Ramblings from another nerd on the grid
A few months ago I started investigating the latest techniques for building a dual boot system. I was interested in Windows 7 and Windows Server 2008 R2. There is a wrinkle. I wanted to boot one of them using “boot from vhd” AND use Bitlocker.
The Corporate Mandate
Bitlocker is a required security component for Microsoft assets. Because all of our products are moving to 64 bit versions and Hyper-V is the only Microsoft virtualization technology currently capable of executing 64 bit virtual machines, the software mix was decided for me.
The problem is that you cannot “boot from VHD” an operating system that is on an encrypted drive or partition. Ah ha! That’s the key. You can either partition your drive, or use a second drive to store the .VHD file that contains the second OS you want to make available for boot. I chose the latter.
I have a laptop that allows me to have two hard drives in it. I simply pull the CD/DVD drive out and pop in a hard drive adaptor and second hard drive. This is the standard configuration for Microsoft presenters because we typically load the OS and apps on drive C:, and store data (virtual machines) on drive D:.
So in this dual boot configuration, I built a demo environment for the upcoming Windows 7, Windows Server 2008 R2 and Exchange 2010 launch events. Windows 7 is installed on drive C: (100GB drive). Windows Server 2008 R2 is installed into a .VHD file on Drive D: (320GB). After I confirmed that dual boot config was working, I kicked off Bitlocker in Windows 7 and encrypted the entire contents of drive C:. Again, I verified dual boot was working. At this point R2 does not have access to the contents of drive C:. We can fix that.
During the Bitlocker initiation and encryption process, you’ll be prompted for the storage of a recovery password/key. One of the options is to store the information on a USB memory stick. That is the option I used. In order to access the encrypted information from R2, you’ll first need to install the Bitlocker feature in Server Manager. After that, you can access the drive contents using the USB stick and recovery key.
Here’s the summary of the steps to accomplish the above:
This design will work very well for my demo environment or my production work environment. I can fully encrypt the contents of my documents on drive C: and not worry about the contents if the machine is stolen. That happens.
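As an added illustration (not the author's step list and not code from the original post), here are the two halves of the setup in PowerShell: registering the .vhd as a second boot entry from Windows 7, then, once booted into R2, installing the BitLocker feature and unlocking the Windows 7 volume with the recovery key from the USB stick. The VHD path, the entry name, and the drive letters E: (the Windows 7 volume as seen from R2) and F: (the USB stick) are assumptions.

```powershell
# Added example, not the post's own step list. Assumptions: the .vhd lives at
# D:\VMs\R2.vhd, the Windows 7 volume shows up as E: once R2 is booted, and the
# USB stick with the recovery key (.BEK file) is F:. Run from an elevated prompt.

# Part 1: run in Windows 7. Registers the VHD as a second entry in the BCD store.
function Add-VhdBootEntry {
    param(
        [string]$VhdPath   = 'D:\VMs\R2.vhd',
        [string]$EntryName = 'Windows Server 2008 R2 (boot from VHD)'
    )
    # The volume holding the .vhd must NOT be BitLocker-protected, or bootmgr
    # cannot read the file; check its status before adding the entry.
    manage-bde -status $VhdPath.Substring(0, 2)

    # Clone the current entry; bcdedit prints the GUID of the copy. Braces are
    # quoted so PowerShell does not parse {current} as a script block.
    $out  = bcdedit /copy '{current}' /d $EntryName
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]+\}').Value
    if (-not $guid) { throw "bcdedit /copy failed: $out" }

    # vhd=[D:]\VMs\R2.vhd : the bracketed letter is resolved by bootmgr at boot.
    $device = 'vhd=[' + $VhdPath.Substring(0, 2) + ']' + $VhdPath.Substring(2)
    bcdedit /set $guid device   $device
    bcdedit /set $guid osdevice $device
    bcdedit /set $guid detecthal on      # let R2 redetect the HAL on first boot
    bcdedit /enum '{bootmgr}'            # the new GUID should be in displayorder
    return $guid
}

# Part 2: run in R2 after choosing the new entry at boot. Installs the BitLocker
# feature (what Server Manager does) and unlocks the Windows 7 volume.
function Unlock-Win7Volume {
    param(
        [string]$Volume   = 'E:',
        [string]$KeyDrive = 'F:'
    )
    Import-Module ServerManager
    Add-WindowsFeature BitLocker         # reboot once if this reports a restart is needed

    # The .BEK saved to the USB stick during BitLocker setup unlocks the volume.
    $bek = Get-ChildItem -Path "$KeyDrive\*.BEK" | Select-Object -First 1
    if (-not $bek) { throw "No .BEK recovery key found on $KeyDrive" }
    manage-bde -unlock $Volume -RecoveryKey $bek.FullName
    manage-bde -status $Volume           # should now show the volume as unlocked
}
```

Keep the USB stick with the .BEK file separate from the laptop when not in use; anyone holding it can unlock the drive the same way.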
Backup and Restore
The last thing you want when you have a room full of 300-1000 people is a hard drive crash that forces you to send everyone home. To prevent that from happening, I routinely clone my drives with a backup/recovery tool. Since we are using Bitlocker, you need to use a Bitlocker aware utility.
Windows 7 Ultimate includes full “System Image” backup and recovery. When the backup is created, the resulting data is not encrypted. Therefore, the restored volume will not be encrypted either.
The BCD store remains intact after the restore so the only real difference is the status of Bitlocker. That is of course easily solved if desired. The backup feature I used is easily accessed under Control Panel and if you squint really hard, you can see the “Create a system image” task in the top left corner of the screenshot. This process was called Complete PC Backup and Recovery in the Windows Vista era.
So there you have it. A dual boot machine that will run Windows 7 or R2 and Hyper-V. This is a great design for your production environment or setting up a demo environment. Enjoy.
There is a cool program called VHD mount that adds the option to add/remove the vhd file to the boot menu when you right click on any .vhd file. It's much easier than BcdEdit with the complex guid numbers on the command line.
Your article was very informative. You seem to be the only one who knows how to use Bitlocker on a VHD.
...but as usual, I have a question:
Since a vhd runs independently of the host os, you could put your hard drive with the vhd in any computer and have your os with all your settings, options etc... but HOW would you get the boot menu option to use it? Would it be automatic or can the bios set up a boot menu?
If there is a way to boot directly in to the VHD (without the multi-boot menu) I wonder why it can't be put on a USB drive for easy use anywhere?
Here is something I noticed while testing my VHD that I had not read anywhere:
* You can simply copy your desktop icons from your host OS (d:/users/name/desktop) to your VHD Desktop and run the programs you have installed WITHOUT setup... although you will have to set some preferences the first time you run them. I'm amazed this works. I never read about it - but my experiments show it works. You won't have the program files you have installed under "All Programs" but you can boot into your host os and create desktop shortcuts for any programs you want to access from VHD's without going through the install/setup process THEN copy them to your VHD desktop. They are even registered! I don't know how it uses this information that is almost always stored in the HOST os registry. I am confused as to how this works. The VHD must be writing a lot more info to its registry than hardware drivers ...but the first time you run Windows 7 from the VHD you have to go through the entire install process, even entering the registration key etc. It doesn't appear to use the HOST registry.
See steps 3 and 4 above for HOW to add an entry in the BCD store and have it show up at boot. That's the easiest way I know of. There are others.
Thanks for the tips - I tried to do something similar to this with xp and truecrypt and failed miserably. I did find out a lot more about the internals of the Windows 7 boot process though so the whole thing wasn't wasted.
Thanks for the article - very useful, as with most of your other posts. Can you give me the fully qualified URL for http://wdt? As a partner a "demo toolkit" could come in very handy. -Thanks!