I have a ThinkPad X1 Carbon 7th Gen received from my organization. I have installed openSUSE
Tumbleweed dual boot with Windows 10. I was able to install it with Secure Boot on and everything
works fine so far. However, when I boot into Windows, it asks for the BitLocker recovery key every time.
I tried reverting the BIOS setting to the Windows bootloader as 1st choice. Then the problem goes away.
But with openSUSE’s one set as first choice, the problem comes back.
I am sure this is not an uncommon problem. I tried searching for a solution but haven’t found a suitable
one.
Can anyone please suggest a solution for this or point me to some docs?
I don’t have “BitLocker” so I cannot comment on that part.
I do currently have Windows set as the first choice for UEFI booting, even though I mainly use openSUSE. I do that, because some Windows updates fail otherwise.
When rebooting from Windows, I use SHIFT-RESTART (hold the shift key while clicking restart). That gives me a menu. I choose “boot from device” and it lists “opensuse-secureboot” as a device.
When rebooting from openSUSE to openSUSE, I use “efibootmgr -n” to tell it that the next boot should be from opensuse-secureboot. And if I miss, then I can hit F12 during boot to get the BIOS boot menu.
It is annoying that Windows wants to be first in boot order, but I can live with it.
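The one-shot reboot described in the post above, as an added example that is not part of the original thread: it looks up the entry number by label, checks that Windows is still first in BootOrder, and sets BootNext to openSUSE. The label "Windows Boot Manager", the `--apply` switch, the function names and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: keep Windows first in BootOrder, boot openSUSE once via BootNext.

# Constructed sample of efibootmgr output (not taken from the thread).
sample() {
    printf 'BootCurrent: 0001\n'
    printf 'BootOrder: 0001,0000\n'
    printf 'Boot0000* opensuse-secureboot\tHD(1,GPT)/File(\\EFI\\opensuse\\shim.efi)\n'
    printf 'Boot0001* Windows Boot Manager\n'
}

# boot_num LABEL: read efibootmgr output on stdin and print the 4-hex-digit
# number of the entry whose label equals LABEL. Exit status 1 if none matches.
boot_num() {
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num = substr($0, 5, 4)
            label = substr($0, 11)
            sub(/\t.*/, "", label)   # drop the device path if one is printed
            if (label == want) { print num; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# first_in_order: print the first entry number listed in BootOrder.
first_in_order() {
    sed -n 's/^BootOrder: \([0-9A-Fa-f]\{4\}\).*/\1/p'
}

# Firmware variables are only touched when run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    out=$(efibootmgr) || exit 1
    win=$(printf '%s\n' "$out" | boot_num "Windows Boot Manager") || exit 1
    suse=$(printf '%s\n' "$out" | boot_num "opensuse-secureboot") || exit 1
    # Warn if the persistent order no longer starts with Windows.
    [ "$(printf '%s\n' "$out" | first_in_order)" = "$win" ] ||
        echo "warning: Windows Boot Manager is not first in BootOrder" >&2
    # BootNext applies to the next boot only; BootOrder is left unchanged.
    efibootmgr -n "$suse"
fi
```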
@nrickert Thanks for the tips. Yeah, it is annoying that Windows has so many problems with changing the boot order.
Just to add more information, things I have tried till now:
In the BIOS I changed the boot settings to Windows as first. In that case, the problem is solved and I don’t have to enter the recovery key many times. However, I cannot access Linux (your suggestion is useful here).
I tried suspending BitLocker and did the reboot with the openSUSE bootloader as first preference. It boots to Windows without any problem (as BitLocker is suspended) but the same problem happens in subsequent reboots.
(More towards Windows configuration than openSUSE) I tried turning off BitLocker and then turning it on again. It has generated new recovery keys. Still the problem persists.
So for now my BitLocker is disabled so that I can work both in Windows and Linux.
@gogalthorp Thanks. Booting directly through the UEFI boot menu does work and I was able to log in to Windows without
being asked for the recovery key. However, through the openSUSE bootloader it still has the problem. So as you said, there’s something
lacking with GRUB such that BitLocker cannot get keys from the TPM.
An interesting thing is that my friend installed Arch Linux on the same model of laptop and he just had to enter the recovery key once.
He doesn’t have this problem. I am wondering what was different in his setup. Anyway, I plan to look into it in more detail later.
It would be interesting to see the grub menu entry for Windows for that Arch setup.
When I boot Windows from the UEFI boot menu, it passes Windows a parameter (the BCD – boot configuration database), but the grub2 menu entry from openSUSE doesn’t do that.
However, that does not seem to be the whole story. A while ago (maybe 2 years), with a Windows 8.1 update, Windows wanted to restart (as usual). So I used the UEFI menu to reboot into Windows. But it still backed out that update and said that the update failed. But when I switched Windows to first in boot order, the update succeeded.