Triple-boot Linux, Windows 7 and Windows 10: a comprehensive guide

In my book, the last decent Windows system ever was 7. From Windows 10 onwards, it’s the sad and disgusting finalization of what a certain security researcher aptly called “zombification of general-purpose OS” – you as the user/admin/owner have no control whatsoever over that darn thing and are forced to accept with screeching teeth the removal of features you want, or on the contrary the forced addition of features you don’t want, forced to accept a new EULA under the threat of your OS going kaput, etc.

Essentially, being a hostage of Microsoft thugs, as this comic nicely puts it:

Win 11 goes even further by finally implementing the bigger part of what Microsoft originally tried back in the early 2000s with the then-Windows Longhorn, a prison-like evolutionary predecessor of Vista where you would be mostly only allowed to run Corporate-approved software, prohibited from even opening corporate-designated files or programs, and essentially locked out from control by the “Trusted Computing” NGSCB concept, which back then caused appropriate outrage among IT professionals:

Since then, the core of NGSCB was implemented as Intel ME and AMD PSP, and the TPM chip itself – still optional in Win10 – became mandatory in Win11. It only took Microsoft 16 years to crush all resistance and force their prison of a system for corporate DRM’s sake on helpless users.

For years, I’ve resisted Win 10 long after my current Windows EOS – it’s my tradition, I converted from Windows 98 to XP around 2005, and I converted from XP to Win7 when 7 was nearing EOS, hence around 2020. I said “never” to Win 10 because of what a zombie prison of an OS it is, yet it is still a far lesser evil than Win 11. So when compatibility issues finally forced their hand on me to install Win 10, I knew for a fact that it will not be an OS I would be running as a daily, not even close. Just a limited-use, time-constrained “forward compatibility” option.

Installing triple-boot

Which put me to a very atypical task, judging by StackOverflow and Superuser questions: installing not a dual-boot, but a triple-boot OS:

  • Debian Linux as the secure, work and development OS
  • Windows 7 as the kinda-trustworthy fun OS
  • Windows 10 as the untrustworthy “forward-compatibility” zombie-OS
  • (Ideally, I would add Windows XP x64 for “backward-compatibility” one day, if they can really run on GPT and boot from EFI as some say. One day.)

This required a fresh approach. So instead of migrating my old filesystem once more, I started with a fresh drive.

Some said that the Windows 10 installer doesn’t tolerate any other OS and requires a flush of the FS, so I bought an electronic license and started with that one. Turns out it’s not true; at least Win 10 Pro can work with partitions with no issue and tolerates other partitions.

However, the first time, Win 10 installed on an MBR FS. So scratch that.

Real step 1: boot into a live Linux and convert the drive’s partition table to GPT

Simple as that.

Step 2: let the Windows 10 installer create the EFI and MSR partitions. Oh, and bugfix the MS Media Creation Tool

The first step to install Win10 with an electronic license is to download the image and flash it onto a USB drive. A few years back, when MS was still a technology company and not a zombie service provider, there were ISO images of all major MS systems available on their site to flash as you please. Not anymore – now even the old links to ISO redirect to a single “choice” page which only offers the thin-client installer of the “Windows Media Creation Tool”. Caveat: it crashes on normal Windows 7.

The reason is typical Microsoft leniency: vanilla Windows 7 had (more) secure protocols like TLS 1.2 disabled by default, yet of course, the MSMCT depends on TLS 1.2. There is a patch from MS to fix that, but it doesn’t work. So you have to do some registry editing yourself, because the same fix fortunately describes how to do it manually. TL;DR:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp – add DWORD32 DefaultSecureProtocols = 820
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp – add DWORD32 DefaultSecureProtocols = 820
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings – add DWORD32 SecureProtocols = A80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings – add DWORD32 SecureProtocols = A80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client – add DWORD32 DisabledByDefault = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client – add DWORD32 DisabledByDefault = 0
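
Added example (not from the original post): a small POSIX shell decoder for the two bitmask values in the list above, assuming they are hexadecimal as regedit shows DWORDs by default. The bit assignments are the ones Microsoft documents for DefaultSecureProtocols and SecureProtocols; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: decode DefaultSecureProtocols / SecureProtocols bitmasks.
# Bit values: 0x8 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2.

# Print the protocols a hex mask enables; accepts "A80" or "0xA80".
decode_secure_protocols() {
    mask=$(( 0x${1#0x} ))
    out=""
    for pair in 8:SSL2.0 20:SSL3.0 80:TLS1.0 200:TLS1.1 800:TLS1.2; do
        bit=$(( 0x${pair%%:*} ))
        if [ $(( mask & bit )) -ne 0 ]; then
            out="${out:+$out,}${pair#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# Succeed (exit status 0) if the mask enables SSL 2.0 or SSL 3.0.
enables_ssl() {
    [ $(( 0x${1#0x} & 0x28 )) -ne 0 ]
}

# Succeed if the mask enables TLS 1.2, which the Media Creation Tool needs.
enables_tls12() {
    [ $(( 0x${1#0x} & 0x800 )) -ne 0 ]
}

# Report on the two values from the list plus a TLS 1.1/1.2-only mask (A00).
report() {
    for value in 820 A80 A00; do
        note=""
        enables_ssl "$value" && note=" (includes legacy SSL)"
        enables_tls12 "$value" || note="$note (no TLS 1.2)"
        printf '0x%s -> %s%s\n' "$value" "$(decode_secure_protocols "$value")" "$note"
    done
}
report
```

Decoded this way, 820 enables SSL 3.0 alongside TLS 1.2 and A80 enables TLS 1.0, 1.1 and 1.2; a mask of A00 would enable only TLS 1.1 and TLS 1.2.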

Then you can finally run the tool, let it download the Win 10 ISO image and flash it to the USB stick. Boot that via its UEFI entry in the boot menu. After you have the Win10 installer create a first system-sized partition, it will ask you to let it create the EFI and MSR partitions, which is exactly what you want it to do. Afterwards, proceed with a normal install to the system-size partition.

Hint: if you define the partition size in MB, like 100*1024 to get a 100 GiB partition, Windows Explorer will show it smaller. The trick is to add 8 MiB per every 10 GiB for FS overhead. Hence, to achieve a nice even 100 GiB partition, you need to specify 102480 MiB in the installer.

Some would tell you to then delete the Win10-installer-generated EFI and recreate it manually, but actually, don’t do that. Run the Win10 installer fro You’ll understand later. Install EFI-bootloader Win10.

Step 3: run Windows 7 installer from UEFI DVD

This is important. The UEFI boot selection menu has two entries for all legacy devices – normal or UEFI. If you select the normal DVD drive entry, the Win7 installer will boot in MBR mode and refuse to work with a GPT-filesystem drive. Some suggest copying Win 7 to an ISO and loading that onto a USB stick via a now-deprecated and withdrawn MS tool (still legitimately available on majorgeeks), but it turns out that if you rip your original Windows 7 installer DVD into an ISO, that ISO will be rejected by that tool. And it’s not really necessary, as all you need is to select the UEFI entry in the boot selection, and you would need to do that for the USB flash equally.

Install Win 7 normally. After installation (don’t forget to do the 1st boot to finalize setup), verify that you have a dual-boot system with entries for Win 10 and Win 7 in Windows Boot Manager.

Step 4: create 2nd EFI boot partition and remove boot flag from 1st

Windows requires and creates a 50-100 MB EFI boot partition, while Linux requires at least 300 MB. Other guides want you to mess with the Windows installer-created EFI partition, but that is both silly work and actually strongly detrimental to the triple-boot effort.

Instead, boot into a live Linux and install gparted and dosfstools. Then, in GParted, create a new 500 MB partition formatted as FAT32, add the boot flag to it, and remove the boot flag from the old 100 MB EFI boot partition.

Subsequently, do not use the dd or ddrescue utilities to copy the old Windows bootloader from the old 100 MB EFI partition to the new 500 MB one – it breaks the new partition. Instead, just mount both of these partitions and copy the files from the old to the new with plain old cp and its archive option (-a), which is recursive and retains all properties:

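# run as root in the live session
mkdir ~/efiold
mkdir ~/efinew
mount /dev/sda1 ~/efiold    # old 100 MB EFI partition
mount /dev/sda6 ~/efinew    # new 500 MB EFI partition
cp -a ~/efiold/. ~/efinew/  # copy the contents; "cp -a ~/efiold ~/efinew" would nest them under efinew/efiold
ls -lR ~/efinew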

Verify that the bootloader was copied to the new EFI partition, then unmount both and shut down the live CD.

From here on, we will be using the new 500 MB EFI partition, while the old 100 MB no-longer-EFI-boot partition will become a working backup of Windows Boot Manager safely stashed aside.

Note: you will probably have to do the exact same thing again later, since the Linux installer may delete MS entries from the EFI partition. That’s why it’s nice to have such an EFI backup readily available on a different partition instead of in a ddrescue file.
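
Added example (not part of the original post): one way to do that verification with checksums instead of eyeballing the ls output. It also catches a tree that was copied one directory level too deep, which is what cp produces when given the source directory itself rather than its contents. The function names and the dummy files are constructed for illustration; on the real system the two arguments would be ~/efiold and ~/efinew.

```sh
#!/bin/sh
# Added example: verify that a copied EFI partition tree matches the original.

# Build a constructed stand-in for the old EFI partition (dummy bytes, not real bootloaders).
make_sample_esp() {
    mkdir -p "$1/EFI/Microsoft/Boot" "$1/EFI/Boot"
    printf 'dummy bootmgfw\n' > "$1/EFI/Microsoft/Boot/bootmgfw.efi"
    printf 'dummy BCD\n'      > "$1/EFI/Microsoft/Boot/BCD"
    printf 'dummy bootx64\n'  > "$1/EFI/Boot/bootx64.efi"
}

# Print every file of $1 that is missing or has a different SHA-256 under $2.
# Returns 0 only when the copy is complete and identical.
verify_tree_copy() {
    src=$1; dst=$2; bad=0
    list=$(mktemp) || return 2
    (cd "$src" && find . -type f | sort) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$dst/$rel" ]; then
            echo "MISSING $rel"; bad=1
        elif [ "$(sha256sum < "$src/$rel")" != "$(sha256sum < "$dst/$rel")" ]; then
            echo "DIFFERS $rel"; bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Demo on temporary directories standing in for the two mounted partitions.
demo() {
    work=$(mktemp -d) || return 2
    make_sample_esp "$work/efiold"
    mkdir "$work/good" "$work/nested"
    cp -a "$work/efiold/." "$work/good/"     # contents land at the partition root
    cp -a "$work/efiold"   "$work/nested/"   # tree lands under nested/efiold/
    verify_tree_copy "$work/efiold" "$work/good"   && echo "good: OK"
    verify_tree_copy "$work/efiold" "$work/nested" || echo "nested: not at the partition root"
    rm -rf "$work"
}
demo
```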

Step 5: boot the Linux installer from UEFI USB and install

First, two caveats:

  1. use balenaEtcher instead of the old UNetbootin, otherwise new Linux distros may break and fail the install
  2. remember to boot the Linux installer from UEFI USB entry, otherwise it will not install to GPT

The important thing is to use manual partitioning, create new install and swap partitions, and then edit the 500 MB EFI partition and set its path to /boot/efi.

After install and reboot, Linux should come up, but it may very well have removed the Windows EFI entries. But since you’ve created a new EFI partition and kept the old Windows EFI partition intact as a backup, not marked EFI… You just copy the Microsoft and Boot folders from the old EFI partition into the new one, re-run update-grub with os-prober enabled, and Linux detects the Windows Boot Manager and adds it to the grub boot list.

The only caveat is that like this, the Grub boot list has just 2 entries: 1 for Linux and 1 for Windows Boot Manager. You have to first click WBM to enter a 2nd, uglier menu to select between Win 10 and Win 7.

Step 6: create separate EFI boot partitions for each of the Windows bootloaders

The problem is that both Windows instances share common EFI, which then becomes the Windows Boot Manager. To allow Grub to list separate instances for Win 7 and Win 10 alongside Linux on the same screen, we need to create separate EFI bootloaders for Win 7 and Win 10.

Thus, create one (or rather two, if you want to keep the original WBM EFI partition as a failsafe backup) new EFI partitions, and for each Windows instance, follow the guidelines from Kyhi at Tenforums:

bcdboot X:\windows /s E:

where E: is the EFI volume and X: is the Windows OS system partition

With a twist: each time, the other Windows installation must be hidden from the bcdboot of the active installation, otherwise a new Windows Boot Manager bootloader would be created instead.

Of course, there can be only one primary EFI boot partition, and that is the one which Linux knows as /boot/efi. So we’d probably need to copy the separate Windows bootloaders into the primary EFI partition, renaming them to avoid a naming conflict, and then re-run update-grub and hope for the best.
