
NixOs works but Windows boots to Bitlocker recovery #271

Open · Doosty opened this issue Dec 26, 2023 · 9 comments

Comments

@Doosty

Doosty commented Dec 26, 2023

On a Lenovo ThinkPad P14s I installed NixOS on a separate external drive, next to the existing default Windows on the internal drive. I went through the quickstart guide and everything went smoothly; the only thing not described in the guide was that I needed to `sudo chattr -i /sys/firmware/efi/efivars/*` before I could `sudo sbctl enroll-keys --microsoft`. Well, NixOS works with Secure Boot now, but Windows doesn't boot anymore. Is it possible to fix this or did I just lose data? Thanks for the help.

@RaitoBezarius
Member

I assume that you lost your default Windows bootable or something; can you be more explicit about how Windows doesn't boot anymore? What do you observe?

@Doosty
Author

Doosty commented Dec 26, 2023

When I had Secure Boot on:

  • the Windows boot loader successfully booted into Windows
  • NixOS did not boot at all, just 1 second of black screen and back to the boot selection menu

When I had Secure Boot off:

  • the Windows boot loader booted into the BitLocker recovery screen
  • NixOS successfully booted

After lanzaboote with Secure Boot on:

  • the Windows boot loader boots into the BitLocker recovery screen, even after I used the `enroll-keys --microsoft` command
  • NixOS successfully boots and uses Secure Boot

@RaitoBezarius
Member

Yes, that's expected: enrolling new keys will change the Secure Boot database and change the measurements for the boot.
You need to recover BitLocker once to move on.

@RaitoBezarius
Member

This is unrelated to Secure Boot though.

@blitz
Member

blitz commented Dec 26, 2023

I'm not sure what measurements Windows uses to seal the disk encryption key, but what you describe in "After lanzaboote with secure boot on" sounds like what I would expect: you can boot Windows, but BitLocker is not happy because the PCRs have changed.

@RaitoBezarius Do you know off the top of your hat whether the above is expected behavior? If so we should add a warning around having your Bitlocker recovery key handy to the docs.
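An added illustration, not code from this thread or from the lanzaboote project, of why both flipping Secure Boot off and enrolling new keys send BitLocker to the recovery prompt: a simplified model of PCR 7, the TPM register that BitLocker's default TPM-only protector is sealed against, extended over the Secure Boot variable contents. All key names and values are constructed stand-ins, and the event layout is a simplification of what real firmware measures.

```python
import hashlib

# Simplified, constructed model of PCR 7 (the "Secure Boot policy" PCR).
# Firmware hashes each Secure Boot related event (SecureBoot flag, PK, KEK,
# db, dbx contents) and extends the register as
#     PCR = SHA-256(PCR || SHA-256(event))
# Every value below is an invented stand-in, not a real measurement.

PCR_INITIAL = bytes(32)  # SHA-256 bank PCRs start out as all zeros

def extend(pcr: bytes, event: bytes) -> bytes:
    """One TPM2_PCR_Extend step in the SHA-256 bank."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def pcr7(secure_boot_on: bool, pk: bytes, kek: list, db: list, dbx: list) -> bytes:
    """Replay the Secure Boot variable measurements into a fresh PCR 7."""
    events = [
        b"SecureBoot=" + (b"\x01" if secure_boot_on else b"\x00"),
        b"PK=" + pk,
        b"KEK=" + b"|".join(kek),
        b"db=" + b"|".join(db),
        b"dbx=" + b"|".join(dbx),
    ]
    pcr = PCR_INITIAL
    for event in events:
        pcr = extend(pcr, event)
    return pcr

def tpm_releases_vmk(sealed_pcr7: bytes, current_pcr7: bytes) -> bool:
    """The TPM only unseals BitLocker's volume master key when the live PCR
    matches the policy it was sealed to; otherwise Windows asks for recovery."""
    return sealed_pcr7 == current_pcr7

# Constructed stand-ins for the keys a stock Windows laptop ships with.
OEM_PK = b"OEM Platform Key"
MS_KEK = b"Microsoft Corporation KEK CA"
MS_DB = [b"Microsoft Windows Production PCA", b"Microsoft Corporation UEFI CA"]

def stock_windows_pcr7() -> bytes:
    return pcr7(True, OEM_PK, [MS_KEK], MS_DB, [])

def secure_boot_disabled_pcr7() -> bytes:
    # Same keys, but the SecureBoot flag flips: enough to change PCR 7.
    return pcr7(False, OEM_PK, [MS_KEK], MS_DB, [])

def after_enroll_keys_microsoft_pcr7() -> bytes:
    # "sbctl enroll-keys --microsoft" (as modelled here): the user's own
    # PK/KEK/db entries sit alongside Microsoft's, so Windows still boots,
    # but PK, KEK and db contents all differ from what the VMK was sealed to.
    return pcr7(True, b"sbctl PK", [b"sbctl KEK", MS_KEK], [b"sbctl db"] + MS_DB, [])
```

Once Windows has been unlocked with the recovery key, BitLocker reseals the VMK to the new PCR 7 value, which is why a single recovery is enough.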

Doosty changed the title from "NixOs works now, Windows doesnt" to "NixOs works but Windows boots to Bitlocker recovery" on Dec 26, 2023
@Doosty
Author

Doosty commented Dec 26, 2023

> Yes, that's expected: enrolling new keys will change the Secure Boot database and change the measurements for the boot. You need to recover BitLocker once to move on.

Ok, that worked. I didn't know Microsoft stores the BitLocker recovery keys online; I thought for sure I had just bricked my Windows laptop. Sorry for the panic, everyone, and thanks for the help.

Doosty closed this as completed Dec 26, 2023
@blitz
Member

blitz commented Jan 3, 2024

@RaitoBezarius Can we leave this open so we don't forget to add some warning to the documentation?

RaitoBezarius reopened this Jan 3, 2024
@RaitoBezarius
Member

> @RaitoBezarius Can we leave this open so we don't forget to add some warning to the documentation?

Yes of course!

@dweee
Contributor

dweee commented Apr 28, 2024

For info, at least on the only system I have currently set up (Framework 16), I have not needed to remove the immutable attribute on the EFI variables at `/sys/firmware/efi/efivars/*`.
If anyone has any issues with their Windows install always asking for the BitLocker recovery key on every boot up, you can add `boot.lanzaboote.settings.reboot-for-bitlocker = true;` to your configuration and it should resolve the issue. Anyways, I believe this issue is resolved and can be closed :D
