Encrypting macOS and Windows on the same Mac

Updated for the new MacBook Pro 16

Update 27 January 2019: Confirmed to work on the MacBook Pro 16.

Starting with a fresh (or restored) macOS 10.15.2 installation — with FileVault enabled — you can use Boot Camp Assistant to partition your hard drive, install Windows 10 Pro and enable BitLocker per the steps outlined in the section, “Encryption (FileVault and BitLocker),” below.

Update 03 November 2019: macOS 10.15.1 works the same as 10.14.5 (below).

Update 06 July 2019: macOS 10.14.5 works the same as 10.13.5 (below).

Update 05 July 2018: With macOS 10.13.5, I can confirm that you can start with an existing FileVault enabled macOS (APFS) installation and use Boot Camp to partition, install Windows 10 (Pro) and enable BitLocker without affecting the encrypted macOS installation.

TL;DR — Set up macOS High Sierra (10.13) with FileVault and Windows (10, Pro) with BitLocker, without manually creating all of the required partitions for both operating systems.

In short, do a clean install of macOS, use Boot Camp to install Windows, boot back into macOS, enable FileVault (optionally, wait for it to finish), boot into Windows and finally enable BitLocker (without a TPM option).

  • Hardware—I used a MacBook Pro 15, Mid 2015.
  • External USB drive—to back up your Mac using Time Machine.
  • Optional—USB 8+GB, to make a bootable macOS High Sierra (10.13) installer so you don’t have to wait for the Recovery System to download and install it.
  • Windows 10, 64-bit ISO — which you can download free from Microsoft: https://www.microsoft.com/en-us/software-download/windows10ISO. This ISO should contain both the Home and Pro versions. Note that only the Pro version will support BitLocker.

Note: The easiest way to do this is to perform a clean install of both operating systems, starting with macOS.

  • Create a backup of your Mac using Time Machine on the external USB drive.
  • Optionally, to make installing macOS faster, you can create a bootable macOS 10.13 USB drive by following this article from Apple: https://support.apple.com/en-us/HT201372.
  • Boot into the Recovery System by restarting your Mac and holding down Command+R. If you made a bootable USB drive, plug it in before restarting and hold down alt during restart instead.
  • Select the Install macOS High Sierra option from the boot menu if you held down alt.
  • Launch the Disk Utility app in the installer and erase/format the main drive as APFS.
  • Exit the Disk Utility app and install macOS on the newly formatted partition.
  • Set up the Mac as a new computer and create a temp user account to use to install Windows using the Boot Camp Assistant. Optionally, you can restore your Time Machine backup, but it might mess up the Boot Camp Assistant when it tries to partition the drive. It did for me and doing a clean install yielded the best result.
  • Once you’re back in at the desktop, start the Boot Camp Assistant and pick the Windows 10 (64-bit) ISO you’ve downloaded and put onto the external drive or USB. If not, you can download it here: https://www.microsoft.com/en-us/software-download/windows10ISO.
  • Pick the size of your Windows partition using the slider, then click, “Install.”
  • After Boot Camp Assistant finishes, it will restart into the Windows installer.

Note: the Windows setup isn’t optimized for retina displays so everything is really really small…squint!

  • Select your language, time and currency, and keyboard input method and click, “Next.”
  • In the Activate Windows step, you can choose to skip the product key entry by clicking on the, “I don’t have a product key,” link next to the, “Next,” button. NOTE: You don’t need a product key to use Windows, it will just lock you out of themes, add a watermark at the bottom right corner of the screen and occasionally hassle you to buy a copy.
Choose, “I don’t have a product key,” if you want to install a specific version of Windows
  • Choose, “Windows 10 Pro,” on the, “Select the operating system you want to install,” step and click, “Next.”
  • Agree to the licensing terms and click, “Next.”
  • Pick the partition that has, “BOOTCAMP,” in its name in the, “Where do you want to install Windows?” step.
  • Wait for the Windows installer to finish and boot into the Windows Welcome Screen.
  • NOTE: I chose not to connect to my wifi or the internet for the next few steps.
  • Complete the steps for creating a Windows user, then log back into Windows with that user.
  • At this point, the Boot Camp services and drivers Windows installer will start. Let it run until it prompts you to restart the computer. Restart it and log back into Windows to ensure that everything installed correctly.
These two look different because the display drivers weren’t installed yet.
The resolution of Windows will change after the display drivers are installed.
Check the Device Manager to confirm that all drivers were installed correctly and that there are no red exclamations or yellow warning triangles
  • Boot back into macOS by restarting and holding down alt to bring up the startup disk boot menu, then selecting Macintosh.
You can hold `control` while clicking on a drive to make it the default startup disk
  • In macOS, go to the Preferences app > Security & Privacy > FileVault and enable it.
  • Choose an option to store your recovery key.
  • Then start the encryption process. It will take a while…
It’ll take a while, but you can still do the remaining steps while it is running. Just remember to come back and let it finish once you’re done setting up Windows BitLocker.
  • Boot into Windows and make sure all of the latest security updates are installed in Windows Update.
  • Install any additional Apple drivers/updates by running the, “Apple Software Update,” app.
You can search for it in the Start menu. When I ran it there were 3 updates — network, sound and display.
  • Restart Windows once the updates are done.
  • Open up the Group Policy editor by searching for it in the Start menu.
Like the Apple Software Update app, you can search for the Group Policy editor in the Start menu.
  • Choose Administrative Templates > Windows Components > BitLocker System Drives > Require additional authentication at startup.
  • Select, “Enabled,” and make sure the, “Allow BitLocker without a compatible TPM,” checkbox is checked.
  • Search for, “BitLocker,” from the Start menu and start the Manage BitLocker wizard.
  • Go through the wizard and remember to set a strong password and save/print your recovery key (keep it safe!).
  • I picked the, “Encrypt entire drive,” option since my drive is/has been in use by macOS and previous versions of Windows.
  • Check the, “Run BitLocker system check,” option to start the process.
  • Restart Windows, booting back into Windows, to confirm that BitLocker is encrypting. You will see a blue screen prompting you for your BitLocker password every time you restart Windows.
This is where you enter your BitLocker password, not your Windows user password.
  • Since there is nothing on the Windows partition, BitLocker should only take about 15–30 minutes to complete.
  • Don’t forget to let the macOS FileVault encryption finish, if you decided to reboot into Windows to set up BitLocker during its encryption process.
  • You can delete the temp user you created in macOS after you’ve restored your user, applications, settings and files from Time Machine.
  • If you created a temp user for Windows before signing into your Microsoft Account, you can delete that one too.
  • Make sure both systems are up-to-date by checking for Software Updates in macOS and Windows Updates in Windows.
  • DON’T install any Windows drivers from the hardware manufacturer. Install only drivers that are made for your Mac and your version of Boot Camp. You can periodically run the Apple Software Update app to check for new driver updates or use the Boot Camp Assistant in macOS to download new support software.
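
Because the steps above let you reboot into Windows while FileVault is still encrypting, it is worth confirming from macOS that encryption actually finished. The script below is an added example, not part of the original post: it classifies the text printed by `fdesetup status` and treats anything other than a plain "FileVault is On." as not finished. The function names and the sample output are constructed here, and the exact status wording is assumed to match what your macOS version prints.

```shell
#!/bin/sh
# Added example (not from the original post): classify FileVault state from
# the text printed by `fdesetup status`, failing closed on unknown wording.

# Constructed sample of output seen while encryption is still running.
SAMPLE_IN_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42'

# filevault_state TEXT -> on | off | encrypting:<pct> | decrypting:<pct> | unknown
filevault_state() {
    text=$1
    # Pull the percentage, if any, from a "Percent completed = N" line.
    pct=$(printf '%s\n' "$text" |
        sed -n 's/.*Percent completed = \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case $text in
        # Progress lines are checked first: "FileVault is On." is printed
        # even while the volume is only partly encrypted.
        *"Encryption in progress"*) echo "encrypting:${pct:-?}" ;;
        *"Decryption in progress"*) echo "decrypting:${pct:-?}" ;;
        # Exact matches only, so unexpected wording is never read as "done".
        "FileVault is On.")  echo on ;;
        "FileVault is Off.") echo off ;;
        *) echo unknown ;;
    esac
}

# filevault_ready TEXT -> exit status 0 only when encryption has finished.
filevault_ready() {
    [ "$(filevault_state "$1")" = "on" ]
}

# Use the live tool on a Mac; fall back to the constructed sample elsewhere.
if command -v fdesetup >/dev/null 2>&1; then
    current=$(fdesetup status 2>&1) || current=''
else
    current=$SAMPLE_IN_PROGRESS
fi

if filevault_ready "$current"; then
    echo "FileVault: fully encrypted"
else
    echo "FileVault: not finished ($(filevault_state "$current"))"
fi
```

Run it in Terminal after booting back into macOS; until it reports fully encrypted, part of the macOS volume is still unencrypted on disk.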

Once both operating systems are encrypted, you won’t be able to use the startup disk function in macOS or the, “Restart in OS X…” option in Windows to reboot. You will need to restart and hold down alt and pick which operating system you want to boot into.

To choose which one is the default, at startup, hold control when selecting the operating system to boot.

That’s it, enjoy!
