Wednesday 17 May 2017

Add a BitLocker encrypted Windows 10 To Go OS to Easy2Boot

Windows 10 1703 (Build 15063) or later will mount all formatted partitions of a USB Removable media Flash drive (earlier versions of Windows only mounted the first partition of a Removable drive).

This means we can not only boot from a flat-file installation of Windows 10 now, but because we can create a multi-partition USB flash drive, we can also encrypt the Windows volume using BitLocker. BitLocker needs a separate, unencrypted system partition to hold bootmgr and the BCD, which is why a single-partition Removable drive was never enough.

Windows 10 will allow us to MBR-boot (not UEFI-boot) to an encrypted volume either by entering a startup password (at least 8 characters) or by inserting a USB flash drive containing the .BEK key file for the encrypted volume.

MBR boot to a BitLocker WinToGO VHD

E2B cannot directly boot from an encrypted BitLocker VHD. We must use the Windows bootmgr+BCD files to boot from a BitLocker VHD.

1. Download WinToUSB and BootIce v1.3.4 or later (not 1.3.3).
2. Use WinToUSB to make an MBR\Legacy single-partition NTFS Windows To Go drive using a VHD (e.g. a 20GB VHD) on a spare (fast USB 3) Removable Flash drive.
3. Boot from the Flash drive, set up Windows, and enable BitLocker with password entry as detailed below. You may find it easier to boot using VBox+VMUB so that Windows does not detect a TPM when you convert the volume to BitLocker.
4. Drag-and-drop the USB flash drive letter icon onto the MPI_NTFS desktop shortcut to make a new .imgPTN file.
5. Make the file contiguous and switch to the new image (\MAKE_THIS_DRIVE_CONTIGUOUS.cmd + SWITCH_E2B.exe).
6. Use BootIce v1.3.4 to tweak the Disk, Partition and Boot File settings as required. Ensure the >>> button setting is 'MBR: BitLocker'.

The image should now be bootable.

UEFI+MBR WinToGo VHD + BitLocker

It is also possible to create a FAT32 .imgPTN23 file containing the EFI and \boot Windows boot files and keep your encrypted VHDs on the 2nd partition of your E2B USB drive.

1. Use WinToUSB to create a non-GPT UEFI+MBR USB drive (paid for version only)
2. Setup Windows and enable BitLocker (see below)
3. Make a .imgPTN file (100MB or more) from the partition containing the system boot files
4. Copy the VHD file to the 2nd partition of your E2B drive
5. Use BootIce v1.3.4 to edit the two BCD files to point to the VHD file on the 2nd partition.

If your E2B drive does not have a 2nd partition, you could create an NTFS partition image by dragging and dropping a folder containing just the VHD file (not the VHD file itself) onto the MPI_NTFS Desktop shortcut. You would then have:

WinToGoBitlocked.imgPTN   (100MB FAT32 partition image with the boot files)
WinToGoBitlocked          (NTFS image containing the large VHD file)

MBR boot to 'flat-file' WinToGo


I suggest that when you first boot the Windows installation on the USB drive, you use a Virtual Machine such as VBox, because a VM has no TPM. Windows will then always prompt you to set a BitLocker startup password and will use software encryption, which is what we need if the drive is to boot on a range of different systems.

Note: if you have configured your USB drive as an IDE or SATA drive in a Virtual Machine (e.g. VBOX+VMUB), Windows will not boot in 'Windows-to-Go' mode because it does not think it is running from a USB drive but a real IDE/SATA Hard disk - so instead it will boot in full Windows mode and create a page file, etc.


1. Create an empty folder on your Desktop called EMPTY

2. Drag-and-drop the EMPTY folder onto the MPI_NTFS Desktop shortcut - enter 500 for the size - name=WIN10TOGO.imgPTN (you cannot use FAT32 - BitLocker requires NTFS)

3. Repeat step 2 but choose a large size (e.g. 20000 = 20GB) for your Windows volume - name=WIN10TOGO   (no file extension).

4. Copy the two files to your E2B USB drive \_ISO\WINDOWS (make sure there is plenty of free space!), run \MAKE_THIS_DRIVE_CONTIGUOUS.cmd and then use \_ISO\SWITCH_E2B.exe to switch to the new WIN10TOGO.imgPTN file.

If SWITCH_E2B.exe wants to re-order the two files, say No as it is not necessary for MBR-booting on Windows 1703.

5. Run WinNTSetup and set up as below:

Point to ISO file, set 500MB drive and 20GB drive and pick Edition.
  • Use the Set location of Windows installation files - Search button to load the Windows 10 ISO file as a virtual drive and automatically find the install.wim file
  • Set the Boot drive as the 500MB volume on the USB drive
  • Set the Installation drive as the large 20GB volume on the USB drive
  • Set the Edition to Pro or Enterprise (not Home, as Home does not support BitLocker)
  • Click the F button and re-format the large 20GB volume as NTFS to remove the E2B files. Do NOT format the 500MB volume!
  • You can use the Tweaks >>> button to configure Windows (e.g. disable page file)
  • Click on Setup and set 'Do NOT update the boot code' + ALL
  • Click OK to start the process

Boot to WindowsToGo

6. When finished, you can boot via the E2B CSM menu (option 1) and setup Windows 10 as usual.

I set up an offline account with a password.

7. Restart Windows (this is necessary for the TPM option in the next step to be enabled)

Make sure Windows is stable and all Windows updates have been installed. This usually takes 6 or so reboots and 3GB+ of downloaded updates! If you don't do this but enable BitLocker immediately, the updates may break the OS!

Tip: Now may be a good time to make a backup of the two image files.

8. Tap WINKEY+I, type 'edit group' and select Edit group policy - Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives - Require additional authentication at startup - Enabled - tick 'Allow BitLocker without a compatible TPM'.

See here for more info.

9. When Setup has completed, tap WIN+I, type 'manage bitlocker' and open Control Panel - Manage BitLocker - Turn BitLocker on for drive C: - (insert a spare USB flash drive) - Save to a file on the flash drive - set a password - 'Encrypt used disk space only' (first option) - 'Compatible mode' (second option) - untick the 'Run BitLocker system check' option - encryption will begin immediately.

Make sure you save the recovery key to a different flash drive, not to the E2B drive you are encrypting.

Wait for encryption to finish - click on BitLocker taskbar icon for progress report.

WARNING: If the 'machine' has a TPM (most modern computers do have a TPM) you will not be offered the chance to enter a password, but instead given a PIN option. To be able to boot on different systems, you MUST set a password. Do not proceed unless you enter in a password (twice to confirm).

I recommend booting on a VM so that no TPM will be available and you will be able to set a boot password before you encrypt.

If you do not get the option to enter a password, or you don't want to set up a VM, use a real system and the manage-bde command-line tool as follows:
9.1 WINKEY+X - PowerShell as Admin
9.2 Type CMD and press ENTER to get a command shell as Administrator
9.3 Insert a spare USB flash drive (e.g. F:)
9.4 Use the manage-bde command (see below) to force it to use a password and software encryption

The switches do the following: -pw prompts for the startup password (at least 8 characters - the longer, the safer!), -fet Software forces software encryption rather than the SSD's hardware encryption, -rp adds a 48-digit numerical recovery password (printed on screen), and -RecoveryKey F:\ saves a .BEK external key file to the flash drive on F:...

C:\Windows\system32>manage-bde -on c: -pw -fet Software -rp -RecoveryKey F:\
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [WIN10]
[OS Volume]
Type the password to use to protect the volume: XXXXXXXX
Confirm the password by typing it again: XXXXXXXX
Key Protectors Added:

    Numerical Password:
      ID: {5F0C883A-7BD3-4485-AD2C-A11665DD192C}

      ID: {669EDBB2-381A-4859-B2E2-09C3AFF2E29A}


    1. Save this numerical recovery password in a secure location away from
    your computer:


    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    3. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

IMPORTANT: Make a note of the 48-digit numerical recovery password (copy and paste it into a .txt file kept somewhere other than the encrypted drive) - if you ever need to repair the OS you will need it!

9.5 You will need to reboot and use the password. Encryption will then begin.
Copy the .BEK file generated on F: to a safe place. Don't forget the password either!
You can store more than one .BEK key file on the same USB flash drive - BitLocker will find the right one automatically even if not in the root.

9.6 You can use manage-bde -status C: to check on things (or click on the taskbar icon).
Ensure it lists 'Password' as one of the Key Protectors. 'Protection Status: Protection Off' while encryption is still in progress is normal; do not treat the drive as protected until it reports 'Protection On'.

C:\Windows\system32>manage-bde C: -status
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [WIN10]
[OS Volume]

    Size:                 25.19 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 41.7%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        External Key
        Numerical Password

See the Microsoft manage-bde documentation for details of its other switches.
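The following PowerShell script is an added example (it is not part of the original post and not an Easy2Boot tool). It automates steps 8 and 9.x above on the Windows To Go system: it writes the 'Allow BitLocker without a compatible TPM' policy to the registry (the same setting gpedit edits), runs the post's own manage-bde command, and afterwards verifies that the Password, Recovery Password and External Key protectors exist and that the .BEK file on the spare flash drive matches the External Key protector. It assumes the OS volume is C: and the spare flash drive is F:\ (both are assumptions; change them to suit your system).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run once to enable BitLocker, reboot
# with the startup password, then run again with -Verify until it returns $true.
# ASSUMPTIONS: OS volume is C:, spare flash drive for the .BEK file is F:\.
$OsVolume = 'C:'
$KeyDrive = 'F:\'

function Test-WtgPrereqs {
    # Build 15063 = Windows 10 1703, the first build that mounts every partition of
    # a Removable flash drive. Home edition has no BitLocker at all.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ([int]$os.BuildNumber -lt 15063) { throw "Windows 10 1703 (build 15063) or later required, found build $($os.BuildNumber)" }
    if ($os.Caption -match '\bHome\b') { throw 'Windows 10 Home does not support BitLocker; use Pro or Enterprise' }
    if (-not (Test-Path $KeyDrive)) { throw "Spare flash drive $KeyDrive for the .BEK key file is not present" }
    # A TPM makes the Control Panel wizard offer a PIN instead of a password;
    # manage-bde -pw sidesteps that, but warn so the operator knows why.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) { Write-Warning 'A TPM is present. A password protector is forced anyway so the drive boots on other machines.' }
}

function Set-AllowBitLockerWithoutTpm {
    # Registry form of: Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Operating System Drives > Require additional authentication
    # at startup = Enabled, with 'Allow BitLocker without a compatible TPM' ticked.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $settings = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1; UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $settings.Keys) {
        New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
    }
}

function Enable-WtgBitLocker {
    # The post's own command: -pw prompts for the startup password, -fet Software forces
    # software XTS-AES (SSD hardware encryption would tie the volume to that controller),
    # -rp adds the 48-digit numerical recovery password, -RecoveryKey writes the .BEK
    # external key to the spare flash drive.
    & manage-bde -on $OsVolume -pw -fet Software -rp -RecoveryKey $KeyDrive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }
    Write-Host 'Save the numerical recovery password printed above somewhere OFF this drive, then reboot.'
    Write-Host 'Encryption starts after the hardware test (the first reboot where you enter the password).'
}

function Test-WtgBitLocker {
    # Returns $true only when the volume has every protector this setup needs, no
    # TPM-bound protector, a matching .BEK on the spare drive, and Protection On.
    $bv    = Get-BitLockerVolume -MountPoint $OsVolume
    $types = @($bv.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $ok    = $true
    foreach ($needed in 'Password', 'RecoveryPassword', 'ExternalKey') {
        if ($needed -notin $types) { Write-Warning "Missing $needed protector"; $ok = $false }
    }
    if ($types -match '^Tpm') { Write-Warning 'A TPM-based protector exists; the drive is tied to this machine'; $ok = $false }
    # The external key is saved as <protector GUID>.BEK with hidden+system attributes,
    # so look it up by the protector ID rather than by directory listing.
    foreach ($kp in ($bv.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'ExternalKey' })) {
        $bek = Join-Path $KeyDrive ($kp.KeyProtectorId.Trim('{}') + '.BEK')
        if (Test-Path $bek) { Write-Host "External key file present: $bek" }
        else {
            Write-Warning "No .BEK for protector $($kp.KeyProtectorId) on $KeyDrive"
            Get-ChildItem -Path $KeyDrive -Filter '*.BEK' -Force | ForEach-Object { Write-Host "  found: $($_.Name)" }
            $ok = $false
        }
    }
    # 'Protection Off' while still encrypting is normal; only 'On' means the protectors are enforced.
    Write-Host ("{0}: {1}, {2}% encrypted, {3}, protection {4}" -f $OsVolume, $bv.VolumeStatus,
        $bv.EncryptionPercentage, $bv.EncryptionMethod, $bv.ProtectionStatus)
    if ($bv.ProtectionStatus -ne 'On') { $ok = $false }
    return $ok
}

if ($args -contains '-Verify') {
    Test-WtgBitLocker
} else {
    Test-WtgPrereqs
    Set-AllowBitLockerWithoutTpm
    Enable-WtgBitLocker
}
```

Run it from an elevated PowerShell on the Windows To Go system (or in the VM), reboot and enter the password when prompted, then run it again with -Verify; it deliberately fails the check if a TPM protector crept in, because that is exactly the state that stops the drive from booting on another computer.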

10. Test: remove the USB flash drive containing the .BEK file and reboot - enter the BitLocker password when prompted.

11. Test: insert the USB flash drive and reboot - you should not be prompted for a password.

Tip: Edit the \menu.lst file and add timeout 5 near the top so that it will boot to the BitLocker password prompt after 5 seconds.

Some UEFI mainboards (e.g. Asus Z87) are capable of UEFI-booting from an NTFS partition.

Note that Windows will auto-update after a few reboots; this can slow the computer down a lot. Performance should improve once all updates have been installed.

12. Finally, we need to modify the \menu.lst inside the .imgPTN file so that the 3rd partition is seen by Windows whenever we switch to it. Add the following line to the top of the \menu.lst file (i.e. the large \menu.lst file inside the image - not the small \menu.lst on the E2B partition):

parttype (hd0,2) 0x7

This grub4dos command sets the partition type byte of the 3rd partition table entry (hd0,2) to 07 (NTFS), so that Windows recognises and mounts the large Windows volume.

Note that if you are UEFI-booting, you may need to run the CSM menu first so that the partition is seen by Windows, or use SWITCH_E2B.exe to switch partitions.

Moving the .imgPTN files to a different E2B drive

For the sake of speed, if you have a fast E2B USB SSD drive, you can prepare the partition images on that and then, at a later date, copy the two image files to your E2B Removable USB flash drive (you may need to use BootIce 1.3.4 to adjust the \Boot\BCD file if there are boot issues - e.g. BSOD 0xc000000e).

BootIce - BCD - Other BCD File - Easy Mode
Note: An encrypted NTFS partition is listed as 'FAT32' by BootIce.

I have not used my BitLocker installation much, but a few times something (I suspect Windows Update) broke the OS and I had to reinstall - I suggest you take a backup of the partition image files just before you start encryption, for safety!

Good luck!

BootIce 1.3.4

If you get a BSOD 0xc000000f \Windows\System32\Winload.exe error, you may need to use BootIce v1.3.4 or later, which has an extra >>> button (see picture below).

Ensure that the MBR0: (BitLocker) option is selected.

Also, to boot from a BitLocker VHD, you cannot use the Boot Disk: LOCATE VHD setting, you must specify the disk and partition as shown below.
