Configuration of BCD store using EasyBCD can result in noncompliance for Bitlocker

#1
Hello, I've been a fan of EasyBCD for many years and have always found it to be an incredibly useful tool. I still don't know what Microsoft was thinking when they designed the user interface to bcdedit...

Unfortunately I seem to have stumbled upon a couple of issues with EasyBCD. I'll discuss the first one here and create a new thread for the second issue.

The first relates to configuring a Vista Ultimate system to enable Bitlocker to protect the boot drive. The issue is a resulting "partition=\boot" entry in {bootmgr} instead of (as required by Microsoft for Bitlocker to function) a "partition=<drive-letter>:" entry.

Here are the steps I used to cause Bitlocker to fail to operate when using EasyBCD to configure the BCD store and how I worked around the issue. Step #7 is where I suspect EasyBCD has the issue:
  1. Started with a fully functional, dual booting workstation with a primary hard drive with 3 partitions (configured with EasyBCD 1.7.2). Partition #1 contained Vista Ultimate, partition #2 contained user files and partition #3 contained Windows 7 Ultimate. Although likely not important, I had originally used EasyBCD 1.6 (years ago) to configure a dual boot with partition #3 containing a second Vista Ultimate partition for testing purposes, then several months ago installed Windows 7 Ultimate on partition #3 (clean install) and this time used EasyBCD 1.7.2 to configure the dual boot.
  2. Backed up all 3 partitions using Seagate Disk Wizard (Acronis backup software).
  3. Using diskpart in a preinstall environment (booted from USB) repartitioned the drive to create partition #1 with 1.5GB of storage (as required for Bitlocker), and partitions #2 and #4 to roughly the same as the original #1 and #3 (less 750 MB each). The new partition #3 was essentially identical to the original partition #2 (shifted by 750MB).
  4. Restored both the primary and secondary operating systems with Vista (now partition #2) as the active partition (as it was originally when it was partition #1).
  5. Used EasyBCD to correct the BCD entries so Windows 7 was identified as on partition #4 (the backup software modified the BCD entries so Vista was correctly identified on partition #2 but failed to get the 2nd boot on partition #4 correct).
  6. Tested the system to make sure both Vista (partition #2) and Windows 7 (partition #4) would boot properly. They did.
  7. At this point I used EasyBCD 2.1 to "change the boot drive" from partition #2 to partition #1 and made sure the BCD entries were configured to correctly boot both Vista and Windows 7, now using partition #1 as the "System/Active" drive.
  8. Checked to ensure that partition #1 was the active drive as well as test booted both Vista and Windows 7. Everything appeared to be configured and functioning correctly. When each was booted I also checked the disk configuration to ensure the System, Active, Boot, Crash Dump, Hiberfile, and Pagefile were where they were supposed to be (and they were).
  9. At this point the system "should" have been fully ready to enable Bitlocker since the new 1.5 GB "System" partition was being used to load both Vista and Windows 7 and my workstation now fully met ALL of Microsoft's Bitlocker requirements.
  10. Unfortunately when I then attempted to enable Bitlocker I was confronted with the error that the BCD entries were corrupt and non-compliant for Bitlocker and that Bitlocker could not be enabled.
  11. After several hours of research and interaction with Microsoft, including attempting to repair the operating system using Microsoft's repair tools (only to end up having to use EasyBCD again to get both operating systems functional again without Bitlocker), I eventually stumbled upon the issue in a technet document. It turns out that EasyBCD creates the entry "partition=\boot" for the BCD identifier "{bootmgr}" when "moving the boot drive" and while this is "functional" for booting a non-Bitlocker protected operating system, it is not fully compliant as far as Microsoft is concerned and causes the Bitlocker configuration inspection to fail.
  12. To get Bitlocker to work I had to use Microsoft's (horrible) bcdedit to change the partition entry for {bootmgr} to "partition=S:" (partition #1 has the drive letter "S" assigned on my workstation). As soon as this was manually performed, Bitlocker worked flawlessly and the dual boot configuration also continued to work properly.
Please take a look at this issue and consider changing the BCD partition entry for {bootmgr} to a drive letter instead of \boot as this will allow EasyBCD to be compliant as far as Bitlocker is concerned. I should note that making this change manually (with bcdedit) still allowed both Vista and Windows 7 to boot correctly so this should not negatively impact anyone (not to mention that according to Microsoft "partition=\boot" is apparently non-compliant and "partition=<drive-letter>:" is compliant).

Thank you.
 

mqudsi

Mostly Harmless
Staff member
#2
Hiya HT. I won't repeat my thanks about a detailed bug report - you can see my other post for that.

Now on to business: This is a bug. But not in the way you think.

It should say partition=boot (note: boot, not \boot) or just boot (no partition).

Microsoft has some rather confusing undocumented behaviors for their bootloader. There are many distinct options available for the "set device ..." flag. In particular, EasyBCD uses

  • partition=x:
  • boot (NOTE: boot without any partition before it)
  • partition=boot
  • ramdisk=...
  • vhd=...
  • locate

I cannot recall off the top of my head the difference between "boot" and "partition=boot", but when/if I do, I can post back.

I don't know how you ended up with partition=\boot which is very wrong indeed. I will need to review the code to see how that happened. You don't want to use partition=x: for the {bootmgr} entry, as in most cases the boot partition is an invisible 100mb partition without a drive letter.
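As an added example (not from this thread or the EasyBCD project), a small Python pre-check that parses `bcdedit /enum {bootmgr}` style output and flags the `partition=\boot` device form the original poster hit, while accepting the drive-letter, `boot` and `partition=boot` forms mqudsi lists. The sample dump below is constructed, not captured from a real machine.

```python
import re

# Constructed sample in the layout of `bcdedit /enum {bootmgr}`; the device
# line reproduces the entry the original poster found after moving the boot drive.
SAMPLE_BCD_DUMP = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\boot
description             Windows Boot Manager
locale                  en-US
displayorder            {current}
                        {ntldr}
timeout                 30
"""

ELEMENT_LINE = re.compile(r"^(\S+)\s{2,}(\S.*)$")   # "key<spaces>value"
DRIVE_LETTER = re.compile(r"^partition=[A-Za-z]:$")  # e.g. partition=S:


def parse_bcd_entries(dump: str) -> dict:
    """Return {identifier: {element: value}} from bcdedit-style text."""
    entries, current, last_key = {}, None, None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):  # continuation row (e.g. 2nd displayorder item)
            if current is not None and last_key:
                current[last_key] += " " + raw.strip()
            continue
        match = ELEMENT_LINE.match(raw)
        if not match:            # section header or dashed rule: new object begins
            current = None
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "identifier":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
        last_key = key
    return entries


def check_bootmgr_device(entries: dict) -> tuple:
    """Classify the {bootmgr} device element as ('ok'|'fail'|'unknown', device).

    partition=\\boot is the form the thread reports as failing BitLocker's
    readiness inspection; a drive letter, 'boot' or 'partition=boot' pass.
    """
    device = entries.get("{bootmgr}", {}).get("device", "")
    if device == "partition=\\boot":
        return "fail", device
    if device in ("boot", "partition=boot") or DRIVE_LETTER.match(device):
        return "ok", device
    return "unknown", device


if __name__ == "__main__":
    print(check_bootmgr_device(parse_bcd_entries(SAMPLE_BCD_DUMP)))
```

On a Windows host the same functions can be fed the real output of `bcdedit /enum {bootmgr}` (run from an elevated prompt) before attempting to enable BitLocker.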