Hyper-V Program Manager
Up until recently, I thought it was impossible to use BitLocker drive encryption under Virtual PC / Virtual Server (because the virtual machines do not have a TPM for BitLocker to use). However, thanks to Pascal Sauliere, I now know how to do this. It is a bit complicated - so let’s get started:
And there you have it: BitLocker is now enabled on your virtual machine. If the virtual floppy disk is attached, the virtual machine will boot normally. If it is not attached, you will need to enter the recovery password generated by BitLocker in order to access Windows.
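The guest-side procedure from the post, condensed into one PowerShell session as an added example (this is not the post's own script, and the individual steps of the post are not reproduced here): it sets the local policy that permits BitLocker without a TPM, turns BitLocker on with a startup key on the virtual floppy plus a recovery password, and checks the result. The drive letters C: and A:, the registry value names under the FVE policy key, and the Hyper-V host cmdlet at the end are assumptions, and the VM name is hypothetical. On Vista, manage-bde shipped as a script (manage-bde.wsf, run with cscript) that takes the same options as the later manage-bde.exe.

```powershell
# Added example, not code from the original post. Run inside the guest as
# Administrator. Assumptions: the OS volume is C: and a virtual floppy is
# mounted as A:.

# 1. Local equivalent of the group policy setting the post relies on
#    (Vista: "Control Panel Setup: Enable advanced startup options";
#    Windows 7 and later: "Require additional authentication at startup")
#    with "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
# 2 = "Allowed" for each of the TPM-based protector types (assumed value names).
foreach ($v in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $v -Value 2 -Type DWord
}

# 2. Sanity check before encrypting: the startup key is written to a
#    removable drive, so the floppy has to be there.
if (-not (Test-Path 'A:\')) { throw 'No floppy mounted at A:; attach the VFD first.' }

# 3. Turn BitLocker on with a startup key (the .BEK file lands on A:) and a
#    numerical recovery password. Windows 7 and later: manage-bde.exe.
#    Vista, same options via the script form:
#      cscript manage-bde.wsf -on C: -rp -sk A:
manage-bde -on C: -RecoveryPassword -StartupKey A:

# 4. Verify: expect an "External Key" protector and a "Numerical Password"
#    protector. Record the 48-digit password somewhere that is not on the
#    host's disk next to the VM files.
manage-bde -protectors -get C:
manage-bde -status C:

# 5. On the Hyper-V host (Generation 1 VM, hypothetical VM name): attach the
#    floppy image only for booting. Where the .vfd file itself lives decides
#    how much the scheme is worth; see the discussion in the comments.
Set-VMFloppyDiskDrive -VMName 'vista-test' -Path 'D:\keys\bitlocker.vfd'
```

After encryption completes, detaching the floppy and rebooting should bring up the recovery screen rather than Windows; that is the quickest way to confirm the startup key is actually being required.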
Great. I guess it's working the same way in Hyper-V, right?
Have there been changes to the EULA that allow this configuration?
Alf - Yes, this would work on Hyper-V too.
Joe - Yes, the EULA has been updated to allow this configuration: http://download.microsoft.com/documents/useterms/Windows%20Vista_Ultimate%20and%20Ultimate%20SP1,%20Supplemental_English_d512375b-79d7-41e5-852d-45f69f7378dd.pdf
That's a great tip. Do you know whether a virtual TPM is in the works?
Not sure why you would want that.
A TPM is supposed to be a hardware device suitable for storing your encryption keys.
In essence, using a USB drive (and especially in this case with a simulated floppy) is already a virtual TPM.
To do that in software would negate the whole principle behind BitLocker (imho).
If you configure BitLocker to require a password to boot, this should make it difficult to compromise the VM if the host machine is physically stolen, provided the host was logged out or locked or (preferably) switched off.
Similarly it should be difficult to compromise the VM if you keep the virtual floppy disk image on removable media, unless of course said removable media was stolen along with the machine!
If the VM can boot without a password or physical media, e.g., if you stored the encryption information on a virtual TPM or kept the virtual floppy image on the physical HDD, BitLocker will provide only weak protection. Once the VM is booted, the host is always going to be able to take control of the guest, if necessary by directly modifying the guest's memory contents.
Question: wouldn't it usually be preferable to use BitLocker on the host instead of the guest?
If I've understood matters correctly, the TPM also ensures that the boot sequence has not been interfered with; that is, if someone has inserted malicious code into the boot loader the TPM is supposed to refuse to disgorge the encryption keys. That's something a virtual TPM could do that a virtual floppy can't.
However, in a VM scenario it doesn't really help all that much as the attacker can insert the malicious code after the VM has booted.
Technically there is nothing to it. BL could always be enabled in a VM, and it amazes me a bit that this is presented as if something really new had been found.
From a BL product group perspective, it is still not supported!
It worked on a fresh install of Vista Ent., but not on my company's Vista Ent. image. I get stuck when I run the cscript command as admin. Look at the error I get:
Thank you for the help.
Here's a screenshot of my group policy settings specific to bitlocker:
I'm thinking my error is a result of some configuration settings. Please help...thanks!
Just wanted to post the solution I found to my problem. Check your group policy settings under Group Policy (Start > Run, type "gpedit.msc", hit Enter; Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption).
With the exception of "Control Panel Setup: Enable advanced startup options," change all the other settings to "Not Configured." After this, reboot (not sure why, but it would only work after a reboot for me) and then run the cscript command again.
BOOM!!! It works =)
In Windows 7, it's just
manage-bde -on C: -rp -sk A: