Check the following list for possible configurations that might be applied:

  • Check if Microsoft Bitlocker is disabled.
  • Check BIOS Settings if boot priority is set to Disk Drive.
  • Check Disk / SATA mode if configured to AHCI.
  • Starting in 2022, Microsoft requires that the 3rd Party Certificate be disabled by default on Secured-core PCs. This means that for any of these Lenovo platforms shipped with Windows preinstalled, an extra step is needed to allow Linux to boot with Secure Boot enabled. The official reference document from Lenovo is available through the link.
    • In the BIOS menu, select the “Security” option and then the “Secure Boot” sub-menu. Set “Allow Microsoft 3rd party UEFI CA” to “On”.
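
The Secure Boot item in the checklist above can also be confirmed from a Linux system booted in UEFI mode on the device. The following is an added example, not taken from the original article, Lenovo or Trend Micro: it parses the firmware's Secure Boot `db` variable and reports whether a Microsoft third-party UEFI CA certificate is trusted. It assumes the firmware reflects the BIOS toggle in `db` and that efivarfs is mounted at the path shown; certificate names are matched as raw bytes instead of parsing X.509.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject common names of Microsoft's third-party UEFI CAs (2011 and 2023).
THIRD_PARTY_CAS = (b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023")
# Assumed efivarfs location of the Secure Boot "db" variable.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def x509_entries(db: bytes):
    """Yield the DER bytes of each X.509 entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        # Reject truncated or malformed lists instead of reading past the end.
        if list_size < 28 or off + list_size > len(db) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509_GUID:
                yield db[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
            pos += sig_size
        off = end


def third_party_ca_trusted(db: bytes) -> bool:
    """True if any db certificate contains a Microsoft third-party UEFI CA name.

    This is a byte match on the DER data (subject or issuer), not an X.509 parse.
    """
    return any(name in cert for cert in x509_entries(db) for name in THIRD_PARTY_CAS)


def read_efivar(path: str = DB_PATH) -> bytes:
    """Read an efivarfs variable, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    print("3rd party UEFI CA in db:", third_party_ca_trusted(read_efivar()))
```

A result of `False` with Secure Boot enabled is consistent with the default Secured-core configuration described above, in which Linux-based boot media is not allowed to boot.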

Try to use the Recovery Tool to fix the issue.

  1. Prepare the Recovery Tool.
  2. Connect the Ethernet cable that reaches the PolicyServer. This allows the user to try both QuickScan and Extensive Repair if QuickScan is unable to fix the disk.
  3. Wait for the QuickScan to be completed.
  4. If the Recovery Tool successfully repaired the disk, it shows the following:
    • Remove the Recovery Tool.
    • Reboot or shut down and try again.

    If it failed to fix the disk, proceed to Step 2. Performing the Extensive Repair.

  5. Collect the CDT using Recovery Tool 6.0.0.3343 for SEG analysis, especially when the disk is an NVMe drive. This applies to both successful and failed repairs.
  6. If the disk is a Self-Encrypting Drive (SED) or uses Hardware Encryption, shut down and try again.
 
If the Recovery Tool 6.0.0.3343 does not work, please repeat the steps with Recovery Tool 6.0.0.3049.
 
Make sure the device can connect to PolicyServer; otherwise, Launch File Explorer may not work.
Connect the Ethernet cable that reaches the PolicyServer. The Recovery Tool only supports Ethernet. If the device does not have an Ethernet port, use a dock or an external (USB) Ethernet card, which will also work.

The Recovery Tool displays the Unable to Repair Device status if it requires an administrator account to perform the repair. Additionally, it adds the Extensive Repair option to the screen.

  1. Use the Advance Repair or Extensive Repair.
  2. If the Recovery Tool successfully repaired the disk, it shows the following:
    • Remove the Recovery Tool.
    • Reboot or shut down and try again.
  3. Back up important data using Launch File Explorer in Recovery Tool 6.0.0.3343.
    1. Copy the necessary files from the hard disk under /mnt to the USB drive under /mnt.
      The directory structure is similar to Windows (e.g. /mnt/sda1/Document Settings/user1/, /mnt/sda1/windows/, /mnt/sda2/DATA/)
    2. Copy to USB or external HDD (e.g. /mnt/usb/Disk 2/Partition 2/).
    3. For SED or Hardware Encryption, try Unlock SED if preboot does not work.
  4. If you encounter any issues, do the following:
    1. Take a screenshot or video recording of the boot issue.
    2. Take a screenshot of the repair error.
    3. Collect the CDT logs.
    4. Provide the following information:
      • Does preboot still work?
      • Is it device-encrypted or fully encrypted?

To decrypt the disk or copy the data, the user may decrypt the device/disks using the recovery console in preboot or move the disk (which is not supported in FDE 5.0 Patch 4).

Option A. Decrypt the device using the recovery console in preboot

Below are the requirements:

Follow the procedure:

  1. Boot into preboot and log in to the recovery console.
  2. Decrypt the device/disks.
  3. After decryption, run Restore Boot Partition (Remove preboot).
  4. Remove the remaining FDE files in Windows. Do not run MsiExec.exe without first restoring the boot partition.
      MsiExec.exe /X{17BACE08-76BD-4FF5-9A06-5F2FA9EBDDEA}

Another option is to boot with the RecoveryTool_6.0.0.3218_Run_Preboot.iso to see if the preboot can be shown.

Option B. Move the disk (not supported in FDE 5.0 Patch 4)

Below are some items to consider:

  • The user can move the disk to another device (with FDE 6.0 installed) in the same PolicyServer group.
  • The FDE database is still healthy, which means Advance Function is working or Extensive Repair is successful.
  • This option may not work when connected through a USB adapter.

Follow the procedure:

  1. Plug in the disk to the target device.
  2. Boot up the machine.
    The new disk will be detected when DraService.exe starts running. A system tray notification will show.
  3. Connect to PolicyServer to request the disk.
  4. Reboot the machine to access the disk. The data of this disk can be accessed on that device.
  5. Back up the important data.

If the methods above do not work, submit a SEG case to create a special decrypt CD. See How to collect necessary information for decrypt disk.