the next reboot should boot directly into Windows. (The exact command line is not provided here, because it differs between systems, and also because this approach is not recommended if you’re not proficient in using the command line).
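As an added example (not from this page or from the efibootmgr project), the following POSIX shell script looks up the Windows entry number in the output of efibootmgr instead of hard-coding it, then sets that entry as the one-shot BootNext. It assumes the entry carries the label "Windows Boot Manager", which is the label Windows installs by default; the efibootmgr output embedded in it is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# One-shot reboot into Windows past GRUB: look up the "Windows Boot Manager"
# entry with efibootmgr and set it as BootNext. BootNext is consumed by the
# firmware once, so the permanent BootOrder (Fedora/GRUB first) is unchanged.
set -eu

# Constructed sample of `efibootmgr` output, used only to test the parser offline.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002
Boot0000* Fedora
Boot0001* Windows Boot Manager
Boot0002  UEFI: Generic USB Flash Disk'

# find_boot_entry LABEL: read efibootmgr output on stdin and print the 4-hex-digit
# number of the first entry whose label is exactly LABEL (prints nothing if none).
# Entry lines look like "Boot0001* Windows Boot Manager"; "*" marks an active entry,
# a space an inactive one, and `efibootmgr -v` appends a tab plus the device path.
find_boot_entry() {
    awk -v label="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num = substr($0, 5, 4)
            rest = $0
            sub(/^Boot[0-9A-Fa-f]+[* ] /, "", rest)   # strip "Boot0001* "
            sub(/\t.*$/, "", rest)                    # drop the device path, if any
            if (rest == label) { print num; exit }
        }'
}

# boot_windows_next: resolve the Windows entry, write BootNext and reboot.
# Must run as root on a UEFI system; fails cleanly if the label is not found.
boot_windows_next() {
    num="$(efibootmgr | find_boot_entry 'Windows Boot Manager')"
    if [ -z "$num" ]; then
        echo "No 'Windows Boot Manager' entry found; check the labels in 'efibootmgr -v'." >&2
        return 1
    fi
    efibootmgr --bootnext "$num" >/dev/null
    echo "BootNext set to Boot$num; rebooting into Windows once."
    systemctl reboot
}

# Only touch firmware variables when explicitly asked: sudo sh boot-windows.sh --now
if [ "${1:-}" = "--now" ]; then
    boot_windows_next
fi
```

Run `efibootmgr` first to confirm the label your firmware shows for Windows; if a vendor renamed it, pass that label to find_boot_entry instead.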
