TP4 Nano - Getting BitLocker key required on boot

  • Question

  • I'm working on a Surface Pro 3 with Windows 10 1511.

    I've built Hyper-V VHDX disks using the steps here:
    https://technet.microsoft.com/en-us/library/mt126167.aspx

    I create a new Gen 2 VM using the newly created VHDX.

    On booting the new VM, I'm asked, "Plug in the USB drive that has the BitLocker key" (I have none plugged in during this.)

    I've been able to have the BitLocker management GUI open during the creation of the Nano VHDX and watch the VHDX get mounted. It does show as BitLockered and I'm able to quickly save the key file.

    I can then boot the Nano VM, choosing Recovery, and enter the BitLocker recovery key, then getting a successful boot.

    My Surface Pro 3 is using BitLocker with status below:

    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]

        Size:                 237.92 GB
        BitLocker Version:    2.0
        Conversion Status:    Used Space Only Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            Numerical Password
            TPM


    Exact command I'm running to create the Nano VHDX:

    New-NanoServerImage -MediaPath $MediaPath `
    -BasePath $BasePath `
    -TargetPath "$VMPath\$ComputerName.vhdx" `
    -ComputerName $ComputerName `
    -GuestDrivers `
    -Defender `
    -Packages 'Microsoft-NanoServer-IIS-Package','Microsoft-NanoServer-DSC-Package' `
    -MaxSize 40GB `
    -EnableRemoteManagementPort `
    -AdministratorPassword $AdminPassword `
    -MergePath 'C:\Work\Nano\Tools'


    -Joe

    Tuesday, December 29, 2015 6:20 AM

Answers

  • Thanks, Tim.

    Yes, I'm creating the Nano server VHDX on a system that is BitLockered. And my VHDX ends up being BitLockered "internally".

    It seems the Surface Pro 3 (don't believe I've changed BitLocker settings, and GPEDIT.msc shows all settings as Not Configured) is set to automatically BitLocker fixed data disks.

    So I've found a workaround.

    After creating the VHDX, I can right-click and mount the VHDX. Then in Control Panel, BitLocker Management, I can turn off BitLocker on the mounted drive. On the next boot of the VM using this VHDX, I'm not asked for a BitLocker key, and it boots straight to the authentication screen.

    I think I'll call this something to be expected on systems forced to use BitLocker, like a Surface Pro 3 (and other Connected Standby devices).


    -Joe

    • Marked as answer by JoeGasper Saturday, January 2, 2016 3:25 AM
    Thursday, December 31, 2015 3:46 AM
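
The workaround from the accepted answer, scripted as an added example (not code from the thread): it mounts the image, reports the BitLocker state of each lettered volume inside it, turns BitLocker off, and waits for decryption to finish before detaching. It assumes an elevated session on the host with the Hyper-V and BitLocker PowerShell modules available and the VM powered off; `$VhdxPath` is a placeholder for the image that `New-NanoServerImage` produced.

```powershell
# Added example, not from the thread. Run elevated on the Hyper-V host
# while the VM that uses the VHDX is powered off.
param(
    # Placeholder: path to the VHDX created by New-NanoServerImage.
    [Parameter(Mandatory)] [string] $VhdxPath
)

$disk = Mount-VHD -Path $VhdxPath -Passthru | Get-Disk
try {
    # Only partitions that received a drive letter can be queried by mount point
    # (the EFI and MSR partitions of a Gen 2 image normally get none).
    $mountPoints = $disk | Get-Partition | Where-Object DriveLetter |
                   ForEach-Object { "$($_.DriveLetter):" }

    foreach ($mp in $mountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        "{0} status={1} protection={2} protectors={3}" -f $mp,
            $vol.VolumeStatus, $vol.ProtectionStatus,
            ($vol.KeyProtector.KeyProtectorType -join ',')

        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        if ($vol.LockStatus -eq 'Locked') {
            Write-Warning "$mp is locked; unlock it with its recovery key first."
            continue
        }

        Disable-BitLocker -MountPoint $mp | Out-Null

        # Decryption runs in the background. Wait until it completes so the
        # image is fully decrypted before it is detached and booted.
        do {
            Start-Sleep -Seconds 5
            $vol = Get-BitLockerVolume -MountPoint $mp
        } until ($vol.VolumeStatus -eq 'FullyDecrypted')
        "{0} is now {1}" -f $mp, $vol.VolumeStatus
    }
}
finally {
    # Always detach, even if a step above failed.
    Dismount-VHD -Path $VhdxPath
}
```

The VHDX file itself still sits on the host's BitLocker-protected C: volume, so only the encryption inside the image is removed.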

All replies

  • Hi,

    According to your description, my understanding is that it prompts "Plug in the USB drive that has the BitLocker key" when booting the VM (Hyper-V) on a Surface Pro 3 (Windows 10 1511).

    Try to enable BitLocker without TPM:
    Run gpedit.msc, click Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives – enable “Require additional authentication at startup” – configure it as “Allow BitLocker without a compatible TPM”.

    The above is a suggestion for you. Your question is mainly about Hyper-V; if the problem persists, I would recommend that you post on the Hyper-V forum (https://social.technet.microsoft.com/Forums/en-us/home?forum=winserverhyperv&filter=alltypes&sort=lastpostdesc) for official support. Besides, as the Surface product has its own hardware configuration and professional Surface support (https://www.microsoft.com/surface/en-us/support), you may also contact them to further confirm this problem.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, December 30, 2015 7:30 AM
  • Thanks, Eve.

    I feel my issue is really related to the process of creating the Nano VHDX. I'm building the VM on a BitLockered system with a supported TPM chip (it's a Surface Pro 3). During the VHDX creation, it's getting encrypted. I'm looking to prevent that from happening.

    Thanks again.


    -Joe

    Wednesday, December 30, 2015 12:44 PM
  • "During the VHDX creation, it's getting encrypted. I'm looking to prevent that from happening."

    Maybe I am misunderstanding your configuration.  But it sounds like you are creating a VM on a system with a BitLocker protected drive and you want the files associated with a VM to be unencrypted.  So you are looking for some way to prevent encryption of just the VM files when the system is set up to encrypt everything that is written to the drive.  Is that what you are asking for?


    . : | : . : | : . tim

    Wednesday, December 30, 2015 3:46 PM