Windows 10 Two W10 Systems with Bitlocker

MartinD

New Member
Hi,

I am struggling with this installation and am looking for help from somebody who has already done it.

I am using a Lenovo ThinkCentre with my TV as my primary "Internet" computer. Because I have an almost empty 1 TB NVMe drive, I had the idea that I would shrink my boot volume (the only one on the disk) and create a second 250 GB volume for a second "secure" W10 copy. So now I have a dual-boot system with the 1st Standard W10 and a second boot option, Secure W10. This Secure W10 is for e-banking; there is literally nothing on it except Edge with a few links to banks, and it is meant to be like this. But for further security, to prevent some malicious software from the standard W10 from messing with the secure W10 volume, I wanted to enable BitLocker on the W10 secure volume. I have tried many times with discrete TPM, firmware TPM, and TPM disabled. Hours of encrypting and then restoring the whole partition from backup and encrypting with some settings changed, and again. It always fails the same way: after BitLocker accepts encryption and generates the recovery key, it reboots to check whether the computer is fully capable, and immediately a blue screen shows asking for the recovery key (with both TPM modes) or a password when TPM is disabled, then it kind of thinks for 2-3 seconds, a black screen appears, white dots in a circle start to roll, and again after 2 seconds a hardware reboot, always. And if you restart and restart again, after 3-4 times it says this W10 installation has serious errors and offers the standard W10 recovery menu, which of course doesn't help. I can't find on the Internet whether it is possible to install BitLocker this way. Like 95% of threads are about mixing W10 with Linux, adding 3rd-party bootloaders, etc. This case with only 2 W10 on one HDD on separate volumes looks simple, but I am not even sure whether it is supported by W10 in this particular configuration.
Ideas:
1 - BitLocker automatically creates a small recovery partition as the last one on the HDD (shrinking these 250 GB), so we kind of have a standard UEFI partition and then kind of 2 recovery partitions, 1 for each system. I don't know, maybe the bootloader does not understand that each W10 has its own recovery partition?
2 - Problem of W10 TPM ownership. There is this process of W10 taking ownership of the TPM. Of course I only tried TPM with W10 secure, but in general what happens when W10 takes ownership? Are all keys erased from the TPM? If so, it would kind of prevent having more than 1 BitLocker fully encrypted W10 system on a computer? But here the idea was only 1 W10 secure system, and this system owns the TPM all the time.
Question:
1 - Has anybody successfully installed 2 W10 like this? If not on a single HDD, maybe on 2 HDDs that can, for example, even be enabled/disabled in the BIOS (haven't tried it this way yet, but it should work w/o TPM 100%; not sure with TPM enabled, again this ownership thing).
2 - The same thing with external USB 3.0 + NVMe with a clean W10 installation done in Rufus (not checked yet, waiting for the NVMe disk to arrive): is it possible to encrypt the whole boot volume? This works slower over USB, but with NVMe fast enough.
Martin
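A read-only diagnostic to run on the secure install before the next attempt, added here as an example and not part of Martin's post or the thread. It assumes the secure Windows is booted as C: and that PowerShell is running elevated.

```powershell
# Added example (not from the thread): gather the facts behind the dual-boot
# BitLocker failure described above. Read-only; changes nothing.
# Assumption: the "secure" W10 is the running OS on C:. Adjust if not.
$SecureDrive = 'C:'

# 1. TPM state. BitLocker with a TPM protector needs Present + Ready;
#    Owned shows whether Windows has already taken ownership.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmOwned   = $tpm.TpmOwned
} | Format-List

# 2. Secure Boot. The TPM validation profile covers the boot path, so a
#    change here between runs is one reason the hardware test can fail.
try   { 'SecureBoot: ' + (Confirm-SecureBootUEFI) }
catch { 'SecureBoot: unavailable (legacy BIOS boot or no UEFI variables)' }

# 3. Boot entries. Both Windows installs share one boot manager on the EFI
#    partition; this lists each OS loader and the device it points at.
bcdedit /enum osloader |
    Select-String -Pattern 'identifier|device|osdevice|description'

# 4. BitLocker status and the key protectors on the secure volume.
Get-BitLockerVolume -MountPoint $SecureDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'
           e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } } |
    Format-List

# 5. Partition layout: confirm there is one EFI system partition and see
#    how many recovery partitions exist (one per install is expected here).
Get-Partition |
    Select-Object DiskNumber, PartitionNumber, Type, DriveLetter,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } } |
    Format-Table -AutoSize
```

Compare the output against the other install (boot into it and rerun with its own drive letter) to see which of the TPM, Secure Boot, or boot-entry facts differ between the two systems.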
 

Neemobeer

Cyber Security Engineer
Staff member
This seems like a lot of work for little benefit. I'd just do a single install and use adequate security software. For added protection use two accounts, one standard and one administrator. Use the standard for day to day activity.