Thanks. It's clear now you have no basis for saying Secure Boot with BitLocker prevents you from using boot media such as Terabyte's tbwinre and ifl which I linked to earlier that are specifically documented to work when Secure Boot is enabled. You ran into issues because you were disabling Secure Boot. If you had tried the right boot media, it might have worked. I haven't tried it myself, so I can't say that it does work, but you sure can't say that it doesn't. I wish someone would run a proper test to determine this. I might the next time I build a new system. Telling people to turn off BitLocker so they can disable Secure Boot is at best premature, as you can't say for sure that it's necessary, and it's a bit dangerous for people who care about encryption.
Frankly, this thread has been full of FUD about BitLocker. I've corrected the overly general statements that do not apply to the scenario I'm familiar with, using BitLocker without a TPM and with UEFI BIOS in legacy mode. As for UEFI and Secure Boot, I can't correct the FUD written about that, because I don't have any experience with it. All I can do is what I've done, that is, point to products that are documented to work when Secure Boot is enabled. BitLocker may indeed pose problems when those products are used, but that has not been demonstrated.
I think you never understood what I was saying. I said:
1. With the encrypted system drive I could
not disable secure boot in the BIOS
Yes, in replies to my posts, it was established that trying to disable Secure Boot is the wrong approach if you want to keep the encryption. It doesn't work, because BitLocker prevents it. However, by your own admission, you didn't try boot media such as the ones I linked to that are documented to work with Secure Boot
enabled.
2. With the encrypted system drive I had only one boot option and that was from the system drive.
If certain boot media is documented to work with Secure Boot enabled,
it must be possible to boot from it on some systems. Otherwise, Terabyte and others are just lying. I suppose it is possible that if the boot media is incompatible with Secure Boot, the BIOS might not even present it as an option, and that could explain your observation. Or maybe your BIOS was unnecessarily crippled. How would I know? The only thing I'm really interested in here is whether or not BitLocker restricts boot choice in general when Secure Boot is enabled, as Secure Boot by itself shouldn't have prevented it for compatible boot media.
That would be useful to know.
3. When the system was decrypted, I was able to boot from USB
Yes, as you said, "With the encryption enabled, I could not boot from USB because I could not shut the secure boot off."
That was to be expected. It might not be the best answer, though.
I have certainly not tested all variations and permutations but I have at least tested some of the encryption problems. You have tested nothing and are just throwing out unconfirmed stuff that you might have read somewhere.
Why don't you do what KYHI says and test it yourself and come back with a full report. Until you have real facts I would appreciate if you stayed off my thread.
I don't know what KYHI said, because I put him on ignore due to his behavior in
this thread, where he repeated his overly general and wrong statements about BitLocker even after
I had corrected him here concerning similar statements, and
after correcting him again there, his subsequent replies seemed not to acknowledge his wrongness but instead got
weirder.
And it was not just me finding fault with what he said in that thread. As for what I've tested and haven't tested, I've clearly spelled those things out without any prompting to do so. I've done so in this thread and in the lengthy, detailed post on the Terabyte forum I linked to in my first message. As for your request that I "get off your lawn", my presence on it has clarified what you're talking about and identified what
you have and haven't tested, and moreover, what
needs to be tested. As I said
here, I'm trying to see that BitLocker doesn't get an undeserved bad rap.
To summarize, you started off by saying BitLocker prevented you from imaging. That is not true in general, and I linked to my post in the Terabyte forum where I described how it works when not using TPM and when UEFI BIOS is in legacy mode. That led you to clarify your first post by stating that BitLocker was preventing you from disabling Secure Boot and thus preventing you from running your boot media. That was news to me, so when you asked why this happens, I did some research and posted a link to a TechNet article that would seem to explain it. You then stated you wrote a tutorial on how to deal with this, and I guess the advice was to decrypt the system drive per your point (3) above and turn off Secure Boot, which I would call The Nuclear Option and a really bad situation if it's the only way. That's when I asked for clarification on whether you had tried
boot media such as I had linked to earlier that is documented to work with Secure Boot
enabled, which presumably would not require decrypting the system drive. Your response? "Nah." And that's how I came to write the message you've quoted above and are complaining about. I thought it was fair, and I stand by it.
BTW, it's not just restoring images that's at stake here with this Secure Boot/BitLocker uncertainty. I add a bunch of programs to tbwinre, so that it's a good Parted Magic substitute with a lot of troubleshooting tools instead of a relatively bare bones Windows Recovery Environment with just the Terabyte tools installed. I would not give this or BitLocker up to enable Secure Boot, and when I built my Z87 system a year and a half ago, I concluded Secure Boot was too new and complicated even to experiment with, plus I was reading BIOS's were buggy WRT its features, and even hardware such as video cards may not be compatible with it if they lack UEFI BIOS. It's something I will look into when I build a new system.
