I’m writing this article because I had a frustrating GRUB bootloader issue, and I struggled to find a direct answer anywhere else on the Internet! Hopefully this is helpful to somebody. Most of my previous articles have revolved only around pianos and keyboards, but I do technical computer work and thought I should share!
I dual-boot Debian 12 and Windows 11 on my home computer. Both OS partitions are encrypted—Debian with LUKS, and Windows with BitLocker. I could boot either directly from UEFI, but I could not boot to Windows from the GRUB bootloader without entering the BitLocker recovery key. And I’d much rather use GRUB, since it’s a much neater solution. This bothered me for months.
I use both this dual-boot setup and virtual machines. You can read more about how I use a Windows 98 virtual machine to run the old Giebler software here.
Let’s make the following baseline assumptions: You currently have both Windows and some Linux distribution installed, and now you want Windows to boot from the GRUB bootloader without entering the BitLocker key.
Preparing Linux
You’ll need to start by installing boot shims. There are two: a tiny first-stage loader (shim) signed by Microsoft’s third-party certificate authority, and GRUB, signed with your distro’s own key. On my Debian host, this means I have to run the following two commands:
sudo apt update
sudo apt install shim-signed grub-efi-amd64-signed
The post-install scripts do the actual setup. You will likely already have these if your distro was originally installed with Secure Boot turned on.
Preparing Windows
Your Linux distro is set up? Great! Now reboot into Windows using the UEFI boot menu, or whatever boot method currently works for you.
Back up the BitLocker recovery key. Store it off-device (USB, cloud vault, or even paper). You’ll need to enter it at least once during this process, and it’s important to keep a copy in easy reach if anything goes wrong.
Suspend BitLocker protection. Open PowerShell as administrator and type the following command:
manage-bde -protectors -disable C:

Ensure Secure Boot is Enabled
If Secure Boot is already enabled, leave it on; if it is off, turn it on in your UEFI settings. Now that your distro boots through a signed shim, Linux will still boot with Secure Boot enabled.
Boot Windows From GRUB and Re-Enable BitLocker
Now that the shims are installed, Secure Boot is on, and BitLocker protectors are temporarily disabled, boot Windows through the GRUB menu. Because protection is suspended, Windows boots without asking for the recovery key and accepts this chain of boot events. Behind the scenes, Windows now sees the GRUB path as the correct signature path.
Now re-enable BitLocker:
manage-bde -protectors -enable C:
When you next boot Windows through GRUB, it will boot without complaint, even though BitLocker is enabled!
The key step is to disable protection, boot Windows through GRUB, and then re-enable protection.
You Might Have to Do It Again
Any time shimx64.efi, grubx64.efi, or the signed kernel hash changes, Secure Boot sees an unfamiliar signature path. Windows treats that as a tamper event and locks the drive. Enter the recovery key once and Windows “learns” the new chain. To avoid future prompts you can re-sign components with your own Machine Owner Key (MOK), but for most people the occasional prompt after a major distro upgrade is acceptable.