-2

Occasionally one might need to boot into an application that requires CSM mode in BIOS to be enabled (like SpinRite). Since most modern Windows installations are UEFI with Secure Boot, this requires BIOS changes.

This question is about switching back from CSM mode to UEFI boot mode (after having wrapped up the CSM-booted application work) and dealing with an unexpected issue.

Before:

  1. Altering BIOS settings while Microsoft Windows has a BitLocker encrypted system drive is asking for trouble, so the encryption was temporarily suspended in order not to trigger any protection mechanism.

  2. In this BIOS a save profile was used to save and restore settings.

  3. A RecoveryKey protector was also added to the system drive, just in case.

*The BIOS settings were changed and CSM-booted drive work was performed.*

After:

  1. After doing the CSM-booted work, the previously saved BIOS settings profile was restored.
  2. Windows loaded fine. (BitLocker was still suspended.)
  3. BitLocker protection was continued after logging into Windows.
  4. After another reboot the system did accept my BitLocker PIN (TPMandPIN) but it did not load Windows (or the bootloader).
  5. It reboots and finally asks for the PIN again. (If you use unlock by TPM-only: boot-loop.)

(I ran into this problem and was banging my head against the wall. Sharing it to save others time if anyone also runs into this issue.)

Overview of BIOS / motherboard settings that were changed:

  • Secure Boot
  • CSM-Support
  • Fast Boot
  • Boot Order altered (did not really help.)

Take note that these settings were set back to their original setting before booting into Windows.

The questions:

a. How do I get back into Windows?

b. Which BIOS setting is responsible? (Since we had to change things in there.)

c. Why is my BitLocker PIN accepted but Windows still fails to boot?

What could go wrong? (Reference)

  • Windows can launch its intervention during boot trying to 'help' you when there is a boot issue.
  • BitLocker can demand its Recovery Password or Recovery Key because it detected hardware changes.
  • BitLocker can log several issues that it has trouble retrieving a master key.
  • BitLocker can log VMK unsealing issues (TPM-related).
  • You can get stuck in a boot-loop prior to getting into Windows.
  • Your delete-key bashing was not registered this boot. Try again next time. Let me load BitLocker Recovery for you and after that Windows Boot recovery. Just because. To help you.

Details

  • Windows 11 23H2, UEFI, Secure Booted
  • TPM
  • C: on NVMe; no quick unlinking

1 Answer

-2

Even though Fast-Boot was put back to 'enabled' afterwards, in contrast to resetting Secure-Boot (and the CSM setting) its timing effects are different. (Assumed.)

Solution:

(a,b) Disable Fast Boot. Your BitLocker PIN will still be accepted like before, but now your system should not be stuck in a boot loop and Windows should load.

After BitLocker has been successfully unlocked with TpmAndPIN, you could consider re-enabling Fast-boot if you want.

Question c:

Secure Boot, TPM and BitLocker are connected. When one continues BitLocker from suspending/pausing it (originally to avoid it demanding something else than one's PIN), either the drive or the TPM seems to enter a new state that the caching mechanism of Fast-Boot is not informed about. So if you reboot then, the Fast-Boot mechanism seems to work against you. By disabling it, you bypass the issue and everything boots properly.

Future

Strategies to avoid issues:

  • A dedicated SpinRite machine (I had an old machine available; for whatever reason it did not detect the USB target medium.) FYI: a dedicated machine does not need any drives, just reliable RAM and a quiet fan.
  • Future SpinRite 7.0
  • Suspend BitLocker, emergency recovery file (.BEK), use BIOS save profile, restore BIOS, no Fast-Boot during mode changes. Shutdown + start instead of reboot at significant moments.
  • 1
    There is no way to make SpinRite support BitLocker. End of story. SpinRite 7 is vaporware. It's been in development for nearly 10 years. SpinRite was never designed to work in a post-MBR world; it does not even work on any drive larger than 2 TB.
    – Ramhound
    Commented Apr 22 at 12:44
  • That's not the question @Ramhound, it is about getting back into Windows after using a CSM-booted drive and running into issues because one altered BIOS settings. I will however attempt to make the question more skim-compatible.
    – A71
    Commented Apr 22 at 13:42
  • 1
    I am aware of what the question is; it does not seem you were tracking that SpinRite will never support GPT disks, which is required for UEFI boot mode. Secure Boot of course has little to do with BitLocker though. Fast Boot works by restoring the previous state of Windows; if that previous state of Windows is invalid, Windows will fail to boot, which is exactly what you experienced when you enabled CSM.
    – Ramhound
    Commented Apr 22 at 13:51
  • The problem is related to Fast-Boot and BitLocker. No boot issue was experienced due to CSM; it was turned off after use. (SpinRite can handle BitLocker encrypted drives. It is not aware and does not care.) - The issue was the boot loop that occurred in UEFI mode with Secure Boot on, and the cause seemed to be Fast-Boot. The intention is to share the (BitLocker) experience around the unexpected boot loop caused by the seemingly delayed effects of Fast-Boot. @Ramhound
    – A71
    Commented Apr 22 at 14:08
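
The suspend, recovery-key and resume sequence from the question and answer above, written as an added PowerShell example (not part of the original posts). The function names and the `E:\` key location are assumptions; the BitLocker cmdlets and `Confirm-SecureBootUEFI` are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example; function names and the E:\ key path are assumptions.
$Mount = 'C:'

function Start-FirmwareChangeWindow {
    param([string]$KeyDir = 'E:\')   # removable drive for the .BEK file (assumed path)

    $vol = Get-BitLockerVolume -MountPoint $Mount
    # Make sure a recovery key (.BEK) protector exists before touching firmware settings.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')) {
        Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryKeyProtector `
            -RecoveryKeyPath $KeyDir | Out-Null
    }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run,
    # however many reboots the CSM-booted work takes.
    Suspend-BitLocker -MountPoint $Mount -RebootCount 0 | Out-Null

    if ((Get-BitLockerVolume -MountPoint $Mount).ProtectionStatus -ne 'Off') {
        throw "BitLocker is still active on $Mount; do not change firmware settings yet."
    }
    'Suspended. Disable Fast Boot in firmware setup, then shut down (not reboot).'
}

function Stop-FirmwareChangeWindow {
    # Confirm-SecureBootUEFI throws on a legacy/CSM boot and returns $false
    # when the machine is in UEFI mode but Secure Boot is off.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { throw 'Not booted in UEFI mode; restore the firmware profile before resuming.' }
    if (-not $secureBoot) { throw 'Secure Boot is off; restore it before resuming BitLocker.' }

    Resume-BitLocker -MountPoint $Mount | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Mount
    if ($vol.ProtectionStatus -ne 'On') { throw "Protection did not resume on $Mount." }
    # List protectors so the TpmPin and recovery entries can be checked by eye.
    $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
}
```

Run `Start-FirmwareChangeWindow` before entering firmware setup and `Stop-FirmwareChangeWindow` after the saved profile has been restored and Windows has booted; the firmware Fast Boot option itself cannot be read from these cmdlets and has to be checked in setup.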
