Have you ever considered running BitLocker to encrypt the drives within a Virtual Machine running on, e.g. Hyper-V or VMware? On the face of it, it seems a sensible thing to do, especially considering how portable VHDX and VMDK files are (anyone who can copy the file can mount the disk). Even though the process of enabling BitLocker inside a VM is described online, you should be aware that, at the time of writing, it is not actually supported.
The Microsoft support statement is here:
Can I use BitLocker within a virtual machine operating environment?
BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.
The VMware support statement follows logically from Microsoft's:
As the operating system vendor does not support this configuration, it is unsupported by VMware in a Player, Workstation, Fusion or ESX/ESXi virtual machine.
In the context of Active Directory Domain Controllers, Microsoft makes the following recommendations for securing virtual domain controllers:
If you implement virtual domain controllers, you should ensure that domain controllers run on separate physical hosts than other virtual machines in the environment. Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts. If you implement System Center Virtual Machine Manager (SCVMM) for management of your virtualization infrastructure, you can delegate administration for the physical hosts on which domain controller virtual machines reside and the domain controllers themselves to authorized administrators. You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.
Source: Best Practices for Securing Active Directory
It will be interesting to see whether Microsoft changes their support statement in future versions of Windows. I've not seen anything in Windows Server 2012 R2 to indicate a change, so it might be a while yet.
Actually, a change in guidance might be coming due to a feature in Windows Server 2012 R2 that enables a feature introduced in Windows Server 2012, addressing these concerns.
Hyper-V in Windows Server 2012 R2 introduces a new feature called the "Generation 2 Virtual Machine" (or Gen2 VM, for short). This new VM type supports UEFI firmware. UEFI is a requirement for BitLocker Network Unlock, which is the feature in Windows Server 2012 and Windows 8 I'm referring to. This feature (with some heavy requirements) allows domain-joined machines to automatically unlock the BitLocker encryption on the system drive when (and only when) they're connected to the corporate network (i.e. they can see the Certificate Authority, the DHCP server, the WDS server and the Domain Controllers).
The UEFI requirement for BitLocker Network Unlock was the only one that couldn't be met within VMs, but with Gen2 VMs it can be.
It would be interesting to see if Microsoft will support this configuration and make BitLocker in Generation 2 Virtual Machines with Windows Server 2012 R2 supported.
I don't think that Microsoft will change its support stance here, as it is not about supporting this configuration but rather about the possibility of the host OS being used to interact with the encryption process on a guest OS. IMO this support statement is just a way to protect themselves from a legal point of view in case:
a/ someone will use VMs to play with BitLocker on their own
b/ someone will use BitLocker on a VM which will be overcome from the host OS and will want to take it up with Microsoft.
It seems that Microsoft’s guidance has changed. The linked article was updated in 2018 and now reads as follows:
“Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via Settings > Accounts > Access work or school > Connect) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy.”
Additionally, the VMware website states:
“Microsoft does not support the use of BitLocker on the bootable partition of a virtual hard disk. But BitLocker is supported on non-bootable partitions of a virtual hard disk, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 or Windows Server 2012 R2. For more information, see BitLocker Frequently Asked Questions (FAQ).
VMware support VMs that have valid BitLocker configuration. BitLocker is treated same as any other guest OS feature. However, support of the BitLocker feature is provided by Microsoft.”
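To tie the updated guidance above to something you can run, here is an added PowerShell example (not code from the original post, its commenters, Microsoft or VMware) that first establishes which case a guest is in, namely whether it is a VM, whether it boots UEFI and whether a ready TPM (physical or virtual) is visible to the guest, and then applies the configuration the quoted statements describe: the OS volume gets a TPM protector only when a TPM is present, while non-boot data volumes are encrypted with a recovery password either way. It is written for Windows 10 / Windows Server 2016 or later. Assumptions, all marked in the comments: the Win32_ComputerSystem model strings used to recognise Hyper-V and VMware guests; `-SkipHardwareTest` to avoid the reboot-and-test cycle; the `XtsAes256` cipher; and that the "Store BitLocker recovery information in Active Directory Domain Services" policy is already in place so the AD escrow step succeeds. Run it elevated.

```powershell
# Added example (not from the original post or its comments): decide which
# BitLocker configuration this guest supports under the updated Microsoft and
# VMware guidance, and apply it. Needs Windows 10 / Server 2016+ and an
# elevated session.
#Requires -RunAsAdministrator

function Get-GuestBitLockerFacts {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Assumption: model strings reported by Hyper-V and VMware guests; other
    # hypervisors report different values and will show IsVirtual = $false.
    $isVm = $cs.Model -match 'Virtual Machine|VMware Virtual Platform'
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }   # no TPM driver => no TPM
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        IsVirtual    = $isVm
        Firmware     = $env:firmware_type          # 'UEFI' (Gen2 / EFI) or 'Legacy'
        TpmPresent   = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    }
}

function Enable-GuestBitLocker {
    param(
        [string]  $SystemDrive = $env:SystemDrive,  # e.g. 'C:'
        [string[]]$DataDrives  = @()                # e.g. 'D:','E:'
    )
    $facts = Get-GuestBitLockerFacts
    Write-Verbose ($facts | Out-String) -Verbose

    if ($facts.TpmPresent) {
        # A (virtual) TPM is visible: protect the boot volume with the TPM and add
        # a recovery password so the volume is recoverable if the vTPM state is lost.
        # Assumption: XtsAes256 and -SkipHardwareTest (skips the reboot self-test).
        Enable-BitLocker -MountPoint $SystemDrive -TpmProtector `
            -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector | Out-Null
    } else {
        # Boot volume without a TPM is the case VMware says Microsoft does not support.
        Write-Warning "No ready TPM in this guest; leaving $SystemDrive unencrypted."
    }

    foreach ($d in $DataDrives) {
        # Non-boot data volumes are supported with or without a TPM.
        Enable-BitLocker -MountPoint $d -RecoveryPasswordProtector `
            -EncryptionMethod XtsAes256 -UsedSpaceOnly
        # Auto-unlock stores the volume key on the (TPM-protected) OS volume, so
        # only enable it when the OS volume is itself protected.
        if ($facts.TpmPresent) { Enable-BitLockerAutoUnlock -MountPoint $d }
    }

    # Escrow every recovery password in AD DS. Assumption: the GPO
    # "Store BitLocker recovery information in AD DS" is already applied.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ',') } }
}

# Usage: report only, then encrypt C: (if a TPM is present) and D:.
Get-GuestBitLockerFacts
Enable-GuestBitLocker -SystemDrive 'C:' -DataDrives 'D:'
```

Two things worth checking before relying on this in a fleet: a data volume that has only a recovery-password protector and no auto-unlock will prompt for the 48-digit password on every mount, so without a TPM you would normally add a password or certificate protector for day-to-day use; and a vTPM only raises the bar against copying the VHDX/VMDK, not against an administrator of the host, which is the concern the earlier comment raises and the reason the host-side volumes still deserve their own BitLocker protection as Microsoft's original statement recommends.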