Bitlocker and multi-booting

McKnife
CERTIFIED EXPERT
If you are asking yourself "will BitLocker allow me to install several encrypted instances of Windows 10 on the same drive?", here is your answer.

I remember that when I tried to set up multi-booting with two BitLocker-encrypted instances of Windows 10, I was skeptical whether this would even be possible. The documentation I found didn't explicitly say so, and if there's one thing my long-term experience has taught me, it's that things people wouldn't normally do are often the hardest to set up.


So back then I set up a virtual machine with Windows 8.1 and tried it out. To my surprise, it worked without the slightest problem. This article showcases the steps you need to take. It's almost self-explanatory when you do it, but nevertheless, as with any encryption or partitioning operation, I urge you to make sure that you have a working backup first.


Ok, let's start with the obvious: why would we even want this?

Imagine you have two sons, Jack and Joe. Each one should have his own Windows installation and his own computer privacy. How can you achieve real privacy? Only with encryption! Now imagine you don't want to buy two machines but let them share one computer: how can you achieve two encrypted instances of Windows on one machine? That is exactly what this is about.


So, what did I use to make this tutorial?


  • Hyper-V on Windows 10 1903 (just FYI: Hyper-V is not needed in any way, it was just useful for the tutorial)
  • Guest OSes: 2x Windows 10 Pro
  • Partitioning type: UEFI (default)
  • a (virtual) TPM


The scenario

Let's assume you have already encrypted your first Windows instance and you want to install another.

First, make sure there is enough free space on your drive. Even for a test, you need at least 30 GB. By the way, you may shrink your encrypted volume via disk management without decrypting it. The next screenshot shows an empty partition with nearly 60 GB of unformatted space.



Now boot setup and you will be asked where to install Windows. Select the unallocated space, click "New", set the size and click "Apply"; afterward click "Format" with that same partition still selected. Then either install Windows and encrypt it when you feel like it, or, even better, encrypt your second Windows right now using the pre-provisioning process I describe here: How to manually pre-provision Bitlocker, which explains what benefit pre-provisioning offers and teaches you the commands.


After installation, start up your second Windows for the first time. Guess what the boot screen will look like... You will be given the choice between "Windows 10" and "Windows 10". Hmmm... luckily, setup has pre-selected the one that is about to finish installing, so don't worry, just let it boot; we will modify those identifiers later on.


Having booted and dealt with the usual region and telemetry settings, you will finish setting up the encryption and print out the recovery key as described in my other article. Then open Explorer and confirm that your C: drive shows the lock icon, while the system drive of your first Windows instance is also present but overlaid with a closed-lock icon.



It's up to you to decide whether you'd like to share that drive between installations or not.

In this tutorial, I am pretending to set this up for your two kids: they will be able to use one machine, each having his own installation and not willing to let the other mess with it. So it would be best to go to disk management (diskmgmt.msc) now and remove the drive letter of the other installation, so it will not even be shown in Explorer (right-click D:, select Add/remove drive letter and then remove it). You will need to do the same from your other installation as well.


In case you want to share the drive between installations, you will need to unlock it now using the recovery key of your first installation (double-click D: and enter your recovery key). Afterward, you may select "Turn on auto-unlock" via the context menu option in "Manage BitLocker".
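The two choices above (hide the other installation's volume, or unlock it and keep it shared) can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the original article; it assumes the other installation's system volume currently has the letter D: as in the screenshots, and that you run it once from each installation.

```powershell
# Added example: hide or share the other installation's system volume.
# Assumes the other Windows lives on D: (adjust $OtherDrive to your machine).
#Requires -RunAsAdministrator
param(
    [ValidateSet('Hide', 'Share')] [string] $Mode = 'Hide',
    [string] $OtherDrive = 'D'
)

switch ($Mode) {
    'Hide' {
        # Drop the drive letter so the locked volume no longer appears in Explorer.
        # Scripted equivalent of removing the letter in diskmgmt.msc; the volume
        # itself stays encrypted and untouched, BitLocker still guards the data.
        Get-Partition -DriveLetter $OtherDrive |
            Remove-PartitionAccessPath -AccessPath "${OtherDrive}:\"
        Write-Host "Removed drive letter ${OtherDrive}: - repeat this step from the other installation."
    }
    'Share' {
        # Unlock with the FIRST installation's 48-digit recovery password, then let
        # this installation store an auto-unlock key so the prompt never comes back.
        $raw = Read-Host -Prompt 'Recovery password of the other installation (48 digits, dashes optional)'
        $digits = $raw -replace '[^0-9]', ''          # strip dashes and spaces
        if ($digits.Length -ne 48) { throw "Expected 48 digits, got $($digits.Length)" }
        # Unlock-BitLocker wants the canonical 8 groups of 6 digits separated by dashes.
        $groups = for ($i = 0; $i -lt 48; $i += 6) { $digits.Substring($i, 6) }
        $formatted = $groups -join '-'
        Unlock-BitLocker -MountPoint "${OtherDrive}:" -RecoveryPassword $formatted | Out-Null
        Enable-BitLockerAutoUnlock -MountPoint "${OtherDrive}:" | Out-Null
        Write-Host "${OtherDrive}: unlocked and auto-unlock enabled for this installation."
    }
}

# Either way, show what BitLocker now thinks about every volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, LockStatus, AutoUnlockEnabled |
    Format-Table -AutoSize
```

Run it as `.\other-os.ps1 -Mode Hide` (the default) for the two-kids scenario, or `-Mode Share` if both installations should see each other's drive. Note that auto-unlock stores a key for the other volume inside this installation, so whoever can boot this Windows can read that drive too; for the privacy scenario, Hide is the right choice.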


Ok, so let's go back to the thought of having two kids that would love to have some privacy for their own installation of Windows. What will they need? A secret pre-boot PIN, one each.


So you will open gpedit.msc (available only on Windows 10 Pro and Enterprise) and navigate to

-> Computer Configuration - Windows Components - BitLocker - Operating System Drives

-> then configure the policy "Require additional authentication at startup" according to the following screenshot:



After doing so, the policy should become effective immediately after closing gpedit.msc.

So right click c:, select "Manage BitLocker" and select "Change how the drive is unlocked at startup"


You may enter a PIN now (6 digits at least). You will, of course, have to do the same in the first instance of Windows as well, so that both your kids have their own secret PIN. As the parent, make sure you have a print-out of the recovery key or save it to a file in your own backup, just in case.
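The policy step and the PIN step can be scripted as well, which is handy because you have to repeat both inside each installation. The following is an added example and not the article's own commands; it assumes the policy screenshot chose "Allow startup PIN with TPM" (so the registry values below are my reading of it) and that C: is already TPM-protected with a recovery password, as the earlier steps leave it.

```powershell
# Added example: apply "Require additional authentication at startup" via the
# registry and add a TPM+PIN protector to the running installation.
# Run from an elevated PowerShell prompt inside EACH installation.
#Requires -RunAsAdministrator

# 1. Policy. Registry form of the gpedit setting under
#    Windows Components > BitLocker Drive Encryption > Operating System Drives.
#    Each value: 0 = do not allow, 1 = require, 2 = allow. (Assumed to match
#    the article's screenshot: TPM remains mandatory, TPM+PIN is allowed.)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # turn the policy on
    EnableBDEWithNoTPM = 0   # no BitLocker without a TPM
    UseTPM             = 2   # allow TPM only
    UseTPMPIN          = 2   # allow TPM + startup PIN (what we need)
    UseTPMKey          = 2   # allow TPM + startup key
    UseTPMKeyPIN       = 2   # allow TPM + startup key + PIN
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. Preconditions: C: must already be TPM-protected and must have a recovery
#    password (the "master key" the parent keeps). Refuse to continue otherwise.
$types = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType
if ($types -notcontains 'Tpm' -and $types -notcontains 'TpmPin') {
    throw "C: has no TPM protector; finish encrypting first. Found: $($types -join ', ')"
}
if ($types -notcontains 'RecoveryPassword') {
    throw 'C: has no recovery password protector; add and print one before adding a PIN.'
}

# 3. Ask for the PIN (digits, at least 6 by default policy) and add the protector.
#    Adding TPM+PIN is what "Change how the drive is unlocked at startup" does;
#    the existing TPM-only protector is expected to be replaced (verified in 4).
$pin = Read-Host -Prompt 'New startup PIN for this installation' -AsSecureString
if ($pin.Length -lt 6) { throw 'PIN must be at least 6 digits.' }
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null

# 4. Verify: expect TpmPin + RecoveryPassword and no plain Tpm entry left behind.
$after = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector
$after | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
if ($after.KeyProtectorType -contains 'Tpm') {
    Write-Warning 'A TPM-only protector is still present; the PIN is not enforced at boot. Remove it with manage-bde -protectors -delete C: -type TPM once TpmPin is confirmed.'
}
```

The check in step 4 is the one that matters: as long as a plain TPM protector remains, the volume still unlocks without a PIN, which would defeat the whole point of the exercise.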


Great, now the last thing you need to do is to set distinctive names for these installations and then try to boot them. Let's call them "Joe's Windows" and "Jack's Windows" for this example. To do so, open an elevated command prompt (right-click cmd.exe and select "Run as administrator") and launch the command


bcdedit


As in the next screenshot, you will see two instances of Windows, both named "Windows 10".



Luckily, Windows marks the currently booted one with the identifier "{current}", so we can't miss it.

Let's say the currently booted installation is meant for Joe and the other for Jack; then you would need to launch the following two commands:


bcdedit /set {current} description "Joe's Windows 10"
bcdedit /set {00281a9e-93dc-11e9-b0c8-8bb35cf374d5} description "Jack's Windows 10"


(Please note that, depending on what your screen shows, the second identifier will differ from my example: it will have different numbers, or it might read "{default}".)
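If you would rather not copy a GUID by hand, the renaming can be scripted. The script below is an added example, not from the article; it uses bcdedit's /v switch so every entry is listed with its full GUID, determines which GUID is {current}, and renames both entries with the names used above. It assumes exactly two OS loader entries exist, which is the situation in the screenshots.

```powershell
# Added example: rename both boot entries from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
param(
    [string] $CurrentName = "Joe's Windows 10",   # the installation you are booted into
    [string] $OtherName   = "Jack's Windows 10"   # the other installation
)

function Get-OsLoaderEntries {
    # Parse 'bcdedit /enum osloader /v' into objects with Identifier and Description.
    # /v prints real GUIDs instead of {current}/{default}, which makes matching reliable.
    $entries = @()
    $cur = $null
    foreach ($line in (bcdedit /enum osloader /v)) {
        if ($line -match '^identifier\s+(\{[0-9a-f-]{36}\})') {
            if ($cur) { $entries += $cur }
            $cur = [pscustomobject]@{ Identifier = $Matches[1]; Description = '' }
        } elseif ($cur -and $line -match '^description\s+(.*)$') {
            $cur.Description = $Matches[1].Trim()
        }
    }
    if ($cur) { $entries += $cur }
    return $entries
}

# Resolve {current} to its GUID (braces must be quoted, or PowerShell parses a script block).
$currentMatch = bcdedit /enum '{current}' /v |
    Select-String -Pattern '^identifier\s+(\{[0-9a-f-]{36}\})'
if (-not $currentMatch) { throw 'Could not determine the GUID of the running installation.' }
$currentId = $currentMatch.Matches[0].Groups[1].Value

$all    = @(Get-OsLoaderEntries)
$others = @($all | Where-Object { $_.Identifier -ne $currentId })
if ($others.Count -ne 1) {
    throw "Expected exactly one other OS loader entry, found $($others.Count):`n$($all | Out-String)"
}

Write-Host 'Before:'; $all | Format-Table -AutoSize
bcdedit /set '{current}' description $CurrentName | Out-Null
bcdedit /set $others[0].Identifier description $OtherName | Out-Null
Write-Host 'After:';  Get-OsLoaderEntries | Format-Table -AutoSize
```

The "Before"/"After" listing is the same information bcdedit shows in the screenshot, just with full GUIDs; if the script stops because it found more than one other entry (for example an old recovery entry), rename manually as described above rather than guessing.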


Checking your work

And that's it. Now reboot and see what happens. You will be asked for a PIN, and this will be the PIN of the OS you installed second, here Joe's PIN. Enter it and you will be presented with the following choice:



So the OS we booted before stays pre-selected and will boot automatically unless we choose the other one. That's how Joe needs to proceed to get to his OS. Jack would have to select "Press F11 to choose an alternate operating system" since he does not know Joe's PIN, as seen in the following screenshot:



Afterward, he may select "his" OS:



and will be asked for his PIN.

Let me clarify one thing: Joe gets the choice of selecting either his own or Jack's installation after he enters his PIN. But if he selects Jack's installation, he is asked for Jack's PIN as well, which stops him from booting that other Windows.


Conclusion

I have shown you an example of how to configure two Windows instances on the same machine, each perfectly isolated from the other, with each kid (user) having his own secret PIN to access it, and you, with the recovery keys of both, still holding a master key in case they forget their PIN.


That’s it. If you have questions, feel free to ask a related question in the forum.
