If you’re dual-booting Windows Vista Enterprise or Ultimate alongside a Linux distro and have installed the Linux bootloader into the MBR, then you’re guaranteed to run into problems when installing Vista Service Pack 1, Microsoft has admitted.
The service pack has a couple of prerequisite updates, and one of them, KB935509, contains an update to the Windows Vista bootloader. However, this bootloader is often replaced by open source bootloaders like GRUB when installing Linux onto a system.
Microsoft has excused itself by saying Vista SP1 contains an update to the BitLocker feature, and replacing the bootloader is a necessary prerequisite just in case the system being serviced contains a drive encrypted with BitLocker or, worse, an encrypted boot partition.
However, the update performs a “chain of trust” integrity check on the system’s boot sequence, from the onboard TPM chip through the MBR and into the operating system itself. In a dual-booting scenario where the Vista bootloader has been replaced (e.g. with GRUB or LILO), the integrity check fails and the update aborts, halting the service pack installation.
Microsoft Technology Advisor Michael Kleef explained to APC that “…BitLocker isn’t just about encryption and system validation, but rather data integrity. When you enter your PIN, BitLocker checks it every step of the way from the TPM chip through the bootloader, and if it finds something that doesn’t match what it’s expecting, access is denied. Installing LILO or GRUB effectively breaks the chain of trust, as these bootloaders take over the MBR, so on an encrypted boot partition this means that the system won’t boot.
“However, it’s actually a very good thing that the update and the servicing fail in this scenario, because you can just imagine the implications if the update automatically reinstalled the Vista MBR to restore boot integrity – we’d be flooded with complaints.”
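The chain-of-trust check described above can be modelled with the TPM extend operation, in which each boot stage is hashed into a register before it runs. The Python below is an added illustration, not Microsoft’s code and not part of the original article; the stage names, byte strings and secret are constructed stand-ins, and it assumes a single SHA-1 register where a real platform spreads measurements across several.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 register holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new value = SHA1(old value || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(stages) -> bytes:
    """Fold every boot stage, in order, into a register that starts at zero."""
    pcr = bytes(PCR_SIZE)
    for _name, blob in stages:
        pcr = extend(pcr, blob)
    return pcr


def first_divergence(expected, actual):
    """Name of the first stage whose content differs, or None if identical."""
    for (name, exp_blob), (_n, act_blob) in zip(expected, actual):
        if exp_blob != act_blob:
            return name
    return None


def unseal(sealed_pcr: bytes, stages, secret: bytes):
    """Release the secret only if the measured chain equals the sealed value."""
    return secret if measure_boot(stages) == sealed_pcr else None


# Constructed stand-ins for boot components (not real boot code).
VISTA_CHAIN = [("firmware", b"fw-1.0"), ("MBR", b"vista-mbr-code"),
               ("boot sector", b"ntfs-vbr"), ("boot manager", b"bootmgr")]
# Same machine after a Linux install rewrote only the MBR code.
DUAL_BOOT_CHAIN = [("firmware", b"fw-1.0"), ("MBR", b"grub-stage1"),
                   ("boot sector", b"ntfs-vbr"), ("boot manager", b"bootmgr")]

SECRET = b"volume-key (constructed)"
SEALED = measure_boot(VISTA_CHAIN)  # value recorded when the chain was trusted

if __name__ == "__main__":
    for label, chain in (("Vista MBR", VISTA_CHAIN), ("GRUB MBR", DUAL_BOOT_CHAIN)):
        ok = unseal(SEALED, chain, SECRET) is not None
        print(f"{label}: register={measure_boot(chain).hex()} unsealed={ok}")
    print("first differing stage:", first_divergence(VISTA_CHAIN, DUAL_BOOT_CHAIN))
```

Because every later value depends on all earlier ones, changing the MBR alone changes the final register even though the stages after it are untouched.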
Microsoft hasn’t tested dual-booting scenarios – certainly not to the extent that they’re prepared to comment on them at least – but there are a number of reports of successful workarounds in this situation.
If the Linux and Vista partitions are installed on the same hard drive, you have to restore the Vista MBR, either using the Vista recovery DVD or using the MBR reinstall feature contained within EasyBCD, before installing SP1.
If the operating systems are on different hard drives, simply change the drive boot order in the BIOS to point to the disk containing Vista first, thus bypassing the Linux bootloader on the primary disk.
Once SP1 has been installed, you can go back and either reinstall the non-Vista bootloader or change the hard drive boot order back to the way it was. But in either case, if Vista’s bootloader isn’t installed to the MBR, BitLocker won’t function and the MBR will need to be restored before it can be used.
The failure of KB935509 does not depend on whether BitLocker is active, but rather on the host operating system’s capacity for using it. Therefore, although the bootloader is unified across all versions of Vista, only Vista Enterprise and Ultimate are affected – other versions do not feature BitLocker and so do not require KB935509 as an SP1 prerequisite. APC tested this with different versions of Vista and has verified that they are unaffected.