Question: Two Windows 11 installs (Work & Gaming): can anti-cheat/DRM from the gaming OS access the work SSD?

ElenaLauder

Hi all,

Setup: ASUS PRIME X870-P WIFI, 2× M.2 NVMe (2 TB each).
I run two separate installs:

Windows 11 Work (office, projects, sensitive data)
Windows 11 Gaming (Steam, titles with anti-cheat/DRM like Vanguard, EAC, Denuvo)

In the BIOS I can’t find any option to disable individual M.2 slots.
My concern: Can anti-cheat/DRM drivers running in the gaming Windows (kernel-level) access the other, visible work SSD—e.g., scan file names or read data?
How safe is it if I “hide” the work SSD in the gaming OS (remove drive letter / mark disk offline)? Do these drivers still see the drive and can they technically bypass that?

I’ve seen M.2 hot-plug / swap modules, but I don’t have room in my case.
Looking for real-world experiences or a clean alternative for strong isolation (nothing too DIY-ish).

Thanks in advance!
 
Yes, kernel-level drivers of the gaming installation could read the disk of the work installation, even if it's unmounted or marked offline. So whether it's intolerable or not depends on how sensitive the data is. You'd need to encrypt it with BitLocker.

Other approaches like virtualization, e.g. running a virtual machine inside one OS to host the other, probably won't suit, as the gaming install would suffer decreased performance, and even if you tried to isolate it by, say, installing 'Windows on the go' onto a USB/NVMe drive, the game installation could still read the work disk.

So if you did it the other way around and made your work disk 'Windows on the go' and removable, well, you probably don't want your important work to become portable and loseable.

So it looks like encrypting the work drive with BitLocker is the only way to go. With BitLocker you need to create a recovery key and be aware of a raft of issues.

The downsides are you need a recovery key and have to be mindful to suspend BitLocker if making any hardware changes, and then you'd have to store multiple copies of the recovery key in different places: on USB drives and your Windows account.

Here's where it gets a bit rocky: you may not have a personal (I mean Microsoft) Windows account for your work installation; that's all tied to how your network is administrated, or if you are simply self-employed and dividing your PC between business and gaming.

If you ever lose the BitLocker recovery key then it's game over for your work data; nothing can crack it open again, and if the drive fails it's probably professionally expensive to recover.

There could be enough problems to suggest it's not worth it to game on your work PC.

You could get a USB/NVMe caddy if you have USB 3.1 or 3.2 ports available, and make your work disk removable without encrypting it. If the game disk is in the PC the work disk could read it, but none of those intrusive programs should be active.

But if the data is so sensitive that you don't even want some game DRM or anti-cheat reading it, why wouldn't you be worried if the disk could go walkies in an unencrypted portable format?
 
And it's using up a whole USB drive just for one ultra-important 'work data key', since they don't do them in 1 GB any more, or even 1 MB. And this is introducing potentially exploitable weaknesses, since the key could also go walkies.
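
The BitLocker points raised in the replies above (encrypt the work drive, suspend only for hardware changes, keep a recovery key) can be checked from each install. This is an added example, not code from any poster; it relies on the built-in `Get-BitLockerVolume` cmdlet, and the function name `Test-WorkVolumeIsolation` and the drive letter `D:` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. $WorkMount is an assumed drive letter for
# the work volume as seen from the currently booted install.
function Test-WorkVolumeIsolation {
    param(
        [Parameter(Mandatory)][string]$WorkMount,
        [Parameter(Mandatory)][ValidateSet('WorkOS', 'GamingOS')][string]$BootedFrom
    )
    $vol = Get-BitLockerVolume -MountPoint $WorkMount -ErrorAction Stop
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($BootedFrom -eq 'WorkOS') {
        # A partially encrypted volume still holds plaintext sectors.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("Encryption incomplete: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%")
        }
        # ProtectionStatus Off includes the suspended state, where the volume
        # key sits unprotected on disk and any OS can read the data.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add('Protection is off or suspended: resume it before booting the gaming install')
        }
        # Without a recovery password protector, a TPM or firmware change can lock you out.
        $types = $vol.KeyProtector.KeyProtectorType
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add('No recovery password protector: add one and store it outside this PC')
        }
    }
    else {
        # Seen from the gaming install, the work volume must stay locked.
        if ($vol.LockStatus -ne 'Locked') {
            $findings.Add("Work volume is $($vol.LockStatus) in the gaming OS: its data is readable here")
        }
        # Auto-unlock would store the work volume's key inside the gaming install.
        if ($vol.AutoUnlockEnabled) {
            $findings.Add('Auto-unlock is enabled for the work volume in the gaming OS')
        }
    }
    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        BootedFrom = $BootedFrom
        Pass       = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Example call with an assumed drive letter:
Test-WorkVolumeIsolation -WorkMount 'D:' -BootedFrom 'GamingOS'
```

Run it once in each install from an elevated PowerShell session, passing the letter the work volume has in that install.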
 
It's possible you could work around the virtualization performance drop by adding a second GPU, but that's not without headaches either: different brands and models don't sit together well in the same system any more, and dual GPU setups like xFire and SLI are a relic of the past.

You'd have a weaker GPU to run the Windows desktop of the host machine, which frees the entire second, more powerful GPU to run the hosted virtual machine for gaming, but it can be technically finickity.

Maybe you could do it if your CPU had an iGPU, but your work 'thin client' maybe doesn't have it, and of course more than 1 GPU active is going to increase the power consumption, so you'd need to know there's a decent cooler and power supply installed. Bit of spare memory for the iGPU to utilize also.

At least you couldn't probably do it without shelling out on more hardware and negotiating whatever technical hiccups the 'GPU passthrough' throws at you.

On the other hand, if your 'work PC' is a true monster meant for photoshopping and video editing or 3D modelling, it might already have enough hardware to even handle a virtual machine with capacity to spare. But that is north of high end sort of territory.