Bitlocker + Win11 Pro 24H2 edition = Secure Boot is mandatory???

vishalrao

I recently did a fresh install on my new rig with its Asus ProArt X670E Creator Wifi board and for the life of me I'm unable to get Bitlocker to not keep booting into recovery mode every time I disable secure boot in the UEFI settings.

My older rig with its ASUS PRIME TRX40 Pro-S and currently running Win11 Pro 23H2 edition has Bitlocker working just fine with secure boot disabled in the UEFI.

Now I don't recall if I installed the older OS after modifying it via Rufus to make secure boot optional (I didn't do this for the new install) so wanted to check whether anyone here knows why I'm facing this difference in behaviour.

I swear I read online secure boot is optional for Bitlocker so wondering whether Win11 Pro 24H2 has changed the requirement or there's some issue with my new mobo UEFI settings or some other PEBKAC thing.
 
Yeah the wording is misleading - the TPM and secure boot "feature" is mandatory (in the UEFI) but it's not mandatory to have SB enabled.

Long story short:

Seems like disabling the TPM PCR 4 (platform config register for boot manager) option in group policy editor resolved this issue - fingers crossed.

Located in group policy editor -> computer config -> admin templates -> windows components -> bitlocker drive encryption -> os drives -> config TPM for UEFI.
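
Added example, not part of the original posts: a small parser that reads the "PCR Validation Profile" of the TPM protector from `manage-bde -protectors -get C:` output and reports whether the Secure Boot state (PCR 7) or the boot manager (PCR 4) is part of what the key is sealed to. The sample output is constructed, its layout is an assumption about how the tool prints the profile, and the function names are hypothetical.

```python
import re

# PCR meanings for UEFI firmware, as listed in Microsoft's BitLocker policy documentation.
PCR_MEANING = {
    0: "core system firmware executable code",
    2: "extended or pluggable executable code",
    4: "boot manager",
    7: "Secure Boot state",
    11: "BitLocker access control",
}

# Constructed sample shaped like `manage-bde -protectors -get C:` output
# (assumed layout, placeholder IDs): a profile with PCR 4 unchecked in policy.
SAMPLE_OUTPUT = """\
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000001}

    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
      PCR Validation Profile:
        0, 2, 11
"""

def parse_pcr_profile(text):
    """Return the sorted PCR indices listed under 'PCR Validation Profile:'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("PCR Validation Profile:"):
            # Indices may sit on the same line or on one of the next two lines.
            tail = line.split(":", 1)[1].strip()
            for cand in [tail] + [l.strip() for l in lines[i + 1:i + 3]]:
                if re.fullmatch(r"\d+(\s*,\s*\d+)*", cand):
                    return sorted(int(n) for n in cand.split(","))
    return []

def describe_profile(pcrs):
    """Summarise which boot measurements the TPM protector depends on."""
    return {
        "pcrs": pcrs,
        "measured": [PCR_MEANING.get(p, "PCR %d" % p) for p in pcrs],
        "uses_secure_boot": 7 in pcrs,
        "boot_manager_measured": 4 in pcrs,
    }

if __name__ == "__main__":
    print(describe_profile(parse_pcr_profile(SAMPLE_OUTPUT)))
```

A profile without PCR 4 or PCR 7 means a changed boot manager no longer triggers recovery, which is worth knowing before relying on the TPM-only protector.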
 