iamcal.com

0

Installing Windows 7 with BitLocker on a MacBook Air

By Cal Henderson, February 8th 2015.

I have performed this procedure on a MacBookAir6,1, the 11-inch early-2014 model, but it will likely work on other models too.

There are 2 things which make installing Windows 7 with BitLocker problematic, and you need to understand these before starting:

  1. BitLocker requires an extra partition to boot from. MBA's come with 3 partitions already defined (Boot, OSX and Recovery). Once you add one more for BootCamp, you're at 4. This is the maximum limit for normal paritions on the SSD. If you try and add another partition via OSX, you can't. If you try and add another partition via Windows, you'll be prompted to change the drive to a Dynamic disk (from a Basic disk, the default). Do not do this. It will brick your machine. The trick to getting BitLocker to work is to remove one of the existing partitions. This tutorial removes the Recovery partition, but in my tests this also breaks OSX. Only follow these steps if you intend to use Windows only.
  2. Since MBAs don't have a TPM (Trusted Platform Module), BitLocker must boot with a USB key present. Unfortunately, the MBA hardware does not allow USB drives to be recognized by the BitLocker boot loader. As a result, you will need to enter your 48-digit recovery key every time you reboot (only a full reboot triggers this - not a sleep or hibernate). Don't follow the steps below unless you are ok with doing this.

The Steup

  1. Boot into OSX. This guide assumes you're using 10.10 (Yosemite), but should be similar for other versions. Make sure your OSX is up to date first, so you have the latest EFI and SMC firmware upgrades. You will not be able to install further upgrades after this process is complete.
  2. Convert the main OSX volume from Core Storage to a regular volume. This step may not be necessary, but I encountered problems later on when I skipped this. Other guides talk about merging the recovery partition with the main OSX partition, but this is not possible with Yosemite - the partitions are no longer simple and cannot be merged.
    • Open "Terminal" (in the Utilities folder)
    • diskutil cs list
    • There should be a "Logical Volume" with a long hexidecimal code. Under this volume, it should say "Revertible: Yes". If you already enabled FileVault, then you'll need to disable it (and maybe reinstall OSX).
    • diskutil cs revert [LONG-HEX-CODE]
    • This should turn the main partition into a non Core Storage volume. you can verify this with another diskutil cs list
  3. Remove the recovery partition. While this sounds drastic, it's not. On modern macs, you can perform an Internet recovery by holding down Command-R during boot. This will download OSX from the Internet, so it's impossible to truely brick your Mac this way.
    • Open terminal
    • diskutil list
    • One of the volumes listed will have a type of Apple_Boot. Remember the volume name, likely disk0s2.
    • diskutil eraseVolume HFS+ Blank /dev/disk0s2 (make sure you use the name of the recovery volume!)
    • Open "Disk Utility" (in the Utilities folder)
    • Select the now-visible volume called "Blank"
    • Go to the 'erase' tab and erase the volume (make sure it's the "Blank" one)
    • Now select the drive itself, the 'partition' tab, and remove the Blank partition
  4. Create an ISO of the Windows 7 DVD. In theory you can download these from Microsoft, but I was unable to. If you have an external DVD drive (you can get one for $20), then you can use "Disk Utility" to make an ISO. Select the DVD, click "New Image" and then choose "CD/DVD Master" as the format. It will create a .cdr file, but you can just rename it to .iso once it finishes - they are the same thing. Making a Windows 7 Ultimate ISO took about 30 minutes for me.
  5. Find a USB stick to make the bootable installer. Although the image is only 3.5GB, you'll need a stick which is bigger than 4GB. Who knows why. Make sure you insert it into the left-hand USB slot (as you look at the screen). This slot is much faster.
  6. Use the "BootCamp Assistant" (in the Utilities folder) to create the bootable USB stick. you will need to point it at your ISO file and wait while it copys the data and downloads the required drivers. This will take about an hour. If your Internet drops out, you will need to start over again.
  7. When BootCamp Assistant comes to create partitions, takes as much space as possible for Windows, leaving the minimum (roughly 40 GB) for OSX.
  8. Reboot when prompted and start the Windows Installation. This will take about an hour.
  9. Once Windows boots up, open "Computer Management" and select "Storage" > "Disk Management". Disk 0, the SSD, should contain 3 volumes (blue headers) and a block of unallocated space (black header). If you see 4 blue sections, you messed up removing the recovery partition and will need to start over.
  10. Open "Edit Group Policy", then choose "Local Computer Policy" > "Computer Configuration" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption" > "Operating System Drives". Modify these keys:
    • "Require additional authentication at startup" - Enable
    • "Choose how BitLocker-protected operating system drives can be recovered" - Enable
  11. Open "BitLocker Drive Encryption" and turn on BitLocker for your C: drive. The wizard will want a USB drive to add the startup key to. It will create a hidden file. It will also prompt to save a recovery key. Put it on the same USB drive. Before proceeding, open the recovery key file and copy the 48 digit number (8 groups of 6 digits) somewhere safe. Putting it into your Dropbox-backed up 1Password key chain is a good idea.
  12. The BitLocker wizard will now prompt to perform a disk verification. Let it perform this step and then reboot. During boot, you'll get the BitLocker boot screen saying that you need to insert your USB key. This is not possible, since the boot loader only recognizes the root USB hub, which neither extenral port is attached to in a MBA (the root hub attaches to the camera and to a secondary hub which hosts the two external ports. As a result, you will need to hit Enter and then type in your 48 digit code. You will need to do this on every boot.
  13. Once Windows starts, BitLocker should start to encrypt the drive (a small window will show progress). If it does not, open "BitLocker Drive Encryption" and try and encrypt the drive again (a new key will be created - make sure you save it!), but skip the verification step. Wait for the disk to be fully encrypted.
  14. Reboot again and ensure you can enter the recovery code and boot.
  15. Congratulations, you now have Windows 7 with BitLocker running on a MacBook Air. Now sit back and install a million Windows update packages.

Some Notes

For some reason, even though the OSX partition remains (it'll mount under Windows as the D: drive), you will be unable to boot into OSX. Holding down "option" during boot will bring up the OSX boot menu, but only Windows will be listed as a choice.

To recover OSX on the machine, you will need to wipe away everything on the disk. Make sure you back up all of your Windows files before doing this. Then hold down Command-R during boot and OSX will perform a (very slow) net boot and allow a re-format and re-install.

I've tried various tricks to get the USB key recognized during BitLocker boot (including creating the key from OSX as a GPT partition), but the issue is the BitLocker does not have the driver necessary to see the USB hub, rather than a problem with the key itself. If you have a solution for this, please let me know!

Be the first to comment

Comments have been disabled