Keith Combs' Blahg

Ramblings from another nerd on the grid

Windows 7 Dual Boot Revisited with Bitlocker

Windows 7 Dual Boot Revisited with Bitlocker

  • Comments 5
  • Likes

windows7_bloglogo A few months ago I started investigating the latest techniques for building a dual boot system.  I was interested in Windows 7 and Windows Server 2008 R2.  There is a wrinkle.  I wanted to boot one of them using “boot from vhd” AND use Bitlocker.

The Corporate Mandate

Bitlocker is a required security component for Microsoft assets.  Because all of our products are moving to 64 bit versions and Hyper-V is the only Microsoft virtualization technology currently capable of executing 64 bit virtual machines, the software mix was decided for me.

The problem is that you cannot “boot from VHD” an operating system that is on an encrypted drive or partition. Ah ha!  That’s the key.  You can either partition your drive, or use a second drive to store the .VHD file that contains the second OS you want to make available for boot.  I chose the later.

I have a laptop that allows me to have two hard drives in it.  I simply pull the CD/DVD drive out and pop in a hard drive adaptor and second hard drive.  This is the standard configuration for Microsoft presenters because we typically load the OS and apps on drive C:, and store data (virtual machines) on drive D:.

Demo Heaven

So in this dual boot configuration, I built a demo environment for the upcoming Windows 7, Windows Server 2008 R2 and Exchange 2010 launch events.  Windows 7 is installed on drive C: (100GB drive).  Windows Server 2008 R2 is installed into a .VHD file on Drive D: (320GB).  After I confirmed that dual boot config was working, I kicked off Bitlocker in Windows 7 and encrypted the entire contents of drive C:.  Again, I verified dual boot was working.  At this point R2 does not have access to the contents of drive C:.  We can fix that.

During the Bitlocker initiation and encryption process, you’ll be prompted for the storage of a recovery password/key.  One of the options is to store the information on a USB memory stick.  That is the option I used.  In order to access the encrypted information from R2, you’ll first need to install the Bitlocker feature in Server Manager.  After that, you can access the drive contents using the USB stick and recovery key. 

Here’s the summary of the steps to accomplish the above:

  1. Install Win7 first.  I used the demo platform from http://wdt.  This is the Microsoft Windows Demo Toolkit (WDT) available to employees and partners.
  2. Install R2 into the .vhd on a second drive (multibay) or partition using the WIM2VHD script.  See http://blogs.technet.com/keithcombs/archive/2009/06/17/automating-boot-from-vhd-os-installation.aspx for some information on that.  The script when done dismounts the VHD.
  3. Attach the VHD and assign it a driver letter.  This can be done using the GUI Disk Manager or via the command line with diskpart.
  4. From an elevated cmd console, enter Bcdboot <driveletter>:\windows for the location of the R2 mounted image.  Bcdboot is part of the AIK installed in the WDT image.
  5. Test dual boot
  6. Turn on Bitlocker and encrypt C:.  Make sure to have a USB stick handy for storage of the recovery key.
  7. Test dual boot after encryption is complete.
  8. Boot up R2 and install the Bitlocker feature.
  9. Access the files on the encrypted drive from R2 using the USB stick and the recovery password.
  10. If you are planning on running the Hyper-V role, most likely you’ll need to fix the BCD store.  Use the “bcdedit /set hypervisorlaunchtype auto” command from an elevated instance of cmd.

This design will work very well for my demo environment or my production work environment.  I can fully encrypt the contents of my documents on drive c: and not worry about the contents of the machine is stolen.  That happens.

image Backup and Restore

The last thing you want to have happen to you when you have a room full of 300-1000 people, is to have a hard drive crash on you and be forced to send everyone home.  To prevent that from happening, I routinely clone my drives with a backup/recovery tool.  Since we are using Bitlocker, you need to use a Bitlocker aware utility.

Windows 7 Ultimate includes full “System Image” backup and recovery.  When the backup is created, the resulting data is not encrypted.  Therefore, the restore will not be encrypted.

The BCD store remains intact after the restore so the only real difference is the status of Bitlocker.  That is of course easily solved if desired.  The backup feature I used is easily accessed under Control Panel and if you squint really hard, you can see the “Create a system image” task in the top left corner of the screenshot.  This process was called Complete PC Backup and Recovery in the Windows Vista era.

So there you have it.  A dual boot machine that will run Windows 7 or R2 and Hyper-V.  This is a great design for your production environment or setting up a demo environment.  Enjoy.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • There is a cool program called VHD mount that adds the option to add/remove the vhd file to boot menu when you right click on any .vhd file   It's much easier than BcdEdit with the complex guid numbers on the command line.

    https://brentf.com/blog/software/misc/VHDMount.exe

    Your article was very informative.  You seem to be the only one who knows how to use Bitlocker on a VHD.  

    ...but as usual, I have a question:

    Since a vhd runds independently of the host os, you could put your hard drive with the vhd in any computer and have your os with all your settings, options etc... but HOW would you get the boot menu option to use it?  Would it be automatic or can the bios set up a boot menu?

    If there is a way to boot directly in to the VHD (without the multi-boot menu) I wonder why it can't be put on a USB drive for easy use anywhere?

  • Here is something I noticed while testing my VHD that I had not read anywhere:

    * You can simply copy your desktop icons from your host OS (d:/users/name/desktop)

    to your VHD Desktop and run the programs you have installed WITHOUT setup...

    although you will have to set some preferences the first time you run them.  I'm

    amazed this works. I never read about it - but my experiments show it works.  You

    won't have the program files you have installed under "All Programs" but you can

    boot into your host os and create desktop shortcuts for any programs you want

    to access from VHD's without going throght the install/setup process THEN copy

    them to your VHD desktop. They are even registered!  I don't know how it uses this information that is almost always stored in the HOST os  registry.   I am confused as to how it this works.  The VHD must be writing a lot more info to it's registry than hardware drivers ...but the first time you run Windows 7 from the VHD you have to go through the entire install process, even entering registration key etc. It doesn't appear to use the HOST registry.

  • See step 3 and 4 above for the HOW to add an entry in the BCD store and have it show up at boot.  That's the easiest way I know of.  There are others.

  • Thanks for the tips - I tried to do something similar to this with xp and truecrypt and failed miserably. I did find out a lot more about the internals of Windows7 boot process though so the whole thing wasn't wasted.

  • Thanks for the article - very useful, as with most of your other posts.  Can you give me the fully qualified URL for  http://wdt?  As a partner a "demo toolkit" could come in very handy. -Thanks!