My Lenovo T480 runs a BitLocker-protected Windows 10 installation. BitLocker is configured to lock the system (request the passkey) if there are any hardware changes. I would like to keep the BitLocker protection intact and unmodified, but have the ability to dual boot into Linux or a different Win10 from a different SSD (without changing the BitLocker configuration). I have full access to the UEFI settings.
As far as I understand, BitLocker places something like a policy on the TPM, which then locks the laptop. Even with the Windows drive physically disconnected, the bit of BitLocker that went on the TPM will stop any bootloader from running.
This is where I get stuck: I want to be able to swap out the Windows drive and use a different OS, but I can't do that without messing with the current TPM configuration (as far as I understand).
In the UEFI settings of the T480, there's an option to deactivate the TPM. Does that clear the TPM? That would render the Windows install unusable. Does it simply disable the TPM until I re-activate it? Will BitLocker / the TPM lock the Windows install if I disable the TPM, use the Linux drive, and then re-enable the TPM?
Edit: For now, I'm trying to get dual boot with a second copy of Windows 10 working, and even with the first hard disk disconnected, I do get a blue BitLocker screen asking me for my USB key.
Edit2: Solved. I never tried what happens when I set the TPM to "hidden" in the UEFI. To recap, the setup was:
- Win10 on disk 1, with BitLocker active, key stored on the TPM and protected via hardware change detection
- Win10 on disk 2, no BitLocker
I installed disk 2 and was able to use it fine, until I booted into disk 1. I was then unable to boot disk 2. I wrongly assumed that the TPM prevented me from booting a disk different from the one that was using BitLocker. In fact what happened was that disk 1 decided that all drives should be BitLocker-protected and encrypted disk 2 for me. Thereafter disk 2 was unable to unlock on its own (presumably because the master key that BitLocker used was on disk 1) and failed to boot with a BitLocker error. I don't have admin rights on disk 1, so I was unable to turn off BitLocker on disk 2 from disk 1. Reinstalled Win10 on disk 2 instead, and will take care not to boot disk 1 while disk 2 is plugged in.
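The situation in Edit2 (one Windows install silently encrypting a second disk, whose protectors then live only on the first install) is easy to catch before it breaks a boot if you inventory the TPM and every BitLocker volume from the install that holds the keys. The script below is an added example, not code from the original post; it assumes Windows 10 with the built-in BitLocker and TrustedPlatformModule PowerShell modules and an elevated (Administrator) prompt, which is exactly what the poster lacked on disk 1. The function names (`Get-TpmSummary`, `Get-BitLockerSummary`, `Backup-RecoveryPasswords`, `Disable-BitLockerOnDataVolume`) and the example mount points are my own; the cmdlets they call (`Get-Tpm`, `Get-BitLockerVolume`, `Disable-BitLocker`, `Suspend-BitLocker`) are Microsoft's.

```powershell
# Added example (not from the original post): inventory the TPM and every
# BitLocker volume so a surprise "disk 2 got encrypted" is visible early.
# Assumes Windows 10, the BitLocker module, and an elevated prompt.
# Function names and the example paths/mount points are assumptions, not
# anything from the post.

function Get-TpmSummary {
    # Get-Tpm is the built-in cmdlet; these four flags answer "is there a TPM
    # and is Windows currently able to use it" without changing anything.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present   = $tpm.TpmPresent
        Ready     = $tpm.TpmReady
        Enabled   = $tpm.TpmEnabled
        Activated = $tpm.TpmActivated
    }
}

function Get-BitLockerSummary {
    # One row per volume: type, encryption state, and which protector types
    # exist. A data volume whose only protector is an auto-unlock key tied to
    # another install's OS volume is the failure mode described in the post.
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus  # On or Off
            EncryptionPercent = $vol.EncryptionPercentage
            AutoUnlock        = $vol.AutoUnlockEnabled
            Protectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Backup-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$OutFile)
    # Dump every 48-digit recovery password BEFORE touching protectors or the
    # TPM in firmware. Write it to removable media, not to a volume that is
    # itself BitLocker-protected.
    Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { "$mp  $($_.KeyProtectorId)  $($_.RecoveryPassword)" }
    } | Set-Content -Path $OutFile -Encoding ASCII
}

function Disable-BitLockerOnDataVolume {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Guarded decrypt for a data volume that this install encrypted, such as
    # the second Windows disk in the post. Refuses to act on the OS volume:
    # for a planned firmware or boot-chain change the right tool there is
    # Suspend-BitLocker -MountPoint C: -RebootCount 1, not a full decrypt.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the OS volume; use Suspend-BitLocker for a temporary bypass."
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        return "$MountPoint is already decrypted"
    }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null   # starts background decryption
    return "Decryption started on $MountPoint; poll Get-BitLockerVolume until VolumeStatus is FullyDecrypted"
}

# Usage, run from the install that holds the keys (disk 1 in the post):
Get-TpmSummary | Format-List
Get-BitLockerSummary | Format-Table -AutoSize
# Backup-RecoveryPasswords -OutFile 'E:\bitlocker-recovery.txt'   # E: = removable media (assumed)
# Disable-BitLockerOnDataVolume -MountPoint 'D:'                   # D: = the other install's disk (assumed)
```

Run the two summary calls first; if the second disk shows up as `Data` with `ProtectionStatus On` and only an auto-unlock or password protector from this install, that is the state that made disk 2 unbootable on its own, and `Disable-BitLockerOnDataVolume` from this install is the clean way out, rather than reinstalling. Back up the recovery passwords before changing anything about the TPM in the UEFI setup.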