Bitlocker on Hyper-V Virtual Machine

Update 2017.11.29 - Thanks to for the idea, I was able to get FDE working using a pass-through disk, see bottom of post for more info.

Short post to go over something I found while researching Bitlocker Full Disk Encryption on Hyper-V virtual machines.

I was testing Enabling Bitlocker during our Task Sequence, and I didn’t have any physical machines to test on, no problem right?  With Hyper-V, you can now enable virtual TPM on Gen2 VMs, and have all the yummy goodness of UEFI, Secureboot, Bitlocker, Credential Guard all on your VM!  So I started testing, everything worked!  But when I checked the Bitlocker Status (manage-bde –status), it showed I was only encrypting Used Space.  While this would be fine for a Virtual Machine, I was confused because I told it to use Full Disk, NOT used space.  I ran many tests, trying several different things, but in the end, it never came out as I expected, with Full Disk.  Even post OSD, if I decrypted, ensured policy was set for Full Disk, it would only encrypt Used Space.  Finally, I gained access to a physical test machine, ran the exact same Task Sequence, and there it was, Full Disk Encryption. – Testing done on Hosts: Win 10 1607, 1709 & Server 2016.  VM’s running 1703 and 1709. Security settings were set to Enable Secure Boot & Enable TPM, tested Dynamic expanding & fixed disks. (Not Pass-through)

To Summarize.

  • Hyper-V Virtual Machine = Used Space Encryption only with Bitlocker *Unless you can use a pass-though disk.
    • This is by Microsoft Design, Bitlocker is “Hyper-V Aware” and will only run in Used Space only mode, even if your policy is set for Full Disk
    • Remember to eject your ISO you booted from before the Bitlocker steps, or it will error
  • If you need to test your Full Disk Encryption OSD settings, do it on a physical machine. - Below I have two screen captures side by side.  Left side = Physical Machine & right side = VM on that Physical Machine.  Both machines ran same TS telling it to use FDE, but only the Physical machine actually used FDE.

How do you change your TS from doing Used Space to Doing Full Disk?

  • Disable the Pre-Provision Bitlocker Steps
  • Add Registry key to set Full Disk Encryption before “Enable Bitlocker” Step.
  • Set “Enable-Bitlocker” step to Continue on Error
    • This will set several policies settings, like save the key to AD, and which way you want to deploy bitlocker (TPM only, etc)
  • Add Additional Manage-Bde Step: manage-bde -on C: -RecoveryPassword

Here are the details for the steps in my TS, as you can see, I also set it to use XTS AES 256 (except for flash media, which I use older type so it's more backwards compatible with other Windows computers)

 

 

2017.11.29 - Getting FDE to work using Pass-Though

Using an Offline Disk on the Host, and setting that as the drive on the VM, FDE works.

 

Thanks Paul, can now test FDE on VM!