BitLocker in a virtual machine without TPM or USB: howto tutorial?
11 03 2008
Before I read the Step-by-Step Guide document quoted below, I tried getting BitLocker Drive Encryption running in a virtual machine.
Windows BitLocker Drive Encryption Step-by-Step Guide
For a non-TPM scenario, you use a startup key to authenticate yourself. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.
Using USB removable storage in a VMware virtual machine is just not going to work. The only way to get BitLocker working in a virtual machine is to change the group policy setting so that BitLocker is allowed to work without a TPM chip, and to use a floppy disk as the storage for the startup key. A floppy disk is available in a virtual machine during the boot process of Vista; a USB flash drive is not. I was able to run the BitLocker Drive Preparation Tool successfully, but after the final check before encrypting the C: volume the system complained that the removable storage was not available during the boot process of Windows Vista.
These are the steps I executed from the BitLocker Drive Encryption control panel before reading the Step-by-Step Guide.
- Click Turn on BitLocker.
- Now I was required to put the startup key on a USB device.
- My USB flash disk was available in the virtual machine.
- I clicked Continue and then Restart now.
- After logon, the error message:
BitLocker could not be enabled. The system firmware failed to enable clearing of system memory on reboot. No encryption applied, any changes made to C: during BitLocker setup will be removed.
How to get BitLocker working in a virtual machine?
- Install Windows Vista SP1 (Enterprise or Ultimate edition) in a virtual machine.
- Make sure you partition and format the volumes the right way: BitLocker needs a small, unencrypted, active system partition for the boot files next to the Windows volume. Press SHIFT+F10 during Vista Setup to open a command prompt, run diskpart, and enter:
select disk 0
create partition primary size=1500
format fs=ntfs quick
assign letter=S
active
create partition primary
format fs=ntfs quick
assign letter=C
Then install Windows on C:. If you did not partition and format the hard disk this way, use the BitLocker Drive Preparation Tool, which creates the system partition afterwards.
- Change the GPO setting. Run gpedit.msc, go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption, open "Control Panel Setup: Enable advanced startup options", set it to Enabled and check "Allow BitLocker without a compatible TPM". Reboot (or run gpupdate /force) so the policy is applied before the next step.
- Make sure a floppy drive has been configured for the virtual machine, create a new bitlocker.flp file for it, and format the disk inside the guest.
- Open an elevated command prompt and run cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:. The -rp option generates a 48-digit recovery password and prints it once; record it somewhere outside the VM before rebooting, because it is the only way back into the volume if the floppy image is lost. The -sk A: option writes the startup key (a .BEK file) to the floppy.
- Reboot and make sure the floppy drive is the last option in the BIOS boot order, so the VM still boots from the hard disk while the key floppy stays inserted.
- Encryption in progress. Keep in mind that BitLocker encrypts the complete partition, so a growable virtual disk gets written in full: in my case a 64 GB SCSI virtual disk expands, and after the process has finished I end up with a 64 GB virtual disk file. The same goes for the physical hard disk, which will only have 6 GB left during the encryption process. Anyway, a good lesson learned for my next virtual machine.
Using these steps I am now able to test all the different features and options available in BitLocker. If you buy new hardware today, the TPM-compliant chip will be on your motherboard, so setting up a virtual lab is good preparation for the real physical setup.
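To put the policy, floppy and manage-bde steps above into one repeatable script for the Vista guest, here is a batch file added as an example; it is not code from the original post. It assumes the startup-key floppy is A: and the OS volume is C:, and it writes the two registry values that the example assumes sit behind the "Control Panel Setup: Enable advanced startup options" policy (gpedit.msc remains the supported way to set that policy). Run it from an elevated command prompt.

```batch
@echo off
rem Added example (not from the original post): automate the non-TPM BitLocker
rem setup for Windows Vista SP1 in a VM. Assumes startup-key floppy = A:, OS = C:.
setlocal

rem 1. Local-policy equivalent of "Control Panel Setup: Enable advanced startup
rem    options" with "Allow BitLocker without a compatible TPM" checked.
rem    ASSUMPTION of this example: these are the registry values behind that
rem    ADMX setting. If in doubt, set it through gpedit.msc instead.
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f

rem 2. Refuse to continue if the floppy is not reachable: the startup key has to
rem    live on media the VM BIOS can read before Windows starts.
if not exist A:\NUL (
    echo Floppy A: is not available, attach and format bitlocker.flp first.
    exit /b 1
)

rem 3. Turn on BitLocker for C: with a recovery password (-rp) and a startup key
rem    written to A: (-sk). The 48-digit recovery password is printed once, so
rem    capture it to a file and move that file OFF the VM before rebooting.
cscript //nologo %SystemRoot%\System32\manage-bde.wsf -on C: -rp -sk A: > %TEMP%\bde-recovery.txt
if errorlevel 1 (
    echo manage-bde failed, see %TEMP%\bde-recovery.txt
    exit /b 1
)
type %TEMP%\bde-recovery.txt

rem 4. Confirm the volume state and that the (hidden) .BEK startup key landed on A:.
cscript //nologo %SystemRoot%\System32\manage-bde.wsf -status C:
dir /a A:\*.BEK

echo Copy %TEMP%\bde-recovery.txt off this VM, then reboot with the floppy inserted.
endlocal
```

The floppy check and the errorlevel test are the two places this differs from typing the command by hand: without them a missing A: or a failed manage-bde call leaves you rebooting into the same "removable storage not available" complaint described earlier, with nothing saved.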