Friday, April 22, 2011

Am I really asking too much of Hyper-V VHD boot and BitLocker?

I have a laptop on which I originally had a BitLocker-secured Windows 7 installation. I've replaced the hard disk with something bigger, and gone for Windows 2008 R2 to give me the ability to run 64-bit clients under Hyper-V.

To add in a complication this laptop does not have a TPM, but by using local GP I've enabled BitLocker in the OS and use the USB key to boot.

What I want to do is run the old Win7 install as a VHD, either as a guest of the OS or as a boot from VHD.

Primary Challenge - Run a guest OS
Challenge 1: image the BitLockered disk.
Solution: external USB chassis for the SATA drive and connect to the machine, run WinImage to convert the hard disk to a VHD.

Challenge 2: boot the VHD in a VM (remember it's a BitLockered drive!) when Hyper-V does not support USB devices.
Solution: use WinImage (again!) to create a .fdp file of 1.44MB and copy the BitLocker startup key file to it, DON'T PANIC - it's a floppy image that is itself hosted on a BitLockered drive so is no less secure.

Challenge 3: get the guest to boot.
Partial Solution: attach the .fdp image to the machine and it boots OK past the BitLocker bit, but the OS boot crashes out with bad hardware. I tried another boot and it blue screened on me. Fortunately I could attach a Win7 ISO and boot into the repair phase (still able to unlock the BitLockered drive with the .fdp floppy), but the repair option does not fix anything.

Interesting Challenge: Hyper-V has a hot-key combo of Ctrl-Alt-<left arrow> to release the mouse from a DOS window. When this is also the screen-rotate combination for a touch laptop... C-A-D is your friend, releasing control back to the host OS.

So, that challenge was paused for a bit.

Secondary Challenge - boot from VHD instead
Challenge 1: image the BitLockered disk.
Solution: already done!

Challenge 2: create the BCD entry
Solution: follow the many helps out there - this is the one I followed http://technet.microsoft.com/en-us/library/dd799299(v=ws.10).aspx

Challenge 3: get it to boot
Solution: that didn't work either. The BCD entry is corrupt - I guess this might be the BitLocker setup that is confusing the boot sequence.
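For reference, the BCD entry the TechNet guide above walks you through can be scripted from an elevated prompt on the Server 2008 R2 host. This is an added example, not the post author's script or Microsoft's own: it assumes the imaged VHD has been copied to C:\VHD\Win7.vhd (a placeholder path) on the host's NTFS volume, and that the host volume is not BitLocker-encrypted, since native VHD boot does not support BitLocker either on the host volume holding the VHD or on the volume inside the VHD (which is consistent with the corrupt-entry symptom described above).

```powershell
# Added example (not from the original post): create a native-boot BCD entry for a VHD.
# Run from an elevated PowerShell prompt on the Windows Server 2008 R2 host.
# Assumption: the VHD lives at C:\VHD\Win7.vhd (placeholder path) on an unencrypted NTFS volume.
$vhdPath = 'C:\VHD\Win7.vhd'
if (-not (Test-Path -LiteralPath $vhdPath)) {
    throw "VHD not found at $vhdPath"
}

# bcdedit's device syntax is vhd=[<drive>]<path-without-drive-letter>, e.g. vhd=[C:]\VHD\Win7.vhd
$drive = Split-Path -Qualifier $vhdPath          # 'C:'
$rel   = $vhdPath.Substring($drive.Length)       # '\VHD\Win7.vhd'
$vhdRef = "vhd=[$drive]$rel"

# Clone the current (host) entry so the new one inherits sane defaults, then capture its GUID.
$copyOutput = bcdedit /copy '{current}' /d 'Windows 7 (native VHD boot)'
$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]+\}').Value
if (-not $guid) { throw "Could not parse new entry GUID from: $copyOutput" }

# Point both the boot device and the OS device at the VHD.
bcdedit /set $guid device   $vhdRef
bcdedit /set $guid osdevice $vhdRef
# Let the guest re-detect the HAL on first boot, as the TechNet steps recommend for native VHD boot.
bcdedit /set $guid detecthal on

# Show the resulting entry so it can be checked before rebooting.
bcdedit /enum $guid
```

To undo the change if the entry turns out to be unbootable, `bcdedit /delete <guid>` removes it again; keeping the host's own entry as the default means a bad VHD entry only costs a reboot, not the machine.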


So, if you've reached this far... Is it possible to have a BitLockered machine that can either:
A) boot a guest OS that is also BitLockered ?
B) alternatively boot to VHD with a BitLockered VHD?
And all on one partition 'cos I cannot be bothered to guess partition sizes for now!

FWIW I think A) is unnecessary (I can remove BitLocker on the original build and create a VHD) but B) is desirable, as otherwise this OS install is exposed to data loss if the laptop is lost or stolen.

Ideally I'd like option B because then the VHD build has the full hardware environment, especially USB drives and so on.
