Add "Windows 10" (with Bitlocker encrypted) boot entry to GRUB

Question

I have a dual boot system with Windows 10 & Ubuntu Unity 23.10. My main system is the Ubuntu system, but from time to time i have something todo on Windows.

Currently im switching with the BIOS/EFI quick boot menu.

How can i add a "Windows" entry in GRUB that starts the Windows partition/os? Both systems have dedicated ssd. Windows = sda, Ubuntu = sdb.

I tried to add the Windows entry to /etc/grub.d/40_custom and rebuild the grub.cfg with update-grub:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
#menuentry "Windows 10" {
#    insmod part_msdos
#    insmod ntfs
#    set root='(hd0,msdos1)' # Anpassen Sie dies entsprechend Ihrer Windows-Partition
#    chainloader +1
#}
#76EC965EEC961887
#sudo blkid /dev/sda1
menuentry 'Windows 10' {
    search --fs-uuid --no-floppy --set=root 76EC965EEC961887
    chainloader (${root})/EFI/Microsoft/Boot/bootmgfw.efi
}

The problem with the config above, is that it says Error: File >/EFI/Microsoft/Boot/bootmgfw.efi< not found. (Answer from here: https://askubuntu.com/a/977251)

The commented entry:

#menuentry "Windows 10" {
#    insmod part_msdos
#    insmod ntfs
#    set root='(hd0,msdos1)'
#    chainloader +1
#}

Says something similar: Invalid EFI file path:

What/where i do have to point grub that i can start my Bitlocker encrypted Windows OS? I do not use any TPM module, just a password/passphrase.

The question/answer from here How to add Windows 10 to grub boot loader? does not handle bitlocker encryption.

blkid output:

/dev/mapper/sdb3_crypt: UUID="Qa4U6U-NHWZ-43ls-yA4d-cjpe-msbA-LqFRCN" TYPE="LVM2_member"
/dev/mapper/vgubuntu--unity-swap_1: UUID="0011aea7-ca50-4b2c-a9f4-e3dca2d4a024" TYPE="swap"
/dev/mapper/vgubuntu--unity-root: UUID="b293f930-373e-4733-96f7-7859ec008691" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sdb2: UUID="04d5a3a1-dd17-449b-a692-f4a4a24a11b7" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="9f5bcccd-6fe6-471d-aba2-8e44de44fbf4"
/dev/sdb3: UUID="84a67fde-1ef2-41d1-94b7-eacb88ab08ab" TYPE="crypto_LUKS" PARTUUID="8eba46c6-88dc-4f02-aa71-2ea90625d47d"
/dev/sdb1: UUID="4C36-1F97" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="c1bcdc04-4313-40dd-ba2a-27ac5c3d9423"
/dev/sda2: TYPE="BitLocker" PARTUUID="8b4480f4-02"
/dev/sda3: BLOCK_SIZE="512" UUID="3E564DDA564D9395" TYPE="ntfs" PARTUUID="8b4480f4-03"
/dev/sda1: LABEL="System-reserviert" BLOCK_SIZE="512" UUID="76EC965EEC961887" TYPE="ntfs" PARTUUID="8b4480f4-01"

I have tried to use the PARTUUID 8b4480f4-02, but it fails saying:

Error: no such device: 8b4480f4-02
Error: File >/EFI/Microsoft/Boot/bootmgfw.efi< not found

Answer 1

Currently im switching with the BIOS/EFI quick boot menu.

I would recommend you continue doing that. When BitLocker is configured to use the TPM and Secure Boot (i.e. the PCR7 binding mode), it doesn't like any intermediaries that aren't Microsoft-signed.

Aside from the one-time change in the boot chain (which will require the BitLocker recovery key), it'll use the more fragile PCR4 binding mode which will be invalidated by every GRUB update (and tends to get invalidated by Windows updates too), so you'll be entering the BitLocker recovery key a lot. (Of course, if you're using BitLocker with a passphrase, this doesn't make any difference; it'll just keep asking for a passphrase like normal.)

You can run efibootmgr --bootnext XXXX from within Ubuntu to pre-set EFI to boot straight into Windows once, without having to mess around with the EFI boot menu manually.

The problem with the config above, is that it says Error: File >/EFI/Microsoft/Boot/bootmgfw.efi< not found. (Answer from here: https://askubuntu.com/a/977251)

I would guess that you're specifying the wrong partition as $root – the UUID you've specified looks awfully like an NTFS UUID, and I doubt that your EFI System Partition is NTFS. Almost always it is FAT32 (and as you can see in the linked answer, FAT32 UUIDs are only half the length).

Instead of assuming /dev/sda1 is the correct one, try looking in all partitions for the actual file (or for the EFI directory) and use the UUID of whichever partition you found.

If the partition is in fact NTFS, then it's more likely that it's not an EFI boot partition but one for 'legacy' BIOS (which would explain the absence of Bootmgfw.efi). I'm not sure if you can chainload into that from within an EFI-based bootmanager at all, but either way you would need the "BIOS VBR chainload" chainloader +1 approach in that case.