Doc: Windows 11 Secure Boot preinstalled laptops #2474
Issue description
Documentation improvement required for Windows 11 Secure Boot preinstalled laptops. While the current documentation provides reasoning, it does not specifically document keywords and clear instructions on the options for an end-user.
Cite issue #2137 which provides some context on the current state of laptops preinstalled with Windows 11, notably the Microsoft Surface series. However this appears to be a growing trend, and while it is not possible to cover all personal computing vendors - an effort should be made to provide clear information to end-users.
Initial draft of suggested documentation
Unfortunately, Microsoft has determined multiple tiers of the "Universal" UEFI Secure Boot Specification which has an impact across many personal computing vendors.
The UEFI Boot Configuration of many vendors will show a similar list of options to the following:
Examples such as Samsung Galaxy Book2/3 Pro devices provide Secure Boot Control on/off and a separate selection for "Secure Boot Certificate Keyset". These examples are infrequently documented and will vary for each device (even for devices using common firmware from American Megatrends International), and only screenshots of these devices will show what terms are used. However, the list is explicitly shown in Microsoft Surface documentation: https://learn.microsoft.com/en-us/surface/manage-surface-uefi-settings#uefi-security-page
For Hyper-V hypervisor Virtual Machines, this is similar with the addition of 'Linux Shielded VM Template', as seen in Hyper-V documentation:
https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager
For end-users with new devices seeking to use Windows 11 BitLocker (described on Windows 11 Home edition as 'Device Encryption'), the latest BitLocker encryption requires TPM 2.0 which requires Secure Boot to be enabled. Therefore if an end-user wishes to encrypt their data, Secure Boot must be enabled and this may stop boot of any OS installation created using Rufus.
If the device is new with no data and not yet encrypted, it is recommended to first perform UEFI Configuration and select the option that does not limit the device to only Microsoft Windows (such as Option 2 above, but the description may differ for each vendor).
If the device has already been encrypted, it is recommended to check and save the BitLocker Recovery Key before taking any action. There are various options available here, and it is likely the BitLocker Recovery Key is also synchronised to a Microsoft Account if the laptop is not using a Local Account only. Expect to enter the BitLocker Recovery Key after changing the Secure Boot configuration. For more information, please see:
https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6
As Rufus 3.17 or later uses UEFI:NTFS with Secure Boot signed, any OS created should now boot with the device and Windows 11 should now boot with BitLocker encryption.
Please refer to Rufus FAQ "Why do I need to disable Secure Boot to use UEFI:NTFS?" which describes the history of Rufus and Secure Boot.
For reference purposes, example images are shown below.
Samsung Galaxy Book3 Pro:
Microsoft Surface Book:
Hyper-V:
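The pre-flight sequence the post recommends before touching UEFI settings (confirm the current Secure Boot state, confirm TPM readiness, and save the BitLocker recovery key first) can be scripted on the device itself. The following is an added PowerShell example, not code from the issue or from the Rufus project; it assumes the SecureBoot, BitLocker and TrustedPlatformModule modules that ship with Windows 11, and the backup path is a placeholder to be replaced with a non-encrypted removable drive.

```powershell
# Added example (not from the Rufus issue or project): pre-flight check on a
# Windows 11 device before changing the Secure Boot configuration in UEFI.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Current Secure Boot state as reported by firmware.
#    Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems, so catch it.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = 'unsupported (not UEFI?)'
}
Write-Output "Secure Boot enabled : $secureBoot"

# 2. TPM presence and readiness (BitLocker on Windows 11 expects TPM 2.0).
$tpm = Get-Tpm
Write-Output "TPM present/ready   : $($tpm.TpmPresent) / $($tpm.TpmReady)"

# 3. BitLocker / Device Encryption status per volume, and whether a
#    RecoveryPassword protector exists. That 48-digit password is what the
#    firmware prompt will ask for after the Secure Boot configuration changes.
foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    Write-Output ("{0} ProtectionStatus={1} VolumeStatus={2} RecoveryProtectors={3}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $recovery.Count)
}

# 4. Save the OS volume's recovery password(s) to a file on removable media
#    BEFORE entering UEFI setup. $backupPath is a placeholder; point it at a
#    USB drive that is not itself BitLocker-encrypted.
$backupPath = 'E:\BitLocker-Recovery-Key.txt'   # placeholder path
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Protector ID: $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)`n" } |
    Set-Content -Path $backupPath
Write-Output "Recovery key(s) for $($env:SystemDrive) written to $backupPath"
```

If step 3 reports zero RecoveryProtectors for the OS volume while ProtectionStatus is On, the device is encrypted without a recoverable password protector; in that case retrieve the key through the Microsoft Account route the post links to before changing any UEFI setting, because the script has nothing to write.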