Scott Hanselman

Windows 7 with BitLocker and Still Booting To VHD

October 31, '09 Comments [11] Posted in
Sponsored By

Lenovo Second Spindle Drive BayAs a remote worker at Microsoft I have to deal with a few little things that the average worker in Redmond doesn't.

For example, none of my machines are wired to "CorpNet." They're all remote so for the last two years I've had to RAS (Remote Access Service) into the corporate network. For a while you could use your password, but then you needed to use your Smart Card (or your immortal soul, as I call it) and a complex pin. So you've got multi-factor authentication, you need your actual network password (and of could your domain\username), your physical smart card and your smart card's pin. That's a lot. Someone evil could have two of those three things and you'd still be OK.

Since two of my three machines are laptops, there's always risk that I could lose it or have it stolen. If I kept secret stuff on my laptop (I don't) that could be a problem. Laptops run Windows 7 now and are required to be BitLocker'ed (FAQ). This means the whole hard drive is encrypted, there's an (optional) PIN to even turn it on, and it can take advantage of newer machines that have a TPM (Trusted Platform Module). Basically a TPM is a hardware cryptoprocessor that can store keys for securing information. BitLocker uses this chip to project the keys and makes sure the BIOs and boot sector haven't been tampered with. Fortunately it's all automatic so I don't have to think about it.

This is what I see when I'm booted off my Bitlocker'ed C: drive. That D: drive is my other spindle.

My drive Bitlockered

I recently Bitlocker'ed both my laptops, but I Boot to VHD for many demos and it's not possible to boot off a VHD that lives on a Bitlocker'ed volume. That's the one bad thing about Bitlocker from my point of view. I'm sure it's a chicken and the egg problem. How do you boot off a file on an encrypted volume without booting off the encrypted volume?

Turns out though that you can still Boot to VHD in a few other ways. You can partition your drive with a Bitlocker'ed C: and an unencrypted D:, or you can get a second spindle. That means, you can get another hard drive and put it in the slot when your DVD/CD usually goes. That's what I decided to do.

I bitlockered my 256 gig OCZ Vertex SSD, and I have a D: drive that is my 160 gig random no-name SATA drive. On that drive I only put demo VHDs.

I had to go into the BIOS of my Lenovo W500 and add the drive to the "boot order" in order to make it spin up on boot and be available to Windows. Then, since I can't really be sure of it's drive letter that early, I changed the syntax of my BCDEdit settings a bit. Figured I'd let Windows figure it out, so instead of [D:] I used [LOCATE]. Like this:

C:\>bcdedit /copy {current} /d "My New VHD Option"
C:\>bcdedit /set {guid} device vhd=[LOCATE]\<directory>\<vhd filename>
C:\>bcdedit /set {guid} osdevice vhd=[LOCATE]\<directory>\<vhd filename>
C:\>bcdedit /set {guid} detecthal on

Now, when I'm booted into my VHD, I see this:

 Booted to VHD with a Bitlocker'ed original C:

What are we seeing?

  • My D: drive is my original boot SSD. It's marked with a lock icon. I can't access it right now.
  • My C: drive is the whatever.vhd that I booted off of. I made it 40gigs, so it is. (The actual file is 15gigs, but it "blows up" while I'm running on it. It'll shrink back down when I'm not booted off it.
  • My E: drive is some system partition I don't know about.
  • My F: is the Second Spindle that all my VHDs live on.

But, how can I get access to my secure C: drive when I'm booted into this insecure world? Of course, we don't want the bad guys to get in there, which makes sense.

If I double click, I see this:

Getting access to a BitLockered Drive

These options are all settable with Group Policy I think, but my choices are to add a really complex Password to get access to this drive or use my Smart Card. I can also use the recovery key that I saved in a secure location when I originally locked the drive.

I unlock it, and I see this:

Booted to VHD with an unlocked bitlocker drive

Now, just for the duration of this single boot, this disk is available to me. Very cool.

I was a little afraid when I Bitlocker'ed my machine just before a trip, but I'm feeling pretty good about it so far. I haven't noticed any perceptible slowdown but the FAQ says "single digit." I've heard numbers like 3%, but I haven't noticed it in the sense that my machine isn't suddenly "sluggish."

I'm VERY suspicious when corporate IT wants to reach out from Redmond and do something to my computer but this turned out great.

Here's the email I sent internally to my team today about Bitlocker:


As you know, MSIT is starting to put BitLocker on mobile machines. I recommend you upgrade any Vista machine to Windows 7 before running Bitlocker. As always, backup your data first.

I figured I should be the guinea pig for you guys, so I Bitlockered BOTH my Lenovo T60p and Lenovo W500 yesterday. These are my two corporate machines.

1a. On my W500 I was automatically prompted to reboot and enable the TPM (trusted platform module) in my BIOs. This enable step was automatic and only required me to press F10 once.

1b. On my T60p, I was told to enter the BIOs manually and enable it. There is no “TPM” section in the T60p. Instead, you go into Security, the Security Chip and turn on all the options under Security Reporting. Save your BIOS settings and reboot.

2. When prompted for a “PIN” I declined. This >=5 digit number would be a system-level password for when you start-up your machine. It's recommended, but ultimately up to you.

3. The process ran OVERNIGHT. It took at least 5 hours on each machine from what I can tell.

4. Next, go to the Start Menu and type “manage bitlocker.” You’ll want to save and print your recovery key. The Importance of this step cannot be overstated. Save this key and treat it like it is your immortal soul.

c. If Bitlocker smells any funny business you’ll get prompted for these keys. Murphy’s Law says this will happen 10 minutes before a major conference speech. No excuses for not having these. Without them, your computer is a brick. (That's kind of the wonderful point of BitLocker. ;) )

That scary part said, it works exactly as it should. It was easy and painless.

So far, we are not forced to lockup second drives/spindles. This means that you can STILL boot to VHD off of a second drive if that drive is NOT connected via USB (SATA, IDE, etc are still Ok). I’ve moved my BootToVHDs off into D:\ for this purpose. Regular VMs run just fine on the BitLocker'ed drive.

All in all, it works exactly as it should. I have no idea it’s there and my machine seems just as fast.

Let me know it you have any questions.


All in all, an interesting experience. I'm glad it went so well. You can even BitLocker USB drives as well with BitLocker To Go.

Related Links

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Saturday, October 31, 2009 9:04:03 AM UTC
I recently ran into the same problem when my company rolled out Windows 7 with BitLocker'ed drives. Unfortunately all my drives are BitLocker'ed. Ignoring warnings that VHDs do not boot from BitLocker'ed drives, my early attempts at adding a VHD to the BCD resulted in triggering BitLocker and having to go into the office to get the key.. I ended up reverting to Virtual PC, but really miss my native hardware and not having the overhead of a second Windows 7 installation in memory. I will certainly try to get a second spindle for my laptop, as I tend to test and demo a lot of software I do not want on my primary installation.

BTW: How did you manage to alter your BCD without having to remove and reapply BitLocker? I was under the impression that all changes to the BCD resulted in triggering BitLocker.

On a completely unrelated note: altering your system language (f.e. from English to Dutch in my case) will result in triggering BitLocker as it changes your BCD.
Saturday, October 31, 2009 10:01:48 AM UTC
First, any time you make a big system change like that you only need to "suspend" bitlocker, make the change, then resume. I just updated my BIOS this way.

Pausing Bitlocker takes seconds, and is different from removing it and reapplying it. Plus, you just need to keep your recovery key with you if it does trigger. A good rule of thumb is to pause BitLocker on any major operation or install. That's overkill, but safest.
Saturday, October 31, 2009 3:06:01 PM UTC
"Plus, you just need to keep your recovery key with you if it does trigger"

Kind of defeats the purpose, does it not? I will use hardware based self encrypting disks (SED) as defined by the Trusted Computing Group (TCG) anytime over BitLocker. No hassle setting it up. It just works out of the box.
Monday, November 02, 2009 10:22:53 AM UTC
I'm a bit confused about this. It seems particularly insecure that your BitLocker volume can be unlocked with either the recovery key or your smart card. I thought the whole idea was for multiple levels of security, i.e. smart card + PIN + password? If someone steals your machine and swipes your smart card, you're scuppered.
Dave R.
Monday, November 02, 2009 5:01:22 PM UTC
How does Microsoft corporate IT feel about those carefully bitlockered laptops being backed up to WHS?

As I understand it, WHS saves the data unencrypted.

http://blogs.msdn.com/microsoftbob/archive/2009/01/04/windows-home-server-and-backups-for-the-paranoid.aspx

Obviously someone is more likely to steal your laptop in an airport rather than steal a WHS from your house but still...I'm curious what their dogfooding opinion is regarding this...
Monday, November 02, 2009 6:42:28 PM UTC
As noted in the comments, the right approach to protecting stored data from loss or theft is to use Self-Encrypting Drives as defined by the Trusted Computing Group. All the hard drive manufacturers are producing them, available now for both laptop and the data center. Encryption is in hardware directly in the drive electronics. User pre-boot authentication credentials are checked BY THE DRIVE before the OS is loaded - transparency, simplicity, and performance optimized. Drive-based encryption avoids all the issues associated with software-based encryption originating on the platform (eg, BitLocker). Encrypt stored data wherer it lives... in storage.
Michael Willett
Monday, November 02, 2009 9:29:07 PM UTC
Timothy Lee Russell - -Corporate Policy is that it's not OK to backup to non-secured locations, including WHS. We backup to shares internally, instead.

Dave - No, there's multiple levels. They could have my drive and smart card, but would need my SmartCard pin/password. Also, there can be a bootup pin also.

Michael - Agreed, if you can replace the hard drive with a Encrypting drive. However, there's a lot of drives out there (like the ones that 80,000+ MS employees use) as well as my new $600 OCZ Vertex SSD. This is a good solution for those existing drives.
Thursday, December 03, 2009 9:15:02 PM UTC
My Microsoft ADC refered me to this blog post wen i was asking him about a BSOD problem when booting from VHD on my Windows 7 laptop.

My company uses PGP Desktop whole disk encryption and i think this is causing a problem similar to that described here. My problem is that although the drive is actually unlocked by the PGP boot process, at some point during the bootup of the VHD it bluescreens. I think i would possibly be ok if i could just find a way to insert the relevant PGP drivers into the VHD image and make the necessary changes in the registry of the VHD image so the drivers were loaded. I think this is my chicken and egg issue :-)
Ian Cummings
Monday, February 01, 2010 7:25:24 PM UTC
Scott, great information as always thank you. The details will certainly come in handy in the future with the configuration detailed above.

"If Bitlocker smells any funny business you’ll get prompted for these keys. Murphy’s Law says this will happen 10 minutes before a major conference speech. No excuses for not having these. Without them, your computer is a brick."

Right on. To add to this it seems quite obvious, but I always tell those individuals setting up BitLocker to not leave the USB with the keys plugged in to the machine or lying around, as it is like leaving the keys to the car on the hood. But on the flipside, they can't be too far away; an alternative.... memorize the keys from the print out. Yeah right!

Also, if anyone comes across this and needs just the details on making your drive 'Bitlocker'ed' (as Scott called it :) ), check out the following detailed post:

How To: Set Up BitLocker Full Disk Encryption + Pre-Boot Pin in Windows 7 Ultimate:
http://allen-conway-dotnet.blogspot.com/2010/01/how-to-set-up-bitlocker-full-disk.html

This details the actual setup of BitLocker which may also be helpful to those with a single system partition, or just initial setup. There seem to be lots of walkthroughs on TechNet, but I had to piece several together to get the 1 needed recipe. Thanks again for the info!
Monday, March 01, 2010 6:02:26 AM UTC
Hi Scott and folks,

I know this question is probably not relevant to the blog post, but given that there are some good exchange of bitlocker related information, I thought I could seek some expert advise here as I had tried google for answer but to no avail.

I had recently try to bitlock my primary partition that's currently running Windows 7 64bit Ultimate edition. I have a primary disk, partition into 3, C: & D:, (both NTFS) with the third partition being EXT4 format running Ubuntu OS. I uses Windows 7 boot manager, to boot to Windows 7 and Ubuntu. I wanted to bitlock the partition C:, so I turn it on, and the setup wizard was basically smooth and the system went into the encryption phase. At about 25% of the encryption process, I got a pop up dialog that says "The disk has one or more errors, run chkdsk /r and if the error still persists, it might indicate hardware failure".

I did a chkdsk /r twice (each time it'll be reboot into console and check), but after that, when the encryption process restarts, it'll pop up with the same error again.

I am not sure if it has to do with the dual boot but I don't think so since it's still running Windows bootmanager. Can you think of the possible cause of the problem, other than suggesting that the hardware is faulty (which is unlikely as I have done some disk check, and there's no indication of problem) and the net doesn't have any good advises on this.

Appreciate your help here!
Tuesday, May 04, 2010 4:11:32 PM UTC
Please can you tell me how to remove the lock from the hard disk drive ? it looks similar to the 2nd pic of yours.

Please provide me proper steps.

Thanks a lot in advance ! :D
don2222
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.