How to boot Bitlocker Encrypted VHDX beside Ventoy

Ventoy is a great multi-boot USB tool; however, booting BitLocker-encrypted VHD(x) files is not supported. Luckily, there is a workaround.

Ventoy is a great and handy bootloader that supports booting multiple file types including VHD(x).

However, I could not get it to work for BitLocker-encrypted VHDXs: if the disk is encrypted, the Windows Boot Manager complains about not finding winload.exe.

So the workaround here is to do a native VHDX boot from the Windows Boot Manager, booted directly from UEFI without going through Ventoy. In essence, when the UEFI firmware starts, we have two entries: one to boot into Ventoy, and the other to boot the Windows bootloader, which can handle encrypted VHDX files properly.

However, the original EFI partition that Ventoy creates is too small to fit the Windows EFI files, and we cannot control its size.

Ventoy EFI partition is only 32MB (hardcoded)

What we can do instead is redesign the partition layout and create our own EFI system partition. When we first install Ventoy, we can instruct it to preserve some space at the end of the disk.

Partition layout after preserving space at the end of the disk

Then we need to create an EFI System partition which will hold the Windows boot files. Right-click on the unallocated disk space > New Simple Volume. We need to format the partition as a FAT32 filesystem.

New partition layout

(Important) We now need to mount the VHDX file. In the next step, bcdboot has to be told where the Windows directory is so that it can copy the boot files from there to the EFI partition.

Now in a command prompt:

bcdboot D:\Windows /s E: /f UEFI

"D:\Windows" is the Windows directory inside the VHDX file. Substitute the correct drive letter.

"E:" is the newly created EFI partition that will hold the EFI files. Substitute the correct drive letter.
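
The mount and bcdboot steps above as a PowerShell script with checks before and after the copy. This is an added example, not part of the original post; the VHDX path and both drive letters are placeholders, and it assumes the VHDX volume uses a BitLocker password protector.

```powershell
# Added example. Run from an elevated PowerShell prompt; all three values are placeholders.
$VhdxPath  = 'X:\images\windows.vhdx'  # placeholder path to the VHDX file
$WinLetter = 'D'                       # letter the Windows volume inside the VHDX receives
$EspLetter = 'E'                       # letter of the new FAT32 partition
$ErrorActionPreference = 'Stop'

# 1. Attach the VHDX if it is not attached yet (Storage module cmdlets).
if (-not (Get-DiskImage -ImagePath $VhdxPath).Attached) {
    Mount-DiskImage -ImagePath $VhdxPath | Out-Null
}

# 2. A BitLocker volume is locked right after attaching; bcdboot cannot read it until unlocked.
#    Assumes a password protector; use -RecoveryPassword with the 48-digit key otherwise.
$vol = Get-BitLockerVolume -MountPoint "${WinLetter}:"
if ($vol.LockStatus -eq 'Locked') {
    $pw = Read-Host -AsSecureString "BitLocker password for ${WinLetter}:"
    Unlock-BitLocker -MountPoint "${WinLetter}:" -Password $pw | Out-Null
}

# 3. Check both ends before writing anything.
if (-not (Test-Path "${WinLetter}:\Windows\System32\winload.efi")) {
    throw "No Windows installation found under ${WinLetter}:\Windows"
}
$fs = (Get-Volume -DriveLetter $EspLetter).FileSystem
if ($fs -ne 'FAT32') { throw "${EspLetter}: is formatted as $fs, expected FAT32" }

# 4. The command from the article.
& bcdboot "${WinLetter}:\Windows" /s "${EspLetter}:" /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 5. Confirm the boot manager and BCD store exist, then list the store for review.
$bootDir = "${EspLetter}:\EFI\Microsoft\Boot"
foreach ($f in 'bootmgfw.efi', 'BCD') {
    if (-not (Test-Path (Join-Path $bootDir $f))) { throw "Missing $bootDir\$f" }
}
& bcdedit /store (Join-Path $bootDir 'BCD') /enum all
```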

Now all is done. We reboot to check the boot configuration. Because we now have two FAT32 partitions that both contain valid boot files, the UEFI firmware will by default try to boot from the first FAT32 partition, which is the Ventoy partition. We can add a second, custom boot option that uses the second FAT32 partition from the UEFI boot configuration. Every firmware handles this differently, but most have some way of adding a custom UEFI boot option.

Success! We can now boot BitLocker-encrypted VHDXs and have Ventoy installed on a single disk.

Notes:

  • The FAT32 partition that will hold the Windows boot files has to be a primary partition, not a logical partition; otherwise booting Windows will fail.
  • This should only work in a UEFI boot environment; legacy BIOS has not been tested.