Bitlocker and TPM blocks the hard disk after booting from USB and pressing "Try Ubuntu"?

Ubuntu Version:

24.04 LTS

Problem Description:

I’ve had a bad experience giving advice to a user that wanted to try Ubuntu. I just told the user how to try Ubuntu from a bootable USB, and after finishing the trial and taking out the USB memory they found that the hard disk was blocked and encrypted, requiring a password to access.

It turned out that it was encrypted by Bitlocker, a Windows program for encrypting the hard disk, and by TPM, a setup option that triggers the blocking if the boot order is changed. The user had a hard time finding the password because they didn’t even remember they had an encrypted hard disk.

I read that Subiquity seems to be able to detect Bitlocker and give options to the user if the “Install” button is pressed, but it seems not if the “Try” button is pressed. I don’t have a computer with Windows (and with Bitlocker) to confirm.

Before raising this issue somewhere else, can anybody confirm that “Try Ubuntu” does not detect Bitlocker and TPM?

Here is a doc about it:

Exactly @ogra , that’s what I saw and read. So from what I understand, if you go into the actual installation you get the appropriate advice if Bitlocker is on. What I’m worried about is that you don’t get any warnings if you just “Try Ubuntu”, despite the fact that you may end up with your hard disk locked. This is what happened to the user I told to “Try Ubuntu”.

Should a bug report or feature request be filed for this?

I have heard of users having issues with scenario 1, Install Ubuntu, but not with scenario 2, Try Ubuntu.

Seems to me that could, potentially, cause quite a few problems?


I think so, but since I didn’t experience this myself, a confirmation of somebody with the appropriate setup should be needed.

Yesterday when I was researching about the issue, I saw an exactly equal case in Askubuntu, but now I can’t find it any more.

I think it is something related also to TPM, whatever it is, which I think is something like a startup configuration that asks Bitlocker to lock the hard disk if the boot order is changed in the setup.

Windows 11 Pro with Bitlocker linked to TPM must also have Secure Boot enabled.

When you boot into a “Try Ubuntu” (using 24.04.2) session, there is no message that Windows 11 is even present, let alone encrypted.

If you try and mount the Windows encrypted partition, you’ll see a dialogue box asking for a passphrase.

There is no passphrase/password only a Recovery Key consisting of 8 blocks of 6 numbers separated by hyphens e.g.
12345678-12345678-12345678-12345678-12345678-12345678-12345678-12345678

This key will allow access to the encrypted drive in a live session.

As a test, I deliberately shut down the live session without unmounting the Windows encrypted partition. Windows 11 still booted successfully.

I have only found two conditions where Windows 11 needs the Recovery Key:

  • TPM disabled
  • Secure Boot disabled

I can’t reproduce this because there is no password only a recovery key.

Now, just to add to the confusion, Windows used to allow Bitlocker to function before the encryption was linked to TPM. This required a password.
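Since a “Try Ubuntu” session shows no sign that a Bitlocker volume is present, here is a small check one can run from the live session before touching any partition. This is an added example, not code from the thread or from Ubuntu/Subiquity; it relies on the fact that a Bitlocker (FVE) volume carries the OEM ID "-FVE-FS-" at byte offset 3 of its first sector (the same signature `blkid`/`lsblk -f` use to report TYPE="BitLocker"). The `make_sample_image` helper only builds constructed test images so the script can be exercised without a real Windows disk.

```shell
#!/bin/sh
# Added example: detect Bitlocker volumes from an Ubuntu live session.
# Bitlocker volumes have the OEM ID "-FVE-FS-" at byte offset 3 of the
# volume's first sector; reading it is enough to know the partition will
# demand a recovery key if the TPM/Secure Boot state does not match.

# is_bitlocker DEVICE_OR_IMAGE
# Returns 0 (true) when the Bitlocker OEM signature is present.
is_bitlocker() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null)
    [ "$sig" = "-FVE-FS-" ]
}

# scan_partitions
# Walks every partition lsblk knows about and reports which ones are
# Bitlocker volumes. Reading raw partitions needs root (sudo) on a live CD.
scan_partitions() {
    lsblk -lnpo NAME,TYPE 2>/dev/null | awk '$2 == "part" { print $1 }' |
    while read -r dev; do
        if is_bitlocker "$dev"; then
            echo "$dev: Bitlocker volume - keep the recovery key at hand before changing boot settings"
        else
            echo "$dev: no Bitlocker signature"
        fi
    done
}

# make_sample_image PATH KIND
# Constructed test data only: writes a 512-byte fake boot sector whose
# OEM ID is either Bitlocker's "-FVE-FS-" or a plain NTFS label.
make_sample_image() {
    case "$2" in
        bitlocker) oem='-FVE-FS-' ;;
        ntfs)      oem='NTFS    ' ;;
        *) echo "unknown kind: $2" >&2; return 1 ;;
    esac
    # bytes 0-2 stand in for the x86 jump instruction; the OEM ID follows at offset 3
    printf 'JMP%s' "$oem" > "$1"
    # pad to a full 512-byte sector so the layout matches a real boot sector
    dd if=/dev/zero bs=1 count=501 >> "$1" 2>/dev/null
}

# Usage from a live session (real disks need root):
#   sudo sh -c '. ./bitlocker_check.sh; scan_partitions'
```

On a live session the same information is available through `sudo lsblk -f` (column FSTYPE shows BitLocker), but the function above makes explicit what that detection rests on, and can be pointed at a single device or a disk image.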

Thanks @tea-for-one , I wonder what the user did, because according to them, they just started the computer from the USB key to enter into the Ubuntu live session, pressed “Try Ubuntu”, tried Ubuntu for a while, and closed the computer. Then they took the USB key out, restarted the computer, and it was asking for the recovery key (I think this is what they were referring to when they said it was requiring a “password”).

Yes, it’s very difficult to explain the actions of a third party, especially if they are not used to the intricacies of Operating Systems, TPM, Secure Boot inter alia.

I wonder if your user has Windows 7, upgraded to 10 or 11?
i.e. a different version of Bitlocker?

They said it is a Windows 11 computer bought already with this version.

But if they need to know this just to “Try Ubuntu” we’re in trouble…

Again, I agree
New users should just be able to point and click without worrying about anything in the engine room.

I’ve just spent a few minutes looking for Windows encryption info and, apparently, Bitlocker has a cousin, Device Encryption (for Windows 11 Home version):
Windows 11 Device Encryption

May be relevant or may not…?

This says that Bitlocker is enabled by default in clean installs of Windows 11 Home version, and this was actually the version of the affected user.

Not in every case

When you first sign in or set up a device with a Microsoft account, or work or school account, Device Encryption is turned on and a recovery key is attached to that account. If you’re using a local account, Device Encryption isn’t turned on automatically.

Therefore, I imagine it would be very difficult for an Ubuntu live session to try and figure out what else is present on a user’s PC and offer appropriate messages or warnings?

I asked the user what exactly they did, but I don’t know if they will come back after the scare they got from having the hard disk blocked and encrypted for 2 days.

Yes, I would be reluctant to venture into the Ubuntu world again if I had lost access to my PC.

I will just add that the difference may be the Windows versions.
I was using Windows 11 Pro and the user has Windows 11 Home.

Interesting discussion - much appreciated.

Perhaps this is something that needs to be addressed and added to the ISO (also for the various flavours)?

A message saying something like Windows with encryption detected and offering the option to, I guess, abort or disable TPM etc. or first make sure they know the recovery key or password.

Or will this put people off even more?

Yes, especially after just “Try Ubuntu”, they must be thinking if only trying Ubuntu this happens, what will happen if I try to install? But of course, they could have done something strange that they didn’t tell me.

I don’t know. If the user changed the boot order before trying to start from USB, it should be put in the documentation, but not in the ISO. But first it should be made sure that changing the boot order may trigger TPM and Bitlocker to block the hard disk.

If so, something like this could be put in the documentation: “Be careful if you change the boot order and you have a recent version of Windows with TPM and Bitlocker enabled. Your hard disk will get blocked and you will need the Bitlocker recovery key to access your Windows installation”. But of course all this should be confirmed as being correct.

Subiquity actually does detect a Bitlocker encrypted disk, when you press “Install” it tells you what to do.


I experienced this problem 2 weeks ago.

System

  • new Dell Precision 3590 with Windows 11 Pro (updated)
  • bitlocker, secure boot and fastboot enabled

Problem description / things I did

  1. prepare liveusb with ubuntu 24.04.2 using an ubuntu 22.04 installation
  2. power up the notebook, press F12 and select the usb device
  3. press “Try or install ubuntu” in grub
  4. once loaded, select language then close the setup (that was my first time with the new installer, I did not know there is a slide with “try ubuntu”)
  5. try programs, hardware etc
  6. shut down the notebook

Then, after the new start, bitlocker asked me the key to unlock windows.
I previously completed the Windows installation, so the key was saved in my windows account and I recovered it.

That said, after reading this post I tried again today the previous steps but I was not able to reproduce this problem.
I don’t know what caused the problem (first time changing boot device on the new notebook? different usb pen? different program to prepare the live usb [today I used balenaEtcher]?)

However, I think that a warning in the documentation to complete the Windows configuration and store the bitlocker key before trying or installing ubuntu could be really important. At least if people are interested in a dual boot installation.

Thank you



Thanks @vipri-alessandro , welcome to these forums and very useful that you confirm the issue.

Now that I understand it better, it seems to me that it is something that happens before Ubuntu has anything to do with the computer. From what you describe, it happens when you press F12 and you choose to start your computer from a bootable device different from your hard disk encrypted with Bitlocker. This could also happen for instance if you start any other Linux distribution or even with a Windows recovery USB.

All this seems more a problem of bad documentation of Bitlocker than any problem with Ubuntu.

So unless the Ubuntu documentation mentions anywhere that the computer can be started from USB using F12 or similar, nothing should be done in my opinion. If there is a mention of F12, then there could be a warning that if you have Bitlocker active you should make sure you have your recovery key around.

On the other hand, even if “Try Ubuntu” prompted a warning and gave advice as “Install” does, it would be too late; the hard disk would already be locked if you started from F12 without disabling Bitlocker. But now that I think about it, also with “Install” this same thing should happen if you follow the advice to disable Bitlocker before proceeding if you want to keep your Windows installation. When you go out and restart to do so, you will find the hard disk locked. Strange that we don’t see more reports of this; actually this should be the most common scenario.

Morning everyone

@wgarcia Is this the thread, which generated post no.1?

This thread and the information provided by @vipri-alessandro both concern laptops.
I couldn’t reproduce the error, possibly because I conducted my test using a mini PC i.e. desktop.

Just an observation, not very scientific.
Hopefully, some more examples may appear here.