Using rEFInd to boot Windows 10 with Secure Boot and Bitlocker encryption enabled

Question

I have a corporate laptop (HP Zbook 15) with two m2.sata drives:

• nvme0: the one that shipped with the computer, featuring Bitlocker encrypted Windows 10
• nvme1: a secondary drive running linux I use for development

Secure Boot cannot be disabled as Windows will ask for a Bitlocker key. I can successfully press F9 at startup to select either rEFInd (works great for choosing my distro) or Windows Boot manager (which automatically boots Windows 10 just fine).

I've tried the following entry for rEFInd and it takes me to a recovery screen (like this) prompting for the bitlocker key...

menuentry "windows" {
    icon    /EFI/refind/icons/os_win.png
    volume  31d21f1a-4ed3-46f4-b401-48756183db86
    loader  /EFI/Microsoft/Boot/bootmgfw.efi
}

If I enter UEFI BIOS entries, then select "Boot from file" and navigate to my MS partition, then EFI/Microsoft/Boot/bootmgfw.efi, it boots Win10 just fine.

Is it possible to emulate/chainload whatever the "Windows Boot Manager" does normally from rEFInd? It's really not a huge deal, I'd just like to use rEFInd directly both both Win/linux instead of having to press F9 whenever I want to boot Windows.

---

Some relevant information:

$ sudo bootctl

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/f0efab19-3f41-d34c-b30b-071ed9d3529a)
         File: └─/EFI/BOOT/BOOTX64.efi

Boot Loaders Listed in EFI Variables:
        Title: rEFInd Boot Manager
           ID: 0x000B
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/f0efab19-3f41-d34c-b30b-071ed9d3529a
         File: └─/EFI/refind/shimx64.efi

        Title: Windows Boot Manager
           ID: 0x0012
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/31d21f1a-4ed3-46f4-b401-48756183db86
         File: └─/EFI/Microsoft/Boot/bootmgfw.efi

$ sudo blkid 
/dev/nvme0n1: PTUUID="fe7acdb6-21f2-405f-9eac-5fd4734bbe79" PTTYPE="gpt"
/dev/nvme0n1p1: LABEL="EFIBOOT" UUID="C432-A96A" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="31d21f1a-4ed3-46f4-b401-48756183db86"
/dev/nvme0n1p2: PARTLABEL="Microsoft reserved partition" PARTUUID="8f35a4b7-c9d0-4ca9-ac3b-68a7636e0527"
/dev/nvme0n1p3: TYPE="BitLocker" PARTLABEL="Basic data partition" PARTUUID="443943e8-e990-4505-9ec0-3d48a8ce179d"
/dev/nvme0n1p4: UUID="48F44FAAF44F9958" TYPE="ntfs" PARTUUID="d2a1a2b3-a85e-4a7c-a5c4-dd11a9c551dd"
/dev/nvme1n1: PTUUID="62ee1ebc-b1ba-f246-995c-01d88db34d56" PTTYPE="gpt"
/dev/nvme1n1p1: UUID="4D0C-BA2F" TYPE="vfat" PARTUUID="f0efab19-3f41-d34c-b30b-071ed9d3529a"
/dev/nvme1n1p2: UUID="a4b60c68-9638-487c-ae82-9e7dac7bf0ce" TYPE="ext4" PARTUUID="4bdcd743-9d09-2f41-9379-e5491e79ae9d"
/dev/nvme1n1p3: UUID="dc2c470e-ec77-43df-bbe8-110c678785c2" TYPE="crypto_LUKS" PARTUUID="dd250d2a-7173-3e4a-b026-f032a8809062"