TP4 Nano - Getting BitLocker key required on boot

Question
I'm working on a Surface Pro 3 with Windows 10 1511.
I've built Hyper-V VHDX disks using the steps here:
https://technet.microsoft.com/en-us/library/mt126167.aspx
I create a new Gen 2 VM using the newly created VHDX.
On booting the new VM, I'm asked, "Plug in the USB drive that has the BitLocker key" (I have none plugged in during this.)
I've been able to have the BitLocker management GUI open during the creation of the Nano VHDX and watch the VHDX get mounted. It does show as BitLockered and I'm able to quickly save the key file.
I can then boot the Nano VM, choosing Recovery, and enter the BitLocker recovery key, then getting a successful boot.
My Surface Pro 3 is using BitLocker with status below:
BitLocker Drive Encryption:
Volume C: []
[OS Volume]
Size: 237.92 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
Numerical Password
TPM
Exact command I'm running to create the Nano VHDX:
New-NanoServerImage -MediaPath $MediaPath `
-BasePath $BasePath `
-TargetPath "$VMPath\$ComputerName.vhdx" `
-ComputerName $ComputerName `
-GuestDrivers `
-Defender `
-Packages 'Microsoft-NanoServer-IIS-Package','Microsoft-NanoServer-DSC-Package' `
-MaxSize 40GB `
-EnableRemoteManagementPort `
-AdministratorPassword $AdminPassword `
-MergePath 'C:\Work\Nano\Tools'
-Joe
Tuesday, December 29, 2015 6:20 AM
Answers
Thanks, Tim.
Yes, I'm creating the Nano server VHDX on a system that is Bitlockered. And my VHDX ends up being Bitlockered "internally".
It seems the Surface Pro 3 (don't believe I've changed Bitlocker settings, and GPEDIT.msc shows all settings as Not Configured) is set to automatically BitLocker fixed data disks.
So I've found a workaround.
After creating the VHDX, I can right-click and mount the VHDX. Then in Control Panel, Bitlocker Management, I can turn off BitLocker on the mounted drive. On the next boot of the VM using this VHDX, I'm not asked for a BitLocker key, and it boots straight to the authentication screen.
I think I'll call this something to be expected on systems forced to use BitLocker, like a Surface Pro 3 (and other Connected Standby devices).
-Joe
- Marked as answer by JoeGasper Saturday, January 2, 2016 3:25 AM
Thursday, December 31, 2015 3:46 AM
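The workaround described in the answer above, as a scripted sequence. This is an added example and not part of the original post; `$VhdxPath` is a placeholder parameter, and the script assumes an elevated session on a host with the Hyper-V and BitLocker PowerShell modules available.

```powershell
#Requires -RunAsAdministrator
# Added example: mount the new VHDX, turn off BitLocker on its volumes, dismount.
# $VhdxPath is a placeholder; point it at the image New-NanoServerImage produced.
param(
    [Parameter(Mandatory)] [string] $VhdxPath
)

$ErrorActionPreference = 'Stop'

# Mount the image and keep the disk object so only its partitions are touched.
$disk = Mount-VHD -Path $VhdxPath -Passthru | Get-Disk
try {
    # Only partitions that received a drive letter can be queried by mount point.
    $mountPoints = $disk | Get-Partition | Where-Object DriveLetter |
        ForEach-Object { "$($_.DriveLetter):" }

    foreach ($mp in $mountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Host "$mp is not encrypted, nothing to do."
            continue
        }
        if ($vol.LockStatus -eq 'Locked') {
            throw "$mp is locked; unlock it with the saved recovery key first."
        }

        $protectors = $vol.KeyProtector.KeyProtectorType -join ', '
        Write-Host "$mp status: $($vol.VolumeStatus); key protectors: $protectors"
        Disable-BitLocker -MountPoint $mp | Out-Null

        # Disable-BitLocker only starts decryption. Wait until it has finished,
        # otherwise the image is dismounted while still partly encrypted.
        do {
            Start-Sleep -Seconds 5
            $vol = Get-BitLockerVolume -MountPoint $mp
            Write-Host "  $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    }
}
finally {
    # Always release the image so the VM can open it.
    Dismount-VHD -Path $VhdxPath
}
```

After this runs, the guest volume is protected only by the encryption of the host drive it is stored on; a copy of the VHDX placed on unencrypted storage is readable as-is.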
All replies
Hi,
According to your description, my understanding is that it prompts "Plug in the USB drive that has the BitLocker key" when booting the VM (Hyper-V) on a Surface Pro 3 (Windows 10 1511).
Try to enable BitLocker without TPM:
Run gpedit.msc, click Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives – Enable require additional authentication at startup – configure it as “Allow BitLocker without a compatible TPM”.
The above is a suggestion for you. Your question is mainly about Hyper-V; if the problem persists, I would recommend that you post on the Hyper-V forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=winserverhyperv&filter=alltypes&sort=lastpostdesc) for official support. Besides, as the Surface product has its own hardware configuration and professional Surface support (https://www.microsoft.com/surface/en-us/support), you may also contact them to further confirm this problem.
Best Regards,
Eve Wang
Wednesday, December 30, 2015 7:30 AM
Thanks, Eve.
I feel my issue is really related to the process of creating the Nano VHDX. I'm building the VM on a Bitlockered system with a supported TPM chip (it's a Surface Pro 3). During the VHDX creation, it's getting encrypted. I'm looking to prevent that from happening.
Thanks again.
-Joe
Wednesday, December 30, 2015 12:44 PM
"During the VHDX creation, it's getting encrypted. I'm looking to prevent that from happening."
Maybe I am misunderstanding your configuration. But it sounds like you are creating a VM on a system with a BitLocker protected drive and you want the files associated with a VM to be unencrypted. So you are looking for some way to prevent encryption of just the VM files when the system is set up to encrypt everything that is written to the drive. Is that what you are asking for?
. : | : . : | : . tim
Wednesday, December 30, 2015 3:46 PM