Locking down a Virtual Machine with BitLocker

BitLocker is Microsoft’s volume encryption solution, built into several versions of Windows since Windows Vista. (There is an excellent open source alternative in TrueCrypt, but it just has that 3rd-party feel to it. That, and this particular task is easier with TrueCrypt, so you wouldn’t need my help.)

Normally, BitLocker uses the TPM (Trusted Platform Module – see Wikipedia) to make your physical hardware a factor in the encryption key, and leverages the key-toting abilities of the TPM at boot time. So long as your hard drive remains inside your machine it can boot. Take it out, and it’s just a mess of encrypted junk (although your backup key can still unlock it).

I’m guessing that if you landed here, you are keenly aware of BitLocker and its uses. You may have already tried to use BitLocker on a virtual machine and failed. This article is for you – read on!


Registry Setting to Prevent Windows from Expanding a Natively Booted VHD

Windows 7, 8 (and Server 2008 R2) allow you to boot them natively from a VHD. The steps to set this up are readily available on your favorite search engine. Where your search engine might fail you is if that VHD happens to be dynamically expanding, and you do NOT want it expanded to full size.


Here is the registry setting you are looking for – this will prevent Windows from expanding the VHD:

You can load the registry hive (the SYSTEM hive from the VHD, which is where the ControlSet keys live) in another instance of Windows, or even from the Windows install CD.


HKEY_LOCAL_MACHINE\ControlSet001\services\FsDepends\Parameters\VirtualDiskExpandOnMount

You might as well change it in all the ControlSets (ControlSet001, ControlSet002, and so on), since whichever one becomes CurrentControlSet at boot is the one that counts.


Change the value from 1 (expand on mount) to 4 (do not expand).
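The offline procedure above, written out as a script. This is an added example, not code from the original post: it loads the VHD’s SYSTEM hive under a temporary name, sets VirtualDiskExpandOnMount to 4 in every ControlSet00N it finds (so it does not matter which one becomes CurrentControlSet), reads each value back, and unloads the hive. The volume letter V: for the attached VHD and the mount name OfflineSystem are assumptions; adjust them to your setup. Because the hive is loaded directly under HKLM, the path inside it matches the post’s (there is no SYSTEM\ prefix the way there is on a running system).

```powershell
# Added example (not from the original post): set VirtualDiskExpandOnMount = 4 in
# every ControlSet of an OFFLINE SYSTEM hive, so a dynamically expanding VHD is not
# grown to full size when Windows mounts it at native boot.
# Assumptions: the VHD is attached and its Windows volume is V: (placeholder);
# run from an elevated PowerShell on the host or rescue system.
param(
    [string]$SystemHive = 'V:\Windows\System32\config\SYSTEM',  # placeholder path to the VHD's SYSTEM hive
    [string]$MountName  = 'OfflineSystem'                       # temporary name for the loaded hive under HKLM
)

# reg.exe is the built-in tool for loading an offline hive
& reg.exe load "HKLM\$MountName" $SystemHive | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load hive $SystemHive (is the VHD attached and the volume letter right?)"
}

try {
    # Every ControlSet00N key gets the change, as the post suggests
    $controlSets = Get-ChildItem "HKLM:\$MountName" |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($cs in $controlSets) {
        $params = Join-Path $cs.PSPath 'services\FsDepends\Parameters'
        if (-not (Test-Path $params)) { New-Item -Path $params -Force | Out-Null }

        $before = (Get-ItemProperty -Path $params -Name VirtualDiskExpandOnMount `
                   -ErrorAction SilentlyContinue).VirtualDiskExpandOnMount
        Set-ItemProperty -Path $params -Name VirtualDiskExpandOnMount -Value 4 -Type DWord

        # Read back so the change is verified, not assumed
        $after = (Get-ItemProperty -Path $params -Name VirtualDiskExpandOnMount).VirtualDiskExpandOnMount
        '{0}: VirtualDiskExpandOnMount {1} -> {2}' -f $cs.PSChildName, ($before -as [string]), $after
    }
}
finally {
    # Drop PowerShell's handles to the hive first, otherwise reg unload reports access denied
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The script refuses to continue if the hive cannot be loaded, which is what happens when the VHD is still mounted by a running Windows instance; the hive must be offline for this to work.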

Client Hyper-V Issues in Windows 8 Consumer Preview–Release Preview Update

Update: After having all kinds of stability and performance issues with VirtualBox on the Win8 Release Preview, I decided to try Client Hyper-V again. Guess what? They fixed the networking issues!! Your clients can now use bridged networking without MAC address conflicts. There is still no graphics acceleration, and having it installed breaks other virtualization software (although a quick bcdedit can fix that temporarily). I have modified things below accordingly.


If you were considering ditching VirtualBox for Client Hyper-V in Windows 8, well, don’t do it just yet (unless you are having problems with VirtualBox). Enabling the Hyper-V hypervisor causes performance and stability issues with host applications, there are all kinds of issues with the networking, it just doesn’t perform all that well, and there is absolutely zero graphics acceleration. And if you enable it, other virtualization software will not work right.

If you remote desktop into your VM you can at least get sound, but on my relatively well endowed machine, the remote desktop was sluggish – more sluggish than RDP over the internet.

Despite Hyper-V being a low-level hypervisor, VirtualBox is blowing it out of the water in all respects. The networking is rock solid, performance is screaming (something changed from CP to RP, or some update in VBox, because the performance hasn’t been so hot), and you get sound and 2D / 3D acceleration (this doesn’t work at all on my machine). (Oh, and you don’t have to boot to an IDE drive.)

Hopefully some of this gets worked out in future releases.

Windows 7, UEFI vs BIOS, GPT vs MBR notes

I’ve been digging and experimenting quite a bit with the boot processes in Windows 7 (64-bit only), trying to accomplish completely unsupported things.

Here are a couple of things I have learned that you might find helpful:

  • 32-bit Windows cannot boot UEFI, nor can it be booted from a (Microsoft) EFI bootloader. This includes Thin PC.
  • The actual Windows partition and installation doesn’t seem to care how it is booted – and it doesn’t matter how it was installed:
    • For UEFI, \Windows\system32\winload.efi is used to boot
    • For BIOS, \Windows\system32\winload.exe is used instead
    • Both sets of files exist regardless of the type of system Windows is installed on, and can be used interchangeably – I have taken a Windows folder installed on a UEFI machine and booted it on a BIOS machine, and vice versa
  • Windows Image Backups are always MBR, even if the source drive was GPT (at least for the partition containing Windows).
  • Windows Image Backup’s recovery tool will not allow you to restore from a UEFI machine to a BIOS machine, but…
  • Because the image is MBR, you can boot it on a BIOS machine with a little work
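A small helper around the winload.efi / winload.exe observation above. This is an added example, not code from the original post: it reports which of the two loaders a given Windows folder carries and which firmware the current host booted under, then writes firmware-matching boot files (bootmgr and a BCD store) with bcdboot’s /f switch. Assumptions: the Windows folder under inspection is W:\Windows and the volume that should receive the boot files is S: (both placeholders); the FIRMWARE_TYPE environment variable is set by Windows 8 and later only; and the /f switch needs the Windows 8 (or later) bcdboot.exe, since the Windows 7 one does not have it.

```powershell
# Added example (not from the original post): inspect a Windows installation for its
# BIOS and UEFI loaders and write boot files for a chosen firmware type with bcdboot /f.
# Placeholders: W:\Windows (installation to boot) and S: (volume receiving the boot files).

function Get-WinloadInfo {
    param([string]$WindowsDir = 'W:\Windows')   # placeholder path
    $sys32 = Join-Path $WindowsDir 'System32'
    # FIRMWARE_TYPE ("Legacy" or "UEFI") is set by Windows 8 and later; Windows 7 does not set it
    $hostFw = if ($env:firmware_type) { $env:firmware_type } else { 'unknown (host predates Windows 8)' }
    New-Object PSObject -Property @{
        WindowsDir   = $WindowsDir
        WinloadExe   = Test-Path (Join-Path $sys32 'winload.exe')   # BIOS loader
        WinloadEfi   = Test-Path (Join-Path $sys32 'winload.efi')   # UEFI loader
        HostFirmware = $hostFw
    }
}

function Install-BootFilesFor {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('BIOS','UEFI','ALL')][string]$Firmware,
        [string]$WindowsDir = 'W:\Windows',   # placeholder
        [string]$BootVolume = 'S:',           # placeholder: active system partition (BIOS) or ESP (UEFI)
        [switch]$Apply                        # without -Apply only the command line is shown
    )
    $info = Get-WinloadInfo -WindowsDir $WindowsDir
    # Refuse early if the loader the target firmware needs is not present
    if ((@('BIOS','ALL') -contains $Firmware) -and -not $info.WinloadExe) {
        throw "winload.exe missing in $WindowsDir\System32"
    }
    if ((@('UEFI','ALL') -contains $Firmware) -and -not $info.WinloadEfi) {
        throw "winload.efi missing in $WindowsDir\System32"
    }
    $bcdArgs = @($WindowsDir, '/s', $BootVolume, '/f', $Firmware)
    if ($Apply) {
        & bcdboot.exe @bcdArgs
        if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
    } else {
        "Would run: bcdboot.exe $($bcdArgs -join ' ')"
    }
}

# Usage (run elevated):
#   Get-WinloadInfo -WindowsDir 'W:\Windows'
#   Install-BootFilesFor -Firmware BIOS -WindowsDir 'W:\Windows' -BootVolume 'S:'          # dry run
#   Install-BootFilesFor -Firmware BIOS -WindowsDir 'W:\Windows' -BootVolume 'S:' -Apply   # write files
```

bcdboot only writes the boot manager and the BCD store. For a BIOS boot of an MBR disk the target volume must additionally be marked active and carry an NT6 boot sector (bootsect /nt60 does that); for UEFI the target must be a FAT-formatted EFI system partition. The dry-run default is deliberate: writing boot files to the wrong volume leaves a machine that does not boot.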