A while back, I wrote about the excellent Ventoy program, which lets users boot from any of a number of ISO images on a USB drive. Of course, that meant I had to test the tool, so I could see it work (and better understand how to use it).
My Lenovo test machines (two X380 Yogas, in this case) ship with BitLocker turned on for the system/boot drive. There’s a certain sequence of activities involved in booting to alternate media when Secure Boot is enabled and the primary drive has BitLocker turned on. Because that’s the case on those Lenovo laptops, I had to remember to follow that sequence to keep those systems working normally when I wanted to boot from their SSDs, rather than alternate media. Otherwise, if Secure Boot is turned off, the system doesn’t boot to the SSD; instead, it prompts me at the BIOS level to enter my BitLocker recovery key, as shown in the lead-in graphic for this story.
[Please note: the example screen comes from Ariel Mu at Medium.com. That’s her recovery key, URL, and Recovery key ID showing, not any of mine. This seemed to be the safest way to show you what one looks like without sharing anything too confidential.]
This technique works through Settings in Windows 10 before you reboot. It takes a little longer, but usually means you will be able to access your BIOS upon reboot.
[Source: MiniTool Software.]
Doing The BIOS Switcheroo
To begin with, when I want to boot from alternate media, I need to jump into the BIOS and disable Secure Boot. The easiest way to do that is via Settings → Update & Security → Recovery → Under Advanced Startup, click Restart Now. Then when the PC is restarting choose Troubleshoot → Advanced Options → UEFI Firmware Settings from the boot menu. This gets you into the BIOS from Windows itself.
Of course, you can also enter the BIOS while the PC is starting up. Lenovo makes this easy (but YMMV depending on the PC maker and model): press Enter once it starts booting and you get a menu that lets you enter the BIOS using the F1 function key. On my X380 Yogas the Main BIOS menu includes an entry named UEFI Secure Boot that shows its status, but I have to go to the Security tab to change its setting (Enabled/Disabled). If I want to boot to alternate media, I need to turn it off.
Then, after I’ve finished doing what I’m doing, I need to get back into the BIOS to turn Secure Boot back on again. Otherwise, my BitLocker-encrypted drive freaks out and asks for the key before it’ll let me in. If I remember to turn Secure Boot back on, I can avoid all that excitement. That’s the way I like it! But that means I must remember to use the Settings technique inside my USB boot environment before I exit, or use the keyboard tricks during initial startup to get into the BIOS then.
Either way works: you just have to remember to do this. Consider yourself warned, and hopefully forearmed, ready to deal with the BIOS switcheroo. Cheers!
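Before flipping Secure Boot, it helps to confirm its current state and to make sure a recovery password exists for the BitLocker volume, in case the recovery prompt described above does appear. The following PowerShell script is an added example, not part of the original post; the `-RebootToFirmware` switch name and the default of checking the system drive are assumptions made for this sketch. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check before changing Secure Boot on a BitLocker-protected PC.
param(
    [string]$MountPoint = $env:SystemDrive,  # assumption: the OS volume is the one to check
    [switch]$RebootToFirmware                # hypothetical switch name used by this script only
)

# Confirm-SecureBootUEFI returns $true or $false on UEFI systems and throws on legacy BIOS.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    $secureBoot = $null
}

# Read BitLocker state and pick out any recovery password protectors on the volume.
$vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]@{
    SecureBootEnabled   = $secureBoot
    MountPoint          = $vol.MountPoint
    VolumeStatus        = $vol.VolumeStatus
    ProtectionStatus    = $vol.ProtectionStatus
    ProtectorTypes      = ($vol.KeyProtector.KeyProtectorType -join ', ')
    RecoveryProtectorId = ($recovery.KeyProtectorId -join ', ')
} | Format-List

# Stop here if the volume is protected but there is no recovery password to type in.
if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
    Write-Warning "No recovery password protector found on $MountPoint; do not change Secure Boot yet."
    return
}

if ($secureBoot -eq $false -and $vol.ProtectionStatus -eq 'On') {
    Write-Warning "Secure Boot is off; re-enable it in the BIOS before booting from the SSD."
}

# Command-line equivalent of Settings > Recovery > Advanced startup > UEFI Firmware Settings.
if ($RebootToFirmware) {
    shutdown.exe /r /fw /t 0
}
```

The `RecoveryProtectorId` value is the identifier to match against the Recovery key ID shown on the BitLocker recovery screen when looking up the stored key.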
Author: Ed Tittel
Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.