Bitlocker + Win11 Pro 24H2 edition = Secure Boot is mandatory???

vishalrao

I recently did a fresh install on my new rig with its Asus ProArt X670E Creator Wifi board and for the life of me I'm unable to get Bitlocker to not keep booting into recovery mode every time I disable secure boot in the UEFI settings.

My older rig with its ASUS PRIME TRX40 Pro-S and currently running Win11 Pro 23H2 edition has Bitlocker working just fine with secure boot disabled in the UEFI.

Now I don't recall if I installed the older OS after modifying it via Rufus to make secure boot optional (I didn't do this for the new install) so wanted to check whether anyone here knows why I'm facing this difference in behaviour.

I swear I read online secure boot is optional for Bitlocker so wondering whether Win11 Pro 24H2 has changed the requirement or there's some issue with my new mobo UEFI settings or some other PEBKAC thing.
 
Just for reference:

Seems like disabling the TPM PCR 4 (platform config register for boot manager) option in group policy editor resolved this issue - fingers crossed.

Located in group policy editor -> computer config -> admin templates -> windows components -> bitlocker drive encryption -> os drives -> config TPM for UEFI.
 
Yea, TPM is required to be disabled to disable Secure Boot.
Disabling Secure Boot without TPM raises flags for the TPM, causing it to not allow BitLocker to decrypt itself.
 
Not the entire TPM needs to be disabled.
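The behaviour described in this thread comes down to which TPM PCRs the OS drive's key is sealed to: PCR 7 measures the Secure Boot state, so toggling Secure Boot changes it and the TPM refuses to unseal until the recovery key is entered, while the Group Policy setting named above only changes the profile that future seals use. The following PowerShell is an added example, not code posted by anyone in the thread. It reads the current PCR validation profile from `manage-bde`, the Secure Boot state, and (if the policy is configured) the PCR set under the registry key that the "Configure TPM platform validation profile for native UEFI firmware configurations" policy writes, and it shows the usual precaution of suspending BitLocker for one reboot before changing firmware settings. It assumes Windows 11 with the BitLocker and SecureBoot PowerShell modules and an elevated prompt; the function names are my own.

```powershell
# Added example (not from the thread). Assumes Windows 11, elevated prompt,
# BitLocker and SecureBoot PowerShell modules present. Function names are hypothetical.

function Get-BitLockerPcrBinding {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }

    # manage-bde lists the TPM protector's "PCR Validation Profile:"; the PCR numbers may
    # follow on the same line or on the next one, so handle both.
    $lines = @(& manage-bde -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    $pcrs = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            $tail = ($lines[$i] -split ':', 2)[1]
            if ($tail -notmatch '\d' -and ($i + 1) -lt $lines.Count) { $tail = $lines[$i + 1] }
            $pcrs = @($tail -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -match '^\d+$' } |
                ForEach-Object { [int]$_ })
            break
        }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware; report that as unknown.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Registry path written by the UEFI platform validation profile policy (the GPO named in
    # the thread). When the key is absent, Windows picks its own default profile.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $policyPcrs = $null
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        $policyPcrs = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
            ForEach-Object { [int]$_.Name } |
            Sort-Object)
    }

    [pscustomobject]@{
        MountPoint         = $MountPoint
        ProtectionStatus   = $vol.ProtectionStatus
        HasTpmProtector    = [bool]$tpmProtector
        PcrProfile         = $pcrs             # what the key is sealed to right now
        PolicyPcrProfile   = $policyPcrs       # $null when the GPO is not configured
        SecureBootEnabled  = $secureBoot
        # PCR 7 measures Secure Boot state/policy: flipping Secure Boot changes it.
        BoundToSecureBoot  = ($pcrs -contains 7)
        # PCR 4 measures the boot manager code: a boot manager update changes it.
        BoundToBootManager = ($pcrs -contains 4)
    }
}

function Suspend-BitLockerForFirmwareChange {
    # Suspend protection for exactly one reboot. The TPM protector is re-sealed to the new
    # measurements when Windows comes back up, and protection resumes on its own.
    param([string]$MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' until the next boot
}

# Usage:
#   Get-BitLockerPcrBinding | Format-List
#   Suspend-BitLockerForFirmwareChange    # then reboot into UEFI setup and change Secure Boot
```

If `BoundToSecureBoot` is true, expect a recovery prompt after any Secure Boot change unless protection was suspended first; after changing the policy's PCR list, the new profile only takes effect once the protector is re-sealed (a suspend/resume cycle does that), so checking `PcrProfile` against `PolicyPcrProfile` tells you whether the change has actually been applied.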
 