FileVault and BitLocker on a Mac with Boot Camp
July 09, 2017
In the past, setting up both FileVault encrypted macOS/OS X and BitLocker encrypted Windows on a Mac with Boot Camp required manually configuring the disk partitions in a specific way to work around limitations in the MBR (Master Boot Record) partition scheme. This now works by default using Boot Camp Assistant provided you have the following:
- a Mac that supports booting Windows in EFI mode (all Mac computers that support Windows 10)
- Boot Camp Assistant 6 or later (included in OS X El Capitan or later, and OS X Yosemite via update)
- Windows 8 or later
This is due to Boot Camp Assistant 6 using a different method to create the Boot Camp partition to support EFI booting for Windows 8 or later. The best explanation I have found is in the following article:
Modern Macs always boot via EFI, but Windows hardware has only recently started natively booting EFI. While there was some support for EFI booting Windows 7, Apple didn’t support EFI booting Windows until Windows 8. With the newest Apple hardware, Windows 8 or later is required, and EFI booting is the only way that Windows will boot on the Mac.
Usually you don’t have to worry about any of this, since Boot Camp Assistant and the Windows installer will set everything up correctly.
If you use Boot Camp Assistant to create the Boot Camp partition, you'll get a standard EFI "guard" MBR.
The hybrid MBR has an entry for each of the first 4 partitions. The guard MBR has only a single entry that covers the entire disk.
The key that allows having both FileVault and BitLocker is Boot Camp Assistant creating a "guard" (protective) MBR with only a single entry. Windows booted in EFI mode ignores that MBR and reads the GPT directly, so it is no longer confined to the four partition entries an MBR can hold and the Windows installer can create the extra partition BitLocker needs.
Why this didn’t work previously
Older versions of Boot Camp Assistant created a hybrid MBR so that Windows 7 and earlier could run in legacy BIOS mode. The MBR partition scheme, however, has a limit of four primary partitions, and the hybrid MBR set up by Boot Camp Assistant used all four.
As BitLocker requires a second partition, a hybrid MBR set up by Boot Camp Assistant had no spare entry available for it.
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
Previous solutions worked around this by setting up the MBR manually.
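To make the difference between the two layouts concrete, here is a small sector 0 parser, added for this post (it is not part of the original or of Apple's tooling). It lists the MBR partition entries, tells a protective ("guard") MBR from a hybrid one and reports how many of the four slots are still free, which is exactly what the older Boot Camp Assistant ran out of. The sample sectors inside it are constructed to look like the layouts described above, not dumps from a real Mac; to inspect a real disk, capture sector 0 on macOS with sudo dd if=/dev/rdisk0 of=sector0.bin bs=512 count=1 and pass the file as the first argument.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List

# Sector 0 layout: 446 bytes of boot code, four 16-byte partition entries, 0x55AA.
MBR_TABLE_OFFSET = 446
MBR_ENTRY_SIZE = 16
MBR_ENTRY_COUNT = 4            # the four-primary-partition limit of the MBR scheme
MBR_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE_TYPE = 0xEE     # type that says "the real partition table is the GPT"


@dataclass
class MbrEntry:
    slot: int          # 1..4
    bootable: bool     # 0x80 "active" bit in the status byte
    type_id: int       # e.g. 0xEE protective, 0xAF HFS+, 0xAB Apple boot, 0x07 NTFS
    start_lba: int
    sector_count: int


def parse_mbr(sector0: bytes) -> List[MbrEntry]:
    """Return the non-empty entries of the partition table found in sector 0."""
    if len(sector0) < 512:
        raise ValueError("sector 0 must be at least 512 bytes")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR")
    entries = []
    for slot in range(MBR_ENTRY_COUNT):
        offset = MBR_TABLE_OFFSET + slot * MBR_ENTRY_SIZE
        # status, 3 CHS bytes (ignored), type, 3 CHS bytes (ignored), start LBA, count
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", sector0, offset)
        if type_id == 0:                      # type 0 marks an unused slot
            continue
        entries.append(MbrEntry(slot + 1, bool(status & 0x80), type_id, start, count))
    return entries


def classify_mbr(entries: List[MbrEntry]) -> str:
    """
    "protective": the "guard" MBR, a single 0xEE entry; EFI firmware and an
                  EFI-booted Windows ignore it and use the GPT.
    "hybrid":     a 0xEE entry plus real entries mirroring GPT partitions for a
                  BIOS-booted Windows; each one costs one of the four slots.
    "legacy":     an ordinary MBR-partitioned disk with no 0xEE entry.
    """
    if not any(e.type_id == GPT_PROTECTIVE_TYPE for e in entries):
        return "legacy"
    return "protective" if len(entries) == 1 else "hybrid"


def free_mbr_slots(entries: List[MbrEntry]) -> int:
    """How many of the four MBR entries are still unused."""
    return MBR_ENTRY_COUNT - len(entries)


# ---- constructed sample sectors (illustrative values, not real disk dumps) ----

def _entry(status: int, type_id: int, start_lba: int, count: int) -> bytes:
    chs = b"\xfe\xff\xff"      # "beyond CHS addressing" marker used by modern tools
    return struct.pack("<B3sB3sII", status, chs, type_id, chs, start_lba, count)


def _sector0(*entries: bytes) -> bytes:
    table = b"".join(entries).ljust(MBR_ENTRY_COUNT * MBR_ENTRY_SIZE, b"\x00")
    return bytes(MBR_TABLE_OFFSET) + table + MBR_SIGNATURE


DISK_SECTORS = 976_773_168     # roughly a 500 GB disk

# Guard MBR as Boot Camp Assistant 6 leaves it: one entry from LBA 1 to the end of the disk.
GUARD_MBR = _sector0(_entry(0x00, 0xEE, 1, DISK_SECTORS - 1))

# Hybrid MBR in the style of older Boot Camp Assistant versions: all four slots taken
# (protective entry over the EFI system partition, HFS+ macOS, Recovery HD, NTFS Windows).
HYBRID_MBR = _sector0(
    _entry(0x00, 0xEE, 1, 409_639),
    _entry(0x00, 0xAF, 409_640, 585_937_500),
    _entry(0x00, 0xAB, 586_347_140, 1_269_536),
    _entry(0x80, 0x07, 587_616_676, DISK_SECTORS - 587_616_676),
)

# Plain MBR disk with one NTFS partition, for contrast.
LEGACY_MBR = _sector0(_entry(0x80, 0x07, 2_048, DISK_SECTORS - 2_048))


def describe(sector0: bytes) -> str:
    entries = parse_mbr(sector0)
    lines = [f"{classify_mbr(entries)} MBR, {free_mbr_slots(entries)} of 4 slots free"]
    for e in entries:
        flag = " (active)" if e.bootable else ""
        lines.append(f"  slot {e.slot}: type 0x{e.type_id:02X} "
                     f"start {e.start_lba} sectors {e.sector_count}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # a file holding a real sector 0
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read(512)))
    else:
        for name, sector in (("guard", GUARD_MBR), ("hybrid", HYBRID_MBR), ("legacy", LEGACY_MBR)):
            print(f"[{name}]\n{describe(sector)}")
```

On a Mac set up by Boot Camp Assistant 6 the output should be "protective MBR, 3 of 4 slots free" with a single 0xEE entry; a disk prepared by an older version shows "hybrid MBR, 0 of 4 slots free", which is the situation in which the Windows installer has nowhere to put the partition BitLocker needs. The same information can be read directly with sudo fdisk /dev/disk0 on macOS; the parser simply makes the classification explicit.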
Macs that support booting Windows in EFI mode
The Boot Camp Assistant configuration file (/Applications/Utilities/Boot Camp Assistant.app/Contents/Info.plist) provides an indication as to which Mac models are supported:
<key>PreUEFIModels</key>
<array>
    <string>MacBook7</string>
    <string>MacBookAir5</string>
    <string>MacBookPro10</string>
    <string>MacPro5</string>
    <string>Macmini6</string>
    <string>iMac13</string>
</array>
According to this, a Mac whose model identifier is newer than the one listed for its family (for example a MacBookPro11,1 or later, since MacBookPro10 is the last pre-UEFI entry) will be set up to boot Windows in EFI mode. The identifier of the machine you are on is shown in System Information, or by running sysctl hw.model in Terminal.
This matches Apple’s official list of Mac computers that support Windows 10.
Note: Apple’s list of Mac models you can use with Windows 8.1 includes older models. Presumably, these will be set up in legacy mode.
Configuring BitLocker on a Mac
BitLocker encryption normally requires a computer with a Trusted Platform Module (TPM) to hold the key that unlocks the operating system drive. As Macs don't have a TPM, the other requirement is to configure Windows to allow BitLocker without one. The setting is the Group Policy "Require additional authentication at startup" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) with "Allow BitLocker without a compatible TPM" ticked; in the registry it corresponds to the DWORD value EnableBDEWithNoTPM = 1 under HKLM\SOFTWARE\Policies\Microsoft\FVE. BitLocker then unlocks the drive with a startup password or a USB startup key rather than a TPM-sealed key, so the protection of the volume is only as strong as that password, and nothing checks the integrity of the firmware and boot loader before the key is released.
On recent Macs, the combination of Boot Camp Assistant and allowing BitLocker without a TPM is all that is required to have both FileVault encrypted macOS/OS X and BitLocker encrypted Windows.
Written by Tony Ho, who lives and works in Melbourne, Australia building things. You should follow him on Twitter