
OK. So I used VeraCrypt to encrypt the system partition, and now Windows boots only its automated repair. After the repair, in what I think is the Windows Recovery Environment, I can choose to boot off USB, and THERE I can choose to boot the VeraCrypt loader.

I used BOOTICE (latest version) to modify the UEFI boot entries so that the VeraCrypt loader boots in the first place, by choosing "Active" and "Boot this entry next time" and by placing VeraCrypt in the first position on the list using the "Up" button. When I restart the PC, UEFI boots the VeraCrypt loader as it should, but when I switch the PC off and on again, UEFI boots the Windows Boot Manager, which loads the Windows Automated Repair again. This description is probably somewhat inaccurate because I don't exactly know how UEFI booting works [recommend me a good read ;)]. Obviously, in my UEFI (in BIOS) I can't find the VeraCrypt boot option; there is only the Windows Boot Manager and the EFI shell to choose from. How do I insert the VeraCrypt loader there? I have Secure Boot disabled.

I also tried to use the Windows BCDEdit cmdlet, but it is a no-go (it does not see the VeraCrypt loader). Neither does Visual BCD Editor. My system is an MSI H81-P33 & i5-4690K with the latest BIOS. Only BOOTICE somehow works.

Maybe the workaround would be to just modify the Windows Boot Manager to boot the VeraCrypt loader instead of the Windows loader? Is that a possible solution? How do I do that?

[Screenshot: BOOTICE unmodified boot entries]

daerragh
  • At least for dual-boot systems it works that way: you have to **deactivate the Windows entry**, resp. make the entry you want to boot the first active one (after Windows), because while rebooting, Windows will reorder itself to the first position or even recreate its entry at the first position if deleted. – DJCrashdummy Apr 01 '22 at 18:42

4 Answers


OK, I came up with a solution, and it works even after I switch off the computer. In BOOTICE I modified the Windows Boot Manager entry to load "\EFI\VERACRYPT\DCSBOOT.EFI" (the VeraCrypt loader) instead of the original Windows loader (\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI) and saved it. I only modified the "Media file:" text field in BOOTICE. When I reopened BOOTICE to see if the change stuck, I noticed that there are now 2 separate Windows Boot Manager entries: the original (which I presume Windows automatically recreated after I changed it) and the one I changed to the VeraCrypt loader path.

My UEFI (BIOS) now sees 2 separate Windows Boot Manager entries (which are named the same; no need to change that, I guess). I hope it doesn't compromise my security or Windows performance in any way. And I hope future Windows Updates won't mess with my solution.

I realize this is a "dirty" solution, so it would be nice if someone came up with something better.

[Screenshot]

daerragh
  • It is likely that Windows messes around with the boot entries/order during the next big update and you will have to fix it again... the solution in [my first comment](https://security.stackexchange.com/questions/138333/veracrypt-windows-boots-automated-repair-on-uefi-gpt#comment539387_138333) should stick. **||** At least you have to remember the workaround and revert it manually in case you decrypt your drive! – DJCrashdummy Apr 02 '22 at 13:03
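The answer above repoints the existing Windows Boot Manager entry at the VeraCrypt loader. As an added example (my own code, not from the original post or from the VeraCrypt project), here is the same job done with Windows' own `bcdedit` from an elevated PowerShell: a separate firmware (NVRAM) entry for `\EFI\VeraCrypt\DcsBoot.efi` is cloned from `{bootmgr}`, placed first in the firmware boot order, and a check function reports whether a later Windows update has undone it. The loader path is the one the answer gives; the entry name, the `S:` mount letter and the function names are my assumptions.

```powershell
# Added example, not from the question or answers. Run from an elevated
# PowerShell on a Windows that was itself booted in UEFI mode.
# Assumptions: the loader is at the path the answer gives, the display name
# is arbitrary, and S: is a free drive letter for mounting the ESP.

$ErrorActionPreference = 'Stop'
$LoaderPath = '\EFI\VeraCrypt\DcsBoot.efi'
$EntryName  = 'VeraCrypt BootLoader (DcsBoot)'
$EspDrive   = 'S:'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Confirm-SecureBootUEFI throws on platforms without Secure Boot support;
# treat that as "off".
function Test-SecureBootOn {
    try { Confirm-SecureBootUEFI } catch { $false }
}

# Mount the EFI System Partition and confirm the loader is really there. A
# missing file is the usual reason a firmware entry falls through to the
# Windows Boot Manager and then to Automatic Repair.
function Test-LoaderOnEsp {
    mountvol $EspDrive /S
    try     { Test-Path -LiteralPath ($EspDrive + $LoaderPath) }
    finally { mountvol $EspDrive /D }
}

# Clone {bootmgr} (a firmware entry bcdedit already knows), point the clone
# at DcsBoot.efi and put it first in the firmware display order.
# Returns the GUID of the new entry so it can be checked or deleted later.
function Add-VeraCryptFirmwareEntry {
    $out = (bcdedit /copy '{bootmgr}' /d $EntryName) -join ' '
    if ($out -notmatch '\{[0-9a-fA-F-]{36}\}') { throw "bcdedit /copy failed: $out" }
    $guid = $Matches[0]
    bcdedit /set $guid path $LoaderPath | Out-Null
    bcdedit /set '{fwbootmgr}' displayorder $guid /addfirst | Out-Null
    return $guid
}

# Re-run after every Windows update: does the entry still exist, still point
# at DcsBoot.efi, and still sit first in the firmware boot order?
function Test-VeraCryptEntryIntact {
    param([Parameter(Mandatory)][string]$Guid)
    $entry   = (bcdedit /enum $Guid 2>$null) -join "`n"
    $fw      = (bcdedit /enum '{fwbootmgr}') -join "`n"
    $pathOk  = $entry -match ('(?im)^path\s+' + [regex]::Escape($LoaderPath) + '\s*$')
    $firstOk = ($fw -match '(?im)^displayorder\s+(\{[^}]+\})') -and ($Matches[1] -ieq $Guid)
    [pscustomobject]@{ PathOk = $pathOk; FirstInOrder = $firstOk; Intact = ($pathOk -and $firstOk) }
}

# To undo before decrypting the drive (the comment above is right that you
# must remember this):
#   bcdedit /delete <guid>
#   bcdedit /set '{fwbootmgr}' displayorder '{bootmgr}' /addfirst

if (-not (Test-Elevated))   { throw 'Run from an elevated PowerShell.' }
if (Test-SecureBootOn)      { throw 'Secure Boot is on; the firmware will reject the VeraCrypt loader. Disable it first.' }
if (-not (Test-LoaderOnEsp)) { throw "$LoaderPath is not on the EFI System Partition." }

bcdedit /enum firmware                # what the firmware boot manager lists right now
$guid = Add-VeraCryptFirmwareEntry
Test-VeraCryptEntryIntact -Guid $guid
```

Two practical notes. `bcdedit` with no arguments lists only the Windows BCD store; firmware entries written to NVRAM by BOOTICE or by VeraCrypt itself only appear under `bcdedit /enum firmware`, which may be why the loader seemed invisible to BCDEdit in the question. And a firmware entry made this way lives in the same NVRAM `BootOrder` variable that BOOTICE edits, so on a board whose firmware resets that order on a cold boot (as the question describes), it will not stick either; in that case only repointing `{bootmgr}` as in the answer, or the deactivate-the-Windows-entry approach from the comment, remains.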

My description no longer works for Windows 1709. There are better results with:

https://github.com/th-wilde/veracrypt-w10-patcher

Note: as future Win10 updates can bypass the patch, including major security patches that alter the firmware, there is no guarantee the machine will always work, as with the way TrueCrypt works with Win7. While you can recover and roll back to the last good OS, it can take much time. BitLocker works without issue; or, in Win10 Home, use VeraCrypt in file container mode, which is reliable and transportable.


[THIS POST IS OBSOLETE. FOR HISTORICAL PURPOSES ONLY, AS AN EXAMPLE OF THE DIFFICULTY OF GETTING EARLY VERSIONS OF VC TO RUN]

On an InsydeH20 V5.0 UEFI "BIOS" running on an Acer E5-575:

Install all the latest Win10 updates

Boot to UEFI; press F2 on Acer machines at about 2 sec during boot

[Screenshot: UEFI Trust Table Editor]

Turn Secure Boot off [A on pics]: set it to 'disabled'

IMPORTANT, in UEFI: set the System Admin and User passwords [1 on pics], and set the Password-on-boot option. Do not set a hard disk password, as it may interfere with Win10 updates. Admin and User passwords on UEFI will stop all Win10 reboots at the UEFI/BIOS interface, so you can interrupt auto-boots to troubleshoot VeraCrypt faster, and stop direct writes to UEFI by malware.

Run VeraCrypt 1.19 disk partition encryption

If it fails on one pass, do it again. It should pass on the 2nd+ attempt. If not, boot via the rescue disk. This is because UEFI doesn't recognize the location, or the file itself ("veracryptb", the bootloader) on the hard disk, as "trusted."

[Screenshot: UEFI Trusted Bootfile List]

If VeraCrypt still fails: STOP, and proceed only if you know UEFI, VeraCrypt and Win10 well, as written below.

* If VeraCrypt still fails but boots from the rescue disk, proceed with caution as noted above. *

Complete VeraCrypt full disk encryption

Once it is completed and reboots, enter UEFI/BIOS

Turn ON Secure Boot [A on pic]; it allows edits to the boot files list to mark them 'trusted' [2 on pic]

[Screenshot: Edit secure boot file list]

On the boot order screen, locate VeraCrypt and move it to the top of the boot priority order. Move Windows Boot Manager to near the bottom [B on pic].

Turn Secure Boot off; the VeraCrypt bootloader will remain at the top, and the list of bootloaders is now not editable

Reboot

Enjoy.

NB: Secure Boot must be off permanently because the VeraCrypt signature does not reside in a separate UEFI Secure Boot table in firmware. You can generate one and enter it, as described in the VeraCrypt forum, or run without Secure Boot. I suggest leaving SECURE BOOT OFF, as the VeraCrypt signature-generating script has bricked some UEFI/BIOS.

A malware bootloader cannot run in the UEFI because, to boot, it must be added to the trusted list, which can be done only with SECURE BOOT ON to edit the boot file trusted list; malware cannot do that without the UEFI Admin password to change the UEFI settings from SECURE BOOT OFF. So far, rootkit malware cannot run below or at the UEFI preboot level, as we know today, to hack the admin password in UEFI, so it remains secure even with SECURE BOOT OFF. With SECURE BOOT ON, if the malware signature adds itself to the trust list, it still does not exist in the SECURE BOOT table in firmware, so it cannot run. However, VeraCrypt has a script to add its signature to the firmware trust table [with mixed results], so it is possible for malware to do the same with SECURE BOOT ON.

Malware may boot if it tries to mimic the trusted files in the UEFI InsydeH20 table with SECURE BOOT OFF, if InsydeH20 doesn't use signatures to secure its integrity. The prior post shows another user renamed veracryptb to Windows Boot Manager and booted, showing the mimic ploy can work for the Windows Boot Manager. However, it is not easy to mimic the veracryptb bootloader due to the keys generated during the creation of the secure partition that are unique to each bootloader; a mimic will likely fail to boot into VeraCrypt. The above applies only to the InsydeH20 UEFI implementation; for your UEFI, YMMV.

Do not edit the TPM state unless you are sure. If the signatures cannot be generated on the fly or are factory-supplied only, clearing the state may brick the PC [3 on pic].

  • When Win10 updates, it may check that its bootloader has not been altered and compare signatures. If so, and it finds problems, a copy of the true bootloader is written, or pointed to by the boot manager. This happens only with major updates rather than incremental security updates. This could repoint the file to the Windows bootloader or overwrite veracryptb, so the boot will bomb. The Acer InsydeH VeraCrypt install is legitimate and should cause no problems, and to date, even with the major Win10 Creators Update run after VeraCrypt was installed, all is well. Good luck. – C6760H10447N1743O2010S32 Jun 01 '17 at 18:06

"VeraCrypt Setup 1.23-Hotfix-2.exe" works reliably with Windows 10 Home, after 6 months of testing which included:

  • weekly security updates
  • two major feature updates, 1809 and 1903

No customization of the UEFI is needed. Just follow the VeraCrypt install instructions. It has worked under normal Win10 Home with the available menu options; no special changes, scripts or hacks of the registry.

However, YMMV depending on your UEFI version and on non-Acer devices, as others on the VeraCrypt forum still raise issues. I am unclear as to why their settings do not work; they did not provide enough technical detail.

Tested with:

Default factory configuration for both TPM and UEFI. The InsydeH20 V5.0 machine from the prior post was reset to factory and remains on the original UEFI, not updated, but passwords are set for altering the UEFI.

  1. InsydeH20 V5.0

  2. Acer BIOS Version/Date, actually American Megatrends Inc R01-A3, 5/16/2018

Please set the ADMIN PASSWORD of your device to add assurance that no changes are made to UEFI without your express knowledge, and use a password unknown to Windows. UEFI specifications support direct writing into UEFI from an external device/app given permissions, and in some reports Windows feature updates have set some UEFI settings back to default; it is unclear whether the local ADMIN PASSWORD was set or was bypassed. In any event, setting the password is a good safety feature. You may also toy with setting the hard drive password, if available, as added assurance against 'evil maid' attacks; while the UEFI can write to such drives to set and read the drive password, the drive lock runs proprietary firmware that resides in the drive [e.g., Seagate, Toshiba, WD, etc.] and cannot be controlled by UEFI.

  • (Originally posted by Phil in the form of an answer to this question) @C6760H10447N1743O2010S32: Hello! Is 1.23b the "1.23-Hotfix-2 (Monday October 8, 2018)" version? On the VeraCrypt website, this is the latest stable. If not, where can I find 1.23b? – Cowthulhu Jun 20 '19 at 16:10
  • I am sorry. YES, use the latest release, "VeraCrypt Setup 1.23-Hotfix-2.exe". To clarify, in Jan 2019 I began testing with the beta version of 1.23, which is now the current release. My error. Sorry again. I have corrected my post. – C6760H10447N1743O2010S32 Jul 03 '19 at 13:37
  • @Phil here you go! – Cowthulhu Jul 03 '19 at 14:32