A few months ago I started investigating the latest techniques for building a dual boot system. I was interested in Windows 7 and Windows Server 2008 R2. There is a wrinkle. I wanted to boot one of them using “boot from vhd” AND use Bitlocker.
The Corporate Mandate
Bitlocker is a required security component for Microsoft assets. Because all of our products are moving to 64 bit versions and Hyper-V is the only Microsoft virtualization technology currently capable of executing 64 bit virtual machines, the software mix was decided for me.
The problem is that you cannot “boot from VHD” an operating system that is on an encrypted drive or partition. Ah ha! That’s the key. You can either partition your drive, or use a second drive to store the .VHD file that contains the second OS you want to make available for boot. I chose the later.
I have a laptop that allows me to have two hard drives in it. I simply pull the CD/DVD drive out and pop in a hard drive adaptor and second hard drive. This is the standard configuration for Microsoft presenters because we typically load the OS and apps on drive C:, and store data (virtual machines) on drive D:.
So in this dual boot configuration, I built a demo environment for the upcoming Windows 7, Windows Server 2008 R2 and Exchange 2010 launch events. Windows 7 is installed on drive C: (100GB drive). Windows Server 2008 R2 is installed into a .VHD file on Drive D: (320GB). After I confirmed that dual boot config was working, I kicked off Bitlocker in Windows 7 and encrypted the entire contents of drive C:. Again, I verified dual boot was working. At this point R2 does not have access to the contents of drive C:. We can fix that.
During the Bitlocker initiation and encryption process, you’ll be prompted for the storage of a recovery password/key. One of the options is to store the information on a USB memory stick. That is the option I used. In order to access the encrypted information from R2, you’ll first need to install the Bitlocker feature in Server Manager. After that, you can access the drive contents using the USB stick and recovery key.
Here’s the summary of the steps to accomplish the above:
- Install Win7 first. I used the demo platform from http://wdt. This is the Microsoft Windows Demo Toolkit (WDT) available to employees and partners.
- Install R2 into the .vhd on a second drive (multibay) or partition using the WIM2VHD script. See http://blogs.technet.com/keithcombs/archive/2009/06/17/automating-boot-from-vhd-os-installation.aspx for some information on that. The script when done dismounts the VHD.
- Attach the VHD and assign it a driver letter. This can be done using the GUI Disk Manager or via the command line with diskpart.
- From an elevated cmd console, enter Bcdboot <driveletter>:\windows for the location of the R2 mounted image. Bcdboot is part of the AIK installed in the WDT image.
- Test dual boot
- Turn on Bitlocker and encrypt C:. Make sure to have a USB stick handy for storage of the recovery key.
- Test dual boot after encryption is complete.
- Boot up R2 and install the Bitlocker feature.
- Access the files on the encrypted drive from R2 using the USB stick and the recovery password.
- If you are planning on running the Hyper-V role, most likely you’ll need to fix the BCD store. Use the “bcdedit /set hypervisorlaunchtype auto” command from an elevated instance of cmd.
This design will work very well for my demo environment or my production work environment. I can fully encrypt the contents of my documents on drive c: and not worry about the contents of the machine is stolen. That happens.
The last thing you want to have happen to you when you have a room full of 300-1000 people, is to have a hard drive crash on you and be forced to send everyone home. To prevent that from happening, I routinely clone my drives with a backup/recovery tool. Since we are using Bitlocker, you need to use a Bitlocker aware utility.
Windows 7 Ultimate includes full “System Image” backup and recovery. When the backup is created, the resulting data is not encrypted. Therefore, the restore will not be encrypted.
The BCD store remains intact after the restore so the only real difference is the status of Bitlocker. That is of course easily solved if desired. The backup feature I used is easily accessed under Control Panel and if you squint really hard, you can see the “Create a system image” task in the top left corner of the screenshot. This process was called Complete PC Backup and Recovery in the Windows Vista era.
So there you have it. A dual boot machine that will run Windows 7 or R2 and Hyper-V. This is a great design for your production environment or setting up a demo environment. Enjoy.