Question
Tuesday, December 4, 2018 1:40 PM
Sorry in advance if I didn't find the correct community category.
I am in a company environment that follows a Windows-only policy for the main OS (not least because of tool support etc.).
But as I am a developer I face the problem that most tools needed for proper development do not work properly on Windows (I don't want a discussion about this topic...).
To solve this I thought about using dual boot Windows 10 / Ubuntu.
The first try (without doing any research before) broke the BitLocker setup and I had to restage the client.
While doing research on this topic I found that there seem to be many people having this problem but never present a solution.
So my hope is that someone here has an idea how to set up dual boot with Windows 10 / Ubuntu while BitLocker is enabled for Windows 10.
UEFI is default boot mode. The hardware is very new (2-3 months old).
It would be cool if there are some suggestions that I can try out.
All replies (5)
Wednesday, December 5, 2018 8:40 AM
Hi Christopher,
Thanks for posting here.
We can turn off BitLocker and disable Secure Boot before we install Ubuntu, then we can enable BitLocker.
Please check these articles to see if they help:
https://www.ctrl.blog/entry/dual-boot-bitlocker-device
https://blogs.msdn.microsoft.com/abhinaba/2015/11/17/dual-booting-ubuntu-and-windows-10/
Best regards,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, December 11, 2018 8:28 AM
Hi,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best regards,
Monday, December 17, 2018 7:59 PM
It would be easier to use Linux in a virtual machine. Is that an option?
Friday, December 21, 2018 7:14 AM
Hi Christopher,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best regards,
Sunday, January 27, 2019 2:12 PM
There are a number of security-related flags you can modify related to BitLocker in the Group Policy Editor that relate to this. What you have to shut off depends on how you accomplish dual boot.
I managed to get this to work on my Lenovo X220 (which has an MBR-based dual boot environment dating from when it ran Windows 7 originally) but it was a matter of trial and error. I'm now working on setting up my X1 Carbon with the same environment (FreeBSD as the second OS) using rEFInd as a boot manager which, as it turns out, makes all the screwing around I had to do with the partition structure for the X220 unnecessary, and will be happy to post back here if I have to diddle some of the same things to make it work without throwing up. The symptom was that all appeared to be just fine until you booted FreeBSD, at which point BitLocker declared the environment insecure and demanded the recovery key.
The issue is that by default BitLocker will look at the boot environment and if anything has changed it will assume the machine has been tampered with and the password is insecure (e.g. the boot environment managed to steal it) and on startup thus demands the recovery key. The group policy editor under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption is where you want to look.
The likely change required is in TPM platform validation profile settings (there are three; the one that likely impacts you is the UEFI setting for modern machines.) Be aware that this setting becomes part of the BitLocker stored state when it is enabled, so changes only take effect if you decrypt/re-encrypt the drive, if it is already enabled.
If your corporate environment is attached to a domain controller that forbids local changes to group policy you will need to talk to your IT people to get that changed.
IMHO full-disk encryption of some sort is an absolute requirement on a laptop since they're exposed to physical theft much more than is a desktop machine.
Update: I did not need to play with the group policy; the TPM was happy -- but I did install the EFI boot manager (rEFInd) before I enabled BitLocker. I suspect that any tampering with that partition in the future will cause it to throw up.
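
Why a changed boot chain triggers the recovery prompt, and why installing the boot manager before enabling protection avoids it, shown as an added example that is not part of the thread and not BitLocker's actual implementation: a simplified Python model of TPM PCR measurement and sealing against a validation profile. The measurement strings, the function names and the two small profiles are constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot(chain):
    """Replay a boot. chain maps PCR index -> list of measured blobs, in order."""
    pcrs = {}
    for index, blobs in chain.items():
        value = bytes(32)  # PCRs start at all zeroes after reset
        for blob in blobs:
            value = extend(value, blob)
        pcrs[index] = value
    return pcrs

def policy_digest(pcrs, profile):
    """Digest over only the PCRs named in the validation profile."""
    h = hashlib.sha256()
    for index in sorted(profile):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()

def seal(pcrs, profile):
    """Model of enabling protection: profile and expected digest are stored together."""
    return {"profile": tuple(sorted(profile)), "digest": policy_digest(pcrs, profile)}

def unseal(sealed, pcrs):
    """True: key released. False: the recovery-key prompt described in the post."""
    return hmac.compare_digest(sealed["digest"], policy_digest(pcrs, sealed["profile"]))

# Constructed measurements: PCR 0 = firmware, PCR 4 = boot manager code.
WINDOWS_ONLY = {0: [b"firmware-v1"], 4: [b"windows-boot-manager"]}
WITH_SECOND_MANAGER = {0: [b"firmware-v1"], 4: [b"second-boot-manager", b"windows-boot-manager"]}

def scenarios():
    before, after = boot(WINDOWS_ONLY), boot(WITH_SECOND_MANAGER)
    return {
        # Sealed first, boot manager added later: PCR 4 differs, recovery prompt.
        "manager_added_after_sealing": unseal(seal(before, (0, 4)), after),
        # Boot manager installed first, then sealed: the chain matches on every boot.
        "manager_installed_before_sealing": unseal(seal(after, (0, 4)), after),
        # A profile without PCR 4 cannot see the boot manager change at all.
        "profile_without_pcr4": unseal(seal(before, (0,)), after),
    }

if __name__ == "__main__":
    for name, released in scenarios().items():
        print(f"{name}: {'key released' if released else 'recovery key required'}")
```

Because the profile is stored inside the sealed state in this model, changing the profile afterwards has no effect until the key is sealed again, which matches the remark above about decrypting and re-encrypting.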