I was giving a presentation the other day about SCVMM and our experiences. During the conversation a question came up: “Can you use BitLocker in a virtual environment?” Ben Armstrong wrote a nice little article on just how you do this.
Up until recently, I thought it was impossible to use BitLocker drive encryption under Virtual PC / Virtual Server (because the virtual machines do not have a TPM for BitLocker to use). However, thanks to Pascal Sauliere, I now know how to do this. It is a bit complicated – so let’s get started:
- Create a new virtual machine.
Configure the virtual machine with the appropriate amount of memory and disk space for the Vista configuration that you want to use.
Note – enabling BitLocker will cause a dynamically expanding virtual hard disk to grow to its maximum size – so make sure you choose a small enough virtual hard disk size / have enough space on your physical hard disk.
- Create a new virtual floppy disk.
From the Virtual PC Console select File and Virtual Disk Wizard. Then select Create a new virtual disk, A virtual floppy disk and specify a file name and location for the new virtual floppy disk (leave it to be a 1.44 megabyte (high density) floppy).
- Configure the BIOS boot options for the virtual machine.
In order for BitLocker to work, the virtual machine needs to be configured to not try to boot off of a floppy disk. You will need to start the new virtual machine and immediately press the ‘DEL’ key. Once you see the BIOS configuration page, change to the Boot page and press enter on Boot Device Priority. Select the Floppy Drive option and change it to Disabled. Finally – press F10 to save changes and exit the BIOS.
- Install Windows Vista.
Next you will need to install Windows Vista Enterprise or Ultimate Edition (only these editions support BitLocker). But there is one trick to be aware of: the partition that is used to actually boot the system cannot be encrypted. So when you get to the “Where do you want to install Windows?” screen, press Shift + F10. This will open a command prompt where you will need to type in:
rem select/create are diskpart commands, so start diskpart first and exit it before formatting
diskpart
select disk 0
create partition primary size=1500
create partition primary
exit
rem assumes Setup assigns C: to the second (large) partition and S: to the first (1500 MB) one
format c: /y /q /fs:NTFS
format s: /y /q /fs:NTFS
Now click on Refresh, then complete the installation of Windows Vista on the second partition (and install Virtual Machine Additions when you are done).
- Attach the virtual floppy disk to the virtual machine.
Open the Floppy menu and use Capture Floppy Disk Image to attach the virtual floppy disk created in step 2.
- Setup BitLocker (configured to use the floppy disk for the security key).
Run gpedit.msc and go to Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components and then BitLocker Drive Encryption. Double click on “Control Panel Setup: Enable advanced startup options”, select Enabled and make sure “Allow BitLocker without a compatible TPM” is checked.
Once you have done this, open an administrative command prompt and run:
cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
Then reboot the virtual machine.
Note – you should take a copy of your rescue key – otherwise you will be in a lot of trouble if you lose the virtual floppy disk.
- Confirm that BitLocker is enabled.
After booting Windows, open the Control Panel, click on Security and then on BitLocker Drive Encryption. This should tell you that C: is either encrypted, or currently being encrypted.
And there you have it – BitLocker is now enabled on your virtual machine. If you have the virtual floppy disk attached – the virtual machine will boot. If you do not have the virtual floppy disk attached – you will need to provide the security code generated by BitLocker in order to access Windows.
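The confirmation step above leaves you reading the Control Panel by hand, and the note about copying the rescue key is easy to skip. The following PowerShell script is an added example (not from Ben Armstrong's post or this blog): it runs manage-bde -status and manage-bde -protectors -get, checks that both a startup (external) key and a numerical recovery password protector exist, and saves the recovery password to a file. The -Offline switch, the constructed sample output and the placeholder IDs are assumptions of this example.

```powershell
# Added example: confirm the protectors that "manage-bde -on C: -rp -sk A:" creates
# (external startup key + numerical recovery password) and back up the password.
# Assumes the manage-bde text layout mirrored in the constructed sample below.
param(
    [string]$Volume = 'C:',
    [string]$BackupPath = "$env:USERPROFILE\bitlocker-recovery.txt",
    [switch]$Offline   # parse the constructed sample instead of running manage-bde
)

# Vista ships manage-bde as a WSF script run under cscript; later releases ship manage-bde.exe.
function Invoke-ManageBde {
    param([string[]]$ManageBdeArgs)
    $wsf = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
    if (Test-Path $wsf) { & cscript.exe //nologo $wsf @ManageBdeArgs } else { & manage-bde.exe @ManageBdeArgs }
}

# Reduce the verbose status and protector listings to the three facts that matter.
function Get-BitLockerSummary {
    param([string[]]$StatusLines, [string[]]$ProtectorLines)
    $encrypted = $null; $startupKey = $false; $recovery = $null
    foreach ($line in $StatusLines) {
        if ($line -match 'Percentage Encrypted:\s*([\d.]+)') { $encrypted = [double]$Matches[1] }
    }
    foreach ($line in $ProtectorLines) {
        if ($line -match '^\s*External Key:') { $startupKey = $true }
        # the recovery password is the 48-digit key printed as eight 6-digit groups
        if ($line -match '^\s*(\d{6}(?:-\d{6}){7})\s*$') { $recovery = $Matches[1] }
    }
    New-Object PSObject -Property @{ PercentEncrypted = $encrypted; StartupKey = $startupKey; RecoveryPassword = $recovery }
}

if ($Offline) {
    # Constructed sample (placeholder IDs and key), shaped like real manage-bde output.
    $status = @('Volume C: [OS]', '    Conversion Status:    Encryption in Progress', '    Percentage Encrypted: 37.5%')
    $protectors = @('Volume C: [OS]', 'All Key Protectors', '', '    External Key:',
        '      ID: {PLACEHOLDER-EXTERNAL-KEY-ID}', '      External Key File Name:', '        PLACEHOLDER.BEK', '',
        '    Numerical Password:', '      ID: {PLACEHOLDER-RECOVERY-ID}', '      Password:',
        '        111111-222222-333333-444444-555555-666666-777777-888888')
} else {
    $status = Invoke-ManageBde @('-status', $Volume)
    $protectors = Invoke-ManageBde @('-protectors', '-get', $Volume)
}

$s = Get-BitLockerSummary $status $protectors
if (-not $s.StartupKey) { Write-Warning "$Volume has no external key protector; the floppy will not unlock it." }
if ($s.RecoveryPassword) { Set-Content -Path $BackupPath -Value $s.RecoveryPassword; Write-Host "Recovery password saved to $BackupPath (move it off the VM)." }
else { Write-Warning "$Volume has no recovery password; add one with: manage-bde -protectors -add $Volume -rp" }
Write-Host "$Volume is $($s.PercentEncrypted)% encrypted."
```

Run it with -Offline first to see the parsing against the sample, then without the switch from an administrative prompt inside the VM.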
This works on Hyper-V as well, and before the old BitLocker peeps kick into gear: the EULA has been updated to allow this configuration: http://download.microsoft.com/documents/useterms/Windows%20Vista_Ultimate%20and%20Ultimate%20SP1,%20Supplemental_English_d512375b-79d7-41e5-852d-45f69f7378dd.pdf