BitLocker in a vm machine without TPM or USB howto tutorial?

11 03 2008

Before I read the Step by Step Guide document and the quote below, I tried getting BitLocker drive encryption running in a virtual machine.

Windows BitLocker Drive Encryption Step-by-Step Guide

For a non-TPM scenario, you use a startup key to authenticate yourself. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.

Using USB removable storage with a VMware virtual machine is just not going to work. The only way to get BitLocker working in a virtual machine is to change the group policy setting to allow BitLocker to work without a TPM chip and to use a floppy disk as storage for the startup key. A floppy disk is available in a virtual machine during the boot process of Vista. I was able to run the BitLocker preparation tool successfully, but after the final check of the C volume encryption the system complained that the removable storage was not available during the boot process of Windows Vista.

Below are the BitLocker Drive Encryption control panel steps which I executed before reading the Step by Step Guide.


Click Turn on BitLocker


Now I was required to put the Startup key on a USB device.


My USB flash disk was available in the virtual machine.


I clicked continue and restart now.


After logon, the error message appeared.


BitLocker could not be enabled. The system firmware failed to enable clearing of system memory on reboot. No encryption applied, any changed made to C: during BitLocker setup will be removed.

How to get BitLocker working in a virtual machine?

  • Install Windows Vista SP1 (Enterprise or Ultimate edition) in a virtual machine.
  • Make sure the volumes are partitioned and formatted in the right way. Use SHIFT+F10 in Vista Setup to perform these steps:

    create partition primary size=1500
    assign letter=S
    create partition primary
    assign letter=c

If you don’t partition and format the hard disk this way, use the BitLocker Drive Preparation Tool.

  • Change the GPO setting. Run Gpedit.msc, go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption, enable the “Control Panel Setup: Enable advanced startup options” setting and check “Allow BitLocker without a compatible TPM”. Reboot.


  • Make sure a floppy drive has been configured for the virtual machine and create a new bitlocker.flp image file for it. Format the disk.


  • Open an elevated cmd prompt and run cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A: (-rp adds a recovery password, -sk saves the startup key to the floppy drive A:).


  • Reboot and make sure the floppy drive is the last option in the BIOS boot order.


  • Encryption in Progress. Keep in mind that BitLocker will encrypt the complete partition, and in my case a SCSI hard disk of 64GB will be expanded. After the process has finished I will end up with a 64GB virtual disk; same deal with a physical hard disk, only 6GB will be left during the encryption process. Anyway, a good lesson learned for my next virtual machine. Using these steps I am now able to test all the different features and options available in BitLocker. If you buy new hardware today then the TPM-compliant chip will be on your motherboard, so setting up a virtual lab is good preparation for the real physical setup.
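To confirm the result of the steps above, the status report from `cscript manage-bde.wsf -status C:` can be checked for the two protectors that `-rp` and `-sk` should have created and for the point at which protection actually turns on. The following Python check is an added example, not part of the original post; the sample report is constructed, its field labels are assumptions modelled on the tool's status layout, and `parse_status` and `review` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the layout of `manage-bde -status C:` output.
# The field labels are assumptions; compare them with your own tool output.
SAMPLE_STATUS = """\
Volume C: []
[OS Volume]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 12%
    Protection Status:    Protection Off
    Key Protectors:
        External Key
        Numerical Password
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")

def parse_status(text):
    """Split the report into 'Label: value' fields and the key protector list."""
    fields, protectors, in_list = {}, [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            label = m.group(1).strip()
            in_list = label == "Key Protectors"
            if not in_list:
                fields[label] = m.group(2).strip()
        elif in_list and line.strip():
            protectors.append(line.strip())
    return fields, protectors

def review(text):
    """Return findings for a volume that was enabled with -rp and -sk."""
    fields, protectors = parse_status(text)
    findings = []
    if fields.get("Conversion Status") != "Fully Encrypted":
        findings.append("not fully encrypted: %s at %s" % (
            fields.get("Conversion Status"), fields.get("Percentage Encrypted")))
    if fields.get("Protection Status") != "Protection On":
        findings.append("protection is not on")
    if "External Key" not in protectors:
        findings.append("no startup key protector (-sk)")
    if "Numerical Password" not in protectors:
        findings.append("no recovery password protector (-rp)")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_STATUS):
        print(finding)
```

An empty list from `review` means the volume is fully encrypted, protection is on, and both the startup key and the recovery password protector are present.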



Windows Vista SP1 is out

1 03 2008

I have been waiting for a while to get the Windows Vista SP1 RTM version of the ISO. Last night I downloaded the 3GB file, and 30 minutes ago the latest version of Windows Vista SP1 was installed into a VM image of VMware Workstation. Lately I am preparing myself for cross-virtualization product lab environments, and from now on I am creating an Acronis True Image tib archive before I start testing with my VMware guest.

As said before I own the MSDN subscriber license keys and downloads and now the latest and greatest version of Vista is running and ready for testing.


This time the installation was from a fresh integrated Vista SP1 ISO and it’s time to reinstall all my physical machines. I tried to get the SP1 update installed, but never succeeded, and the Vista install on my notebook is really showing weird symptoms.

· Improves BitLocker Drive Encryption by offering an additional multi-factor authentication method that combines a key protected by the TPM (Trusted Platform Module) with a Startup Key stored on a USB storage device and a user-generated Personal Identification Number (PIN).

· Enhances the BitLocker encryption support to volumes other than bootable volumes in Windows Vista (for Enterprise and Ultimate SKUs).

· Adds support for SSTP (Secure Sockets Tunnel Protocol), a remote access VPN tunneling protocol that will be part of Microsoft’s RRAS (Routing and Remote Access Service) platform. SSTP helps provide full-network VPN remote access connections over SSL, removing some of the VPN connectivity challenges that other VPN tunnels face traversing NAT, web proxies, and firewalls.

· SP1 reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location.

I am ready to start using BitLocker volume encryption now; as quoted, I see new improvements, and it is time to get rid of the TrueCrypt files and have the encryption built in. New features like SSTP have been added and there are more cool things to check. For a complete list of changes check out this document or http://msdn2.microsoft.com/en-us/windowsvista/bb898842.aspx.



Microsoft Windows Vista SP1 KB936330 install failed

29 11 2007

Update: 2008/03/20 I see more and more people coming to my blog when searching for this KB article. I published the post below when I tried to install SP1 during the test phases, before it was available to the public; unfortunately I was not able to get SP1 installed, most probably because of my installed software. Go directly to this website if you have any problems from now on.

Update: 2008/04/08 Thanks to www.ghacks.net and their post here, you can download this cmd script, which removes a couple of registry entries that Windows Vista SP1 checks. Download the script and run it. Reboot and go back to the Windows Update website.

Go to the http://connect.microsoft.com website and download the service pack. You should participate in the “Windows Beta Programs”!

Download the SP1 version. I downloaded the x86 version and it took me 20 minutes with a 2MB SDSL line. Start Windows6.0-KB936330-X86_wave0_SPInstaller.exe and allow the exe to run if UAC is enabled.

See the screenshots which I took during the installation. Maybe it makes sense to double-check Google for Vista SP1 issues. I read a couple of posts from people who had issues when BitLocker was enabled and Vista was upgraded to SP1; after the uninstall the encrypted files were not accessible anymore.
