Setting up a Microsoft Surface Pro 4 for Dual Boot with Windows 10 and Fedora 32

Including SecureBoot, LUKS2 encryption, and BitLocker

3 June 2020

While there is a plethora of Linux distributions, most of us end up choosing only one as our main daily driver. Personally, I have been working on Debian most of my UNIX/Linux life. After a little bit of Unix and SuSE Linux, I started my Debian journey when I had to set up servers for some of the projects I was working on. Later, Ubuntu became my go-to desktop distro for software development.

Recently, I decided to try a different Linux distribution as my daily driver. After some consideration, my vote went to Fedora 32.

I hadn't planned to turn this into a blog post, but after a request on Twitter, here's my write-up of what I did - or remember doing - to set up my Surface Pro 4 (i7, 256GB SSD, and 16GB RAM) with Fedora 32 and Windows 10.

Goals

The main goals I had in mind were about avoiding the most common Linux annoyances that I had run into in the past.

  • WiFi must be stable.
  • BitLocker Recovery must not prompt me for the key every time I start Windows.
  • The setup must be fully encrypted. That is, BitLocker on Windows, LUKS2 on Fedora, and SecureBoot enabled.
  • Touchscreen should work under Linux.
  • Hibernate/Suspend/Sleep should work reliably.

Before You Start

Before you start, there are a few things to know to avoid surprises.

Documentation

I recommend having a read through the following links prior to starting the installation process. My write-up here is complementary to them.

BitLocker

In order to make this setup work smoothly, make sure that Windows' BitLocker is turned off. This is crucial in avoiding a situation where the BitLocker Recovery screen would otherwise pop up every time you boot Windows.

Further, remember to back up your BitLocker Recovery Key when you enable BitLocker at a later stage (after Fedora is installed). I highly recommend binding your Microsoft account to your Windows login, because you will be provided with an option to back up your BitLocker key to your Microsoft account, and it only works if you use your Microsoft account to log in to Windows.

Once backed up, you can then access the key at any time at http://account.microsoft.com/devices/recoverykey. It's really practical for when you occasionally make changes to the secure boot setup (due to kernel upgrades, boot sequence changes, and so on).

You can enable BitLocker (again) once your Fedora setup is complete.

If you forget this step, you will have to 'fix' SecureBoot/BitLocker by rebooting into Windows after the installation process is done. There, disable and re-enable BitLocker. For obvious reasons, it is better to disable BitLocker before installing Fedora or any other Linux distro.

SecureBoot

Some blogs suggest turning off SecureBoot for this procedure. From my experience, this is not necessary, as long as you turn off BitLocker before you install Fedora. You may at a later stage be required to enter the BitLocker key should you make subsequent changes to UEFI or install a new kernel, but those times of entering the recovery key are one-offs.

GRUB Config

Try not to edit the GRUB configuration file /boot/efi/EFI/fedora/grub.cfg directly. This is also mentioned in the file itself:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

If you wish to re-generate the configuration file, use grub2-mkconfig:

sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Touchscreen OR Surface Pen

The linux-surface kernel installation instructions mention that you can get either the touchscreen or the surface pen to work (with libwacom-surface). This was something that really irritated me after installing the kernel. So keep in mind that the surface pen is the default enabled choice, and you can have only one of the two working at a time.

The latest kernel works with either single-touch OR pen support (you have to choose one or the other). By default pen support is enabled.

As this is only mentioned later on in the official installation instructions, I thought I'd point it out at the beginning of mine.

USB Flash Drives

Your USB Flash Drives should have at least 8GB each. If you need to buy some, I'd recommend buying a SanDisk Cruzer 32GB USB 2.0 drive. They're AUD $7.88 at OfficeWorks, only $2 more than the 16GB version. And they're available in different colors.

For Fedora, you can use Fedora Media Writer, or you can just download the Fedora ISO file and use Rufus to create the bootable device. I was using the latter. There are plenty of instructions for either of the two, including YouTube videos.

If you intend to get rid of the Windows recovery partition and/or do a fresh Windows install, get another USB drive with at least 8GB. Then pop over to Microsoft's Windows 10 ISO Download Page. Use the Windows Media Creation Tool to create the drive.

Windows

When I attempted the dual boot install the first time and wanted to shrink the Windows partition for that purpose, I noticed that I could not shrink all available space, but only about 70GB of my 256GB SSD. The system files had fragmented too much over time. More about potential issues with shrinking volumes in Windows can be found here.

In addition, the recovery partition was a thorn in my eye because I simply wanted that space dedicated to Fedora, so I ended up performing a fresh install with the Windows Media Creation Tool and getting rid of the recovery partition. Armed with a Windows installation flash drive I can always just re-install when needed.

If you go down that route, just create your Windows Flash Drive, boot into it, and delete all partitions to combine all unallocated space into one. Then partition the unallocated space as desired.

Alternatively, choose to create a single partition to install into, and shrink the Windows partition after the fresh install. With the partition being brand new, you should not run into any issues shrinking it.

Fedora

Before you consider installing Fedora, I recommend booting into the live distro from USB. Try a few things, get familiar with the package manager (dnf), and perform a system upgrade. This was my approach and after experimenting with it for a while and installing the most important tools into the live distro, I was convinced and chose to install it.

Another aspect to consider is Fedora's release schedule. While it is my first Fedora installation, the more bleeding-edge approach to packages makes a lot of sense to me. You should consider your own experience with Linux before you choose Fedora over Ubuntu, Mint, or any other distro. Just trying the live distros prior to installing any of them permanently is probably the best advice to give here.

Further, the plain and bare GNOME just appeals to me. I use the Super key to search-and-run any software, or to bring up the terminal. I don't need a UI, and when I do, that's for the settings. After a few days working on Fedora 32 I have to say that I absolutely love having zero desktop icons. On Windows, they're mostly covered by the windows I open, and even the smallest dock or task bar takes away valuable screen real estate.

Lastly, my workflow often involves multiple workspaces/desktops. In Fedora, I just press the Super key and can then choose between the apps, or I press Super + Alt + Arrow Down/Up to switch desktops.

Installation

Change Boot Sequence

Your first step should be to change the boot sequence. Therefore, bring up the UEFI boot menu as follows:

  1. Switch off/shut down your Surface.
  2. Hold the Volume Up button on your Surface.
  3. While still holding the Volume Up button, press the Power button on your Surface.
  4. Release the Power button when the Surface logo comes up.
  5. After a while, the UEFI Boot menu should pop up.
  6. Go to the Boot section and move the USB Storage option to the top.
  7. Plug in your Fedora 32 Flash Drive.
  8. Exit the menu.

Try Fedora

If you reboot now with the Fedora USB flash drive inserted, you can boot into the Live Fedora distro and give it a try first.

Disable BitLocker in Windows

  1. Boot into Windows 10
  2. Open the Explorer
  3. Right-click on your Windows hard-drive
  4. If BitLocker is enabled, there will be a menu item "Manage BitLocker". If BitLocker is disabled, the context menu option is "Turn on BitLocker". No need to do anything in that case, obviously.
  5. Choose "Manage BitLocker" and disable it. Then get yourself a coffee.
  6. Back up stuff
  7. Press Windows + R
  8. Enter diskmgmt.msc
  9. Shrink Windows Partition

Install Fedora 32

Insert the Fedora Live USB flash drive and reboot.

  • When the Fedora menu pops up, select Test this media and install Fedora
  • In Installation Summary, select Installation Destination
  • Select Custom
  • Select LVM as partitioning scheme
  • Select Click here to create them automatically
  • Modify partition size if necessary (e.g. I assigned more to /home than to /root). If you want to give one partition the remaining space, just enter a very large number. It will be automatically adjusted.
  • Enable encrypt and select LUKS2 encryption for /root
  • Enable encrypt and select LUKS2 encryption for /boot (not the /boot/EFI one!)
  • Enable encrypt and select LUKS2 encryption for /home
  • Click Done and enter a password. Better not to forget that one.
  • Continue Installation

The rest is pretty straightforward. Once the installation is complete, remove the USB drive, boot into your permanent Fedora installation and have a look around.

Note that if you chose to encrypt the partitions as instructed above, you will be prompted with a password input. You need your encryption password from the previous step here.

Upgrade Fedora

The first thing you should do once you have booted up is to upgrade the system. No matter how new your ISO file was, there may (will!) be some updates available.

Therefore, run a system upgrade by opening a terminal and typing:

sudo dnf upgrade

Optional: RPM Fusion

I recommend installing RPM Fusion to enable free and non-free packages from that repository.

# For Bash
sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

For example, in order to install the proprietary h264 codec, which is not available via the main Fedora repo, run this afterwards:

sudo dnf install x264

Status

You may notice that not everything is working:

  • Touchscreen is not working
  • Pen is not working
  • WiFi might stop working on sleep or be otherwise unreliable

The above issues can be fixed with the linux-surface kernel installation. Remember that you will have to choose between the pen (enabled by default) and the touchscreen after the linux-surface kernel is installed.

Install the Linux Surface Kernel

In order to install the linux-surface kernel, first introduce the repository to DNF.

sudo dnf config-manager --add-repo=https://pkg.surfacelinux.com/fedora/linux-surface.repo

Now install the required packages as follows.

sudo dnf install kernel-surface surface-firmware surface-secureboot
sudo dnf install --allowerasing libwacom-surface

At some point during the installation, you will see some output similar to this:

# Output
...
  Preparing        :                                                        1/1 
  Running scriptlet: surface-secureboot-20200402-1.fc32.noarch              1/3 
  Installing       : surface-secureboot-20200402-1.fc32.noarch              1/3 
  Running scriptlet: surface-secureboot-20200402-1.fc32.noarch              1/3 

The secure-boot certificate has been installed to:

    /usr/share/surface-secureboot/surface.cer

It will now be automatically enrolled for you and guarded with the password:

    surface

Note the message It will now be automatically enrolled for you and guarded with the password.

You should now see the new kernel as an option using grubby.

[andreas@localhost ~]$ sudo grubby --default-kernel
/boot/vmlinuz-5.6.14-1.surface.fc32.x86_64
[andreas@localhost ~]$ sudo grubby --info=ALL
index=0
kernel="/boot/vmlinuz-5.6.14-300.fc32.x86_64"
title="Fedora (5.6.14-300.fc32.x86_64) 32 (Thirty Two)"
...
index=1
kernel="/boot/vmlinuz-5.6.14-1.surface.fc32.x86_64"
title="Fedora (5.6.14-1.surface.fc32.x86_64) 32 (Thirty Two)"
...

Reboot.

Now I thought it was time to reboot. Indeed, the new kernel was set as the default option in GRUB2. Selecting it, however, I ran into two errors: Invalid signature and You need to load the kernel first.

Given the output in the previous step saying that It [the certificate] will now be automatically enrolled, I was surprised to see the Invalid signature message. Clearly, something was wrong with SecureBoot not being able to validate the kernel entry because of a missing certificate.

To list enrolled certificates, type the following in a terminal:

sudo mokutil --list-enrolled

To fix the enrollment issue, reboot and choose one of the other kernel (stock kernel) options.

Enroll Certificate

You can create your own certificate (see instructions for the JakeDay kernel, for example). More simply though, just use the one created in the previous steps. While it wasn't enrolled successfully, it was still created under /usr/share/surface-secureboot/surface.cer, so just go with it if you like.

sudo mokutil --import /usr/share/surface-secureboot/surface.cer

# enter password (let's say 'surface')

# Verify: 
sudo mokutil --list-enrolled

Now mokutil should list the certificate. If that is the case, you can reboot.

You'll get a blue screen with a menu.

Select Enroll MOK.

The next step allows you to view the key or continue. Have a look at the key if you like and then press ESC to leave that screen. Finally, choose Continue and confirm the enrollment.

When asked for the key password, enter whichever password you chose (in this example we used surface).

Now reboot. Next time you select the linux-surface kernel option from the boot menu, it should successfully boot up Fedora 32 with the Surface kernel.
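To check the state of the certificate at any point in the procedure above, the following added example (not part of the original post or of the linux-surface project) compares its SHA-1 fingerprint against both the enrolled list and the pending list (mokutil --list-new) and reports whether it is enrolled, still pending, or missing. The function names and the check argument are made up for this example; the certificate path is the one from the installer output.

```bash
#!/bin/sh
# Added example: report the MOK state of a certificate by SHA-1 fingerprint.
# CERT defaults to the path printed by the surface-secureboot package.
CERT=${CERT:-/usr/share/surface-secureboot/surface.cer}

# Reduce "SHA1 Fingerprint=AA:BB" (openssl) or "SHA1 Fingerprint: aa:bb"
# (mokutil) lines on stdin to bare lowercase hex, one value per line.
norm_fp() {
    tr '[:upper:]' '[:lower:]' |
        sed -n 's/^.*fingerprint[=:] *//p' |
        tr -d ': \r'
}

# cert_fp FILE: fingerprint of a DER-encoded certificate.
cert_fp() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | norm_fp
}

# list_has_fp FP: read a mokutil listing on stdin; succeed if FP is in it.
list_has_fp() {
    norm_fp | grep -qxF "$1"
}

# mok_status FP ENROLLED_LISTING PENDING_LISTING
# Prints one of: enrolled, pending, missing.
mok_status() {
    if printf '%s\n' "$2" | list_has_fp "$1"; then
        echo enrolled
    elif printf '%s\n' "$3" | list_has_fp "$1"; then
        echo pending
    else
        echo missing
    fi
}

# Run as: sudo sh mok-check.sh check   (script name is hypothetical)
if [ "${1:-}" = "check" ]; then
    fp=$(cert_fp "$CERT")
    [ -n "$fp" ] || { echo "cannot read $CERT" >&2; exit 2; }
    mokutil --sb-state
    state=$(mok_status "$fp" "$(mokutil --list-enrolled 2>/dev/null)" \
                             "$(mokutil --list-new 2>/dev/null)")
    echo "$CERT sha1=$fp: $state"
    [ "$state" = enrolled ]   # exit status 0 only when fully enrolled
fi
```

A result of pending means the import request was recorded but has not yet been confirmed on the blue MOK screen; enrolled means the firmware will accept kernels signed with that certificate.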

When Fedora is up and running, type uname -a in a terminal to confirm. You should get some output similar to this:

Conclusion

After a few days of using Fedora,

  • The Surface Pen works fine. The touchscreen is not enabled, as explained previously in this blog and here. I haven't tried switching to touchscreen yet.
  • Bluetooth works fine for me at this stage. I had not tried it before installing the linux-surface kernel so can't comment on whether it worked before. But I was able to connect to my Bluetooth headphones without any problems.
  • WiFi is stable
  • I have not tested a setup with external monitors yet.
  • There may be an issue with sleep/hibernate. The screen did not come back once after suspend. Not a big issue for me, but noteworthy. It has not occurred again yet.
  • Power-offs were quite slow. By changing a firewall setting, I was able to work around this issue.
  • I have performed one automatic system update successfully, and the linux-surface kernel was updated from version 5.6.14 to 5.6.15. This is the only time I had to enter the BitLocker Recovery Key when booting into Windows.

Overall, Fedora feels very snappy on my Surface Pro 4, and I am very content with my choice of using it as my new daily driver.

