
Running BitLocker on a virtual computer

Just for testing it can be nice to run BitLocker on a virtual Windows machine. But as everybody knows (or should know), you need a TPM or a USB stick holding a startup key to be able to enable BitLocker on the operating system drive.

Or do we?

BitLocker actually accepts any kind of removable disk for the startup key, not only a USB stick, and a virtual floppy will do the trick. So we just need to create a virtual floppy in our virtualization software. I use Hyper-V as the example here, but it works just as well in VMware; thanks to Christian Mohn, the vNinja, for testing it out.

The first thing we have to do is to create a group policy that allows us to use BitLocker without a compatible TPM. On Windows 7 and later the setting is under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > "Require additional authentication at startup"; enable it and tick "Allow BitLocker without a compatible TPM". See the picture to find the setting.



The next step is to create the virtual floppy in "Hyper-V Manager". It is a simple wizard, and you can of course just copy the empty disk image to every virtual machine you want to use BitLocker on (one image per machine, since the startup key written to it belongs to that machine's volume). The floppy must be formatted before BitLocker can write the key to it.


Mount the floppy on the virtual machine you wish to encrypt with BitLocker and start it up.
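The same host-side steps (create the floppy image, attach it, start the VM) can be scripted with the Hyper-V PowerShell module instead of clicking through Hyper-V Manager. This is an added example, not code from the original post; the VM name and the paths are hypothetical placeholders, and the Generation check only applies on Hyper-V versions that have VM generations (Windows Server 2012 R2 / Windows 8.1 and later).

```powershell
# Added example (not from the original post): create a virtual floppy on the
# Hyper-V host and attach it to a VM. Assumes the Hyper-V PowerShell module.
# $vmName and the paths below are hypothetical.
$vmName  = 'BitLockerTest'
$vfdDir  = 'D:\Hyper-V\StartupKeys'       # keep this OFF the volume that holds the VM's VHD(X)
$vfdPath = Join-Path $vfdDir "$vmName-startupkey.vfd"

# Only Generation 1 VMs have a floppy controller. Older Hyper-V has no
# Generation property at all; every VM there is effectively Generation 1.
$vm = Get-VM -Name $vmName
if ($vm.PSObject.Properties['Generation'] -and $vm.Generation -ne 1) {
    throw "$vmName is a Generation $($vm.Generation) VM and has no floppy drive"
}

New-Item -ItemType Directory -Path $vfdDir -Force | Out-Null
if (-not (Test-Path $vfdPath)) {
    # Creates a blank 1.44 MB image; it still has to be formatted inside the guest.
    New-VFD -Path $vfdPath | Out-Null
}

# One image per VM: the startup key BitLocker writes to it is specific to that VM's volume.
Set-VMFloppyDiskDrive -VMName $vmName -Path $vfdPath
Start-VM -Name $vmName
Get-VMFloppyDiskDrive -VMName $vmName | Select-Object VMName, Path
```

Once BitLocker is enabled, the .vfd file contains the clear-text startup key (the "External Key"), so anyone who can copy both the .vfd and the VHD(X) can unlock the disk. Store the floppy image apart from the VM's virtual disk, or treat the whole arrangement as what it is: a test setup, not a production configuration.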


We are now ready to enable BitLocker, and we have to do it from the command line, because the built-in Control Panel wizard only offers the TPM and USB stick options.
The command, which must be run from an elevated (administrator) command prompt, is (on Windows 7 and later the tool is manage-bde.exe; `manage-bde` without an extension resolves to whichever version is installed):
   
    manage-bde.wsf -on C: -rp -sk A:


Here you will see both the External Key and the Numerical Password. The numerical password ID is the number (Key ID) the computer will ask for when it needs to recover, and the password is the 48-digit key you have to type in. You can later go into BitLocker Drive Encryption in Control Panel and print it out or save it to a new location. You can even set up a group policy to save the recovery keys in Active Directory, or use Microsoft BitLocker Administration and Monitoring (MBAM) for central collection.

After a reboot (BitLocker first runs its system check against the floppy) the computer starts encrypting the disk. This method works on both client and server with all editions that include BitLocker, yes, even the Windows 8 Developer Preview, which is why you see the blue ribbon around the command prompt window above ;-)
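The guest-side steps (the no-TPM policy, formatting the floppy, turning BitLocker on, saving the recovery password somewhere other than the disk being encrypted) as one elevated PowerShell script. This is an added example and not code from the original post; the registry values are the local equivalent of the group policy setting above, the share path is a hypothetical placeholder, and the `-StartupKey` / `-RecoveryPassword` switches are the long forms of the `-sk` / `-rp` switches in the command above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# inside the guest after the virtual floppy has been attached. Assumes the OS
# drive is C: and the floppy is A:; the UNC share below is hypothetical.

# 1. Local equivalent of "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
# 2 = "Allow" for each TPM-based option, matching the policy dialog's defaults.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

# 2. Format the (blank) floppy as FAT. The piped echo answers format's
#    "press ENTER when ready" prompt for removable media.
cmd.exe /c 'echo.| format A: /FS:FAT /Q /V:BDEKEY'
if (-not (Test-Path 'A:\')) { throw 'A: is not a usable floppy; check the VM floppy drive' }

# 3. Turn BitLocker on: startup key written to A:, plus a numerical recovery password.
manage-bde -on C: -StartupKey A: -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. Capture the recovery password and its ID and store them OFF this disk.
$rp   = manage-bde -protectors -get C: -Type RecoveryPassword
$rpId = ($rp | Select-String '\{[0-9A-Fa-f-]{36}\}' | Select-Object -First 1).Matches[0].Value
Write-Host "Recovery password ID for C: is $rpId"
$rp | Out-File "\\fileserver\bitlockerkeys\$env:COMPUTERNAME-C.txt"   # hypothetical share
# Domain-joined alternative, if the AD schema and permissions are in place:
# manage-bde -protectors -adbackup C: -id $rpId

# 5. Show the protectors, then reboot; encryption starts after the system check.
manage-bde -protectors -get C:
manage-bde -status C:
Restart-Computer -Force
```

After the reboot, `manage-bde -status C:` shows "Conversion Status" and "Percentage Encrypted" climbing. The script deliberately does not write the recovery password to A:, because a floppy that holds both the startup key and the recovery password is a single object that unlocks the disk on its own.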

The proof: a Hyper-V virtual machine with BitLocker enabled




