Qubes + Windows: Dual Booting with Secure Boot (with caveats) revisions


Revision #4

Edited on 2026-03-09
Edited by user tonicnapkin

**IMPORTANT:** This approach is specifically intended for users who require Secure Boot for their other operating systems (e.g., Windows with BitLocker). While this guide focuses on Windows, the method should work for any OS that does not rely on shim/MOK for its own boot process.

**IMPORTANT:** This approach is specifically intended for users who require Secure Boot for their other operating systems (e.g., Windows with BitLocker). But note that Qubes OS images (Xen, Linux) are NOT verified. While this guide focuses on Windows, the method should work for any OS that does not rely on shim/MOK for its own boot process.

Revision #3

Edited on 2026-03-08
Edited by user tonicnapkin

A solid countermeasure is [this setup](https://forum.qubes-os.org/t/install-qubes-os-with-boot-partition-and-a-detached-luks-header-on-usb/26366) is a solid option, which moves unencrypted data to a detached USB drive. You simply remove the drive when using the other OS.

A solid countermeasure is [this setup](https://forum.qubes-os.org/t/install-qubes-os-with-boot-partition-and-a-detached-luks-header-on-usb/26366), which moves unencrypted data to a detached USB drive. You simply remove the drive when using the other OS.

Revision #2

Edited on 2026-03-08
Edited by user tonicnapkin

Essentially there are only two steps:

Essentially there are only three steps:

- Disable MOK validation: `mokutil --disable-validation`

- Disable MOK validation: `mokutil --disable-validation`
- Enroll GRUB EFI binary (first time on boot)

If you are using my refined USB setup—where the Qubes `/boot` directory resides in an encrypted partition—there is further potential for hardening. For instance, one could embed the LUKS header inside the intermediate GRUB binary and sign/enroll it. This might provide enough security to store these components on the internal disk rather than a detached USB, though that requires further testing.

If you are using my refined USB setup—where the Qubes `/boot` directory resides in an encrypted partition—there is further potential for hardening. For instance, one could embed the LUKS header inside the intermediate GRUB binary and sign/enroll it. If the GRUB binary is modified, the shim will detect it and ask you to explicitly enroll it. This might provide enough security to store these components on the internal disk rather than a detached USB, though that requires further testing. Note: this does not protect from evil maid.