1

I am wanting to have two Windows 10 installs on a single machine, either on separate partitions or even separate physical drives.

I have not used self-encrypting drives before, so I am not sure if they would allow me to do this, but I am wanting to boot to each self-encrypting hard drive with a separate password and to make sure that it's impossible to access usable data from one Windows install/drive on the other self-encrypting drive/Windows install. Virtualization is sadly not gonna cut it for my needs as I want maximum hardware performance and driver support.

How would I go about this? Could I create separate boot passwords in UEFI mode BIOS for each self-encrypting SSD drive? Or is it best to just enable BitLocker on either Windows install and that would do the trick? Perhaps if I just don't initialize the other drive in either Windows install that would be enough?

I am looking to do serious work from one Windows install/drive, while experimenting with various unsafe software on the other. As such I wouldn't want anything that I install on the drive where I will be installing unsafe software to compromise (read or write) data on my work-oriented drive and Windows install.

4
  • while experimenting with various unsafe software on the other. ... Vastly easier to do this with a Virtual Machine where you can make a copy, install whatever, and then throw it away. I would not use dual boot for this task. I have such a Windows 10 VM here.
    – anon
    Commented Jun 7, 2022 at 0:49
  • Disabling the disk drive (or controller, for e.g. NVMe or UAS) device in Device Manager might help...a bit?
    – Tom Yan
    Commented Jun 7, 2022 at 9:19
  • There is no way to limit access to hard drives with physical access to the computer, short of a VM or disconnecting the unused HDD prior to boot. What drivers won't work in Hyper-V, as connecting via RDP or Guest Services enables the ability for hardware pass-through for USB, peripherals, etc.? Windows 10+ also offers Windows Sandbox [pre-built Windows VM], which can be enabled via OptionalFeatures.
    – JW0914
    Commented Jun 7, 2022 at 11:08
  • It's possible on a single disk. I wrote a tutorial over here: experts-exchange.com/articles/33649/…
    Commented Jul 13, 2022 at 14:18

3 Answers

2

I can't believe the "unsafe software" (aside from Windows 10) needs "maximum hardware and drivers"?

This would typically be handled in a sandbox/burner/vm situation as mentioned above.

That said, anything with access to the physical machine has access to the machine. I believe Windows 10 has UEFI hooks, so it would still make your machine susceptible to any exploits there.

Encryption would be your best bet, but that wouldn't mitigate a ransom attack, where your encrypted data is re-encrypted, nor a low level keylogger, or, or, or.

1

If you wish to experiment with operating systems and questionable software, using dual boot or separate disks will be very inefficient.

You need to restart to get into the experimental environment, and then if it breaks, you need to rebuild it. Very slow.

With a decent modern machine (and especially with SSD drives) you can build virtual machines that perform very well. I work here in a VM all the time.

Set up your Windows Pro host, then use VMware Workstation Pro (very flexible) or Hyper-V (comes with Windows Pro and is decent, but not as flexible as VMware). I have both on two different host computers. I mostly use VMware Workstation because I like the flexibility.

In terms of experimenting, you can make a backup of the VM, experiment as you wish and restore the backup when done.

Two things about this:

(A) If the questionable software is network capable, use a Host Only connection for your VM to isolate from your main host.

(B) If the experimentation is short term in nature, also consider using Windows Sandbox. This is a temporary Windows machine, isolated from the host and then it disappears on host restart.

Sandbox works best with Hyper-V although it should also work with the newest version of VMware Workstation Pro and Windows 11 Pro.

Sandbox is the same OS as the Host Machine (so Windows 10 if Host is Windows 10 and Windows 11 if Host is Windows 11). You may need a Windows 10 (or lower) VM if you are using a Windows 11 Host. That means the flexibility of Virtual Machines.
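As an added illustration of points (A) and (B) above (this is not the answer author's code), the following PowerShell puts a throwaway Hyper-V VM on a switch with no host or LAN access, checkpoints it before the experiment, and generates a Windows Sandbox `.wsb` file with networking disabled and a read-only mapped folder. It assumes Hyper-V and Windows Sandbox are enabled, and the VM name `ScratchWin10`, switch name `Isolated-Private` and folder `C:\Samples` are placeholders.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell.
# Assumed placeholders: VM 'ScratchWin10', switch 'Isolated-Private', folder C:\Samples.

# (A) Hyper-V: a 'Private' switch lets VMs on it talk only to each other, never to the
#     host or the LAN. 'Internal' is the closest analogue to VMware's "Host Only"
#     (host and VM can reach each other, but nothing outside).
$switchName = 'Isolated-Private'
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}
$vm = 'ScratchWin10'
# Move every adapter of the VM onto the isolated switch
Get-VMNetworkAdapter -VMName $vm | Connect-VMNetworkAdapter -SwitchName $switchName

# Checkpoint before experimenting so the VM can be rolled back to a clean state
Checkpoint-VM -Name $vm -SnapshotName 'clean-before-experiment'
# After the experiment, discard everything that happened inside the VM:
# Restore-VMCheckpoint -VMName $vm -Name 'clean-before-experiment' -Confirm:$false

# (B) Windows Sandbox: a .wsb file is plain XML. Networking off, vGPU off, and a host
#     folder mapped read-only so samples can be copied in but nothing is written back.
#     (If the feature is missing: Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM)
$wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <vGPU>Disable</vGPU>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Samples</HostFolder>
      <SandboxFolder>C:\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
$wsbPath = Join-Path $env:USERPROFILE 'isolated.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding ASCII
# Launching the file starts a fresh sandbox; closing it discards the whole instance
Start-Process $wsbPath
```

The checkpoint/restore pair is the "backup the VM, experiment, restore" workflow from the answer expressed as two commands; the read-only mapped folder is what keeps the sandbox from altering anything on the host even if the software inside it tries.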

-1

Unsafe software can mean many things and not necessarily what has been portrayed: conflicting drivers, multiple versions of the same program, can all be unsafe, meaning they can create instability that would impact operations/productivity if not done on a separate environment.

And there are also very good reasons (even though they do not apply in most scenarios) not to go with a VM. A couple being: memory allocation locked in case it is required to pass-through a PCI device and performance/disk usage when using an encrypted filesystem (all space allocated, quickly backup the system image, etc.)

For example I've been struggling for 1+ year trying to have 2 separate NVMes with independent Windows systems both with BitLocker: one hosts a corp-issued Windows image, the second one my personal OS. I want both drives to be completely independent so whatever may happen I can:

  • return the system to the company with its original drive/image after removing my personal one
  • be able to install and access my personal NVMe on another computer should I remove it for whatever reasons and at the same time keep it encrypted in case the laptop gets lost.

Here's how I proceeded with both drives physically installed:

  • Deploy corp image on drive 0. During WinPE I removed the assigned drive letter from drive 1: corp policy encrypts everything non-removable.
  • Go to BIOS, disable drive 0 (it's not seen by the system at all), install personal image (didn't want Windows to detect the other install/boot manager but to be independent instead).

For a long time I had problems with BitLocker asking for the key at boot; took me a while to understand it was because I use an external Thunderbolt PCIe enclosure with 2 cards and had TB preboot activated: a change in the installed PCIe devices (docked/undocked) triggers the TPM->BitLocker.

But even now that I disabled TB's PCIe preboot, that keeps happening on my personal image and I really can't understand why.

As per the original post/author: unless (if you can) you want to go into BIOS each time and enable/disable your non-test partition to make it invisible to the "unsafe" one, there's little you can do. Encryption will prevent software from the unsafe disk from reading the data of the safe disk, but not from overwriting it.

1
  • 1
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Mar 15, 2023 at 2:13
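The last answer's closing point, that encryption stops the other install from reading your data but not from overwriting it, is worth checking from the "work" side. The following PowerShell is an added example (not from any of the answers above): run elevated on the work install, it verifies that the OS volume is fully BitLocker-protected with a TPM+PIN protector, flags any volume set to auto-unlock, and takes the experimental disk offline and read-only so this install never mounts or touches it. Drive `C:` and disk number `1` are placeholders for this machine.

```powershell
# Added example, not part of the original answers. Run in an elevated PowerShell on the
# "work" Windows install. Placeholders: OS volume C:, experimental disk number 1.
$workOsDrive    = 'C:'
$experimentDisk = 1   # assumed; 'Get-Disk' lists the real numbers

# 1. The OS volume must be fully encrypted and protection must be on (not suspended).
$os = Get-BitLockerVolume -MountPoint $workOsDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    throw "$workOsDrive is not fully protected: $($os.VolumeStatus) / $($os.ProtectionStatus)"
}
# A TPM-only protector releases the key silently at boot; TPM+PIN needs the user present,
# which is what the question's "separate password per install" amounts to with BitLocker.
$types = $os.KeyProtector.KeyProtectorType
if ($types -notcontains 'TpmPin') {
    Write-Warning "No TPM+PIN protector on $workOsDrive (protectors: $($types -join ', '))"
}

# 2. No data volume should auto-unlock: that would let this install open the other one's
#    volume without a password, defeating the separation the question asks for.
Get-BitLockerVolume | Where-Object { $_.AutoUnlockEnabled } | ForEach-Object {
    Write-Warning "Auto-unlock is enabled on $($_.MountPoint); remove it with Disable-BitLockerAutoUnlock"
}

# 3. Keep the other install's disk offline and read-only so no drive letter, shell,
#    indexer or updater on this side touches it. This is a Windows-level setting, not a
#    hardware barrier: an elevated process can still issue raw block writes, which is why
#    disabling the drive in BIOS (as the answer describes) remains the stronger control.
$disk = Get-Disk -Number $experimentDisk
if (-not $disk.IsOffline) {
    Set-Disk -Number $experimentDisk -IsOffline $true
}
Set-Disk -Number $experimentDisk -IsReadOnly $true
Get-Disk -Number $experimentDisk |
    Select-Object Number, FriendlyName, IsOffline, IsReadOnly, OperationalStatus
```

The same script, with the disk number swapped, applies on the experimental install to keep it from mounting the work disk; the read-only flag matters more there, since a BitLocker-locked volume is unreadable but its sectors can still be clobbered by whatever runs as administrator.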
