Forum Discussion

benlewis12
Copper Contributor
Feb 10, 2026

Encrypted vhdx moved to new host, boots without pin or recovery key

Hyper-V environment. Enabled vTPM on a guest Server 2022 OS and encrypted the OS drive C:\ with BitLocker. Host Server 2022 has a physical TPM. Shut down the guest OS and copied the vhdx file to another Hyper-V host server that is completely off network (also Server 2022 with a physical TPM). Created a new VM based on the "encrypted" vhdx. I was able to start the VM without needing a PIN or a recovery key. Doesn't this defeat the whole point of encrypting VHDs? Searching says that this should not be possible, but I replicated it twice on two different off-network Hyper-V host servers. Another odd thing is that when the guest boots on the new host and you log in, the drive is NOT encrypted. So, where's the security in that? Does anyone have any ideas on this, or am I missing something completely? Or have I just made Microsoft angry for pointing out this glaring flaw??

3 Replies

  • Hello benlewis12,

    What you observed is expected behaviour and not a flaw.

    When BitLocker is enabled on a VM without a vTPM present at provisioning time, the OS drive is typically protected with a clear key protector. That means the volume is encrypted but automatically unlocked at boot without TPM validation. In that state, copying the VHDX to another host will not trigger recovery because no TPM-bound protector exists.

    When you create the VM with vTPM enabled before installing the OS, BitLocker detects a TPM during provisioning and seals the Volume Master Key to that vTPM. The protector becomes TPM-based. If you then move the VHDX to another host and attach it to a new VM with a different vTPM identity, PCR measurements change and BitLocker correctly enters recovery mode.

    Key points:

    • BitLocker security depends on the active key protectors, not on the mere presence of encryption.

    • If you enable vTPM after BitLocker was already configured, the existing protector set does not automatically convert to TPM-only protection.

    You must verify with:

    • manage-bde -status
    • manage-bde -protectors -get C:

    If you see a Clear Key or no TPM protector, suspend and re-enable BitLocker so that the VM reseals the key against the vTPM.

    So vTPM does not only work during a fresh install. It works whenever BitLocker is configured to use a TPM-based protector. The difference you saw comes from how BitLocker was originally provisioned, not from a Hyper-V bug.
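The check the reply describes, as an added PowerShell example that is not code posted in this thread or shipped by Microsoft. It assumes the BitLocker and TrustedPlatformModule modules included with Windows Server 2022, runs elevated inside the guest, and reports the three things a moved VHDX hinges on: whether the volume is actually fully encrypted, whether protection is Off (clear key in use), and whether any protector is TPM-based. The -Reseal switch is this script's own addition and performs the suspend/resume the reply recommends.

```powershell
# Added example for this thread, not code posted by anyone in it. Assumes the
# BitLocker and TrustedPlatformModule modules that ship with Windows Server 2022;
# run elevated inside the guest whose OS volume is in question.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [switch]$Reseal   # hypothetical switch added here: suspend/resume so the VMK is re-sealed to the current vTPM
)

Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

# Protector types that seal the Volume Master Key to the (v)TPM's PCR measurements.
# RecoveryPassword, ExternalKey and Password protectors unlock without measuring the platform.
$script:TpmBoundTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

function Test-BitLockerBinding {
    param([string]$MountPoint = 'C:')

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm      = Get-Tpm
    $types    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $tpmBound = @($types | Where-Object { $script:TpmBoundTypes -contains $_ })
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the data on disk actually ciphertext? A protector list means nothing if
    #    encryption never ran or is still in progress.
    if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("volume is $($vol.VolumeStatus) at $($vol.EncryptionPercentage)%: on-disk data is readable on any host")
    }
    # 2. Protection Off means the VMK is wrapped with a clear key (suspended state):
    #    every host, including an off-network one, boots it unattended.
    if ([string]$vol.ProtectionStatus -eq 'Off') {
        $findings.Add('protection status is Off: clear key protector active, no TPM validation at boot')
    }
    # 3. Without a TPM visible to the guest there is nothing to seal to.
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings.Add('no ready TPM in the guest: enable vTPM on the VM before expecting TPM protection')
    }
    # 4. Recovery password / external key only: unlock never measures the platform.
    if ($tpmBound.Count -eq 0) {
        $findings.Add("no TPM-based protector present (have: $($types -join ', '))")
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        Protectors       = $types
        TpmPresent       = [bool]$tpm.TpmPresent
        TpmBound         = ($tpmBound.Count -gt 0)
        Findings         = $findings.ToArray()
    }
}

function Invoke-BitLockerReseal {
    param([string]$MountPoint = 'C:')
    # Suspend writes a clear key; resume removes it and re-seals the VMK against the
    # PCR values of the platform the VM is running on right now (this host's vTPM).
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Resume-BitLocker  -MountPoint $MountPoint | Out-Null
}

$report = Test-BitLockerBinding -MountPoint $MountPoint
$report | Format-List
if ($report.Findings.Count -eq 0) {
    Write-Host "OK: $MountPoint is fully encrypted and sealed to the guest TPM; moving the VHDX to another host should trigger recovery."
} else {
    $report.Findings | ForEach-Object { Write-Warning $_ }
}

if ($Reseal -and $report.TpmBound -and $report.VolumeStatus -eq 'FullyEncrypted') {
    Invoke-BitLockerReseal -MountPoint $MountPoint
    (Test-BitLockerBinding -MountPoint $MountPoint).Findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as `.\Test-BitLockerBinding.ps1` (or with `-Reseal`) inside the guest before exporting the VHDX. A disk that boots anywhere without a prompt will show up here as VolumeStatus other than FullyEncrypted, ProtectionStatus Off, or a protector list with no Tpm* entry; the reseal is only attempted when the volume is fully encrypted and already has a TPM-based protector to re-bind.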

    • benlewis12
      Copper Contributor

      I checked and I had both TPM and PIN as well as numerical password set on C:\ for the key protectors. I suspended and re-enabled BitLocker, then moved the vhdx to an offline Hyper-V host. After creating a VM based on that vhdx, it did not prompt for a PIN or a recovery key on boot-up.

      As a further test, I turned off BitLocker on the C:\ drive on my test VM, removed the BitLocker role completely and then rebooted. Re-added the BitLocker role, rebooted and set up BitLocker again. I chose the enter-a-PIN option and rebooted again so encryption could be done. Once that completed, the output of manage-bde -status showed:

      Key Protectors:
        TPM And PIN
        Numerical Password
        Network (Certificate Based)

      Shut down the VM, copied the vhdx to an off-network Hyper-V host. Created a new virtual machine and attached the vhdx. Could boot it up without a PIN or recovery key. Once the OS was running, logged in and C:\ was NOT encrypted and the BitLocker role was not active on the server.

      I definitely appreciate your responses but apparently, I'm still missing something.

      Thanks,

      Ben

  • benlewis12
    Copper Contributor

    I just wanted to post an update on this. I created a new VM but made sure to enable vTPM prior to installing the OS. Once the VM was up and running, I shut it down and copied the .vhdx to another off-network Hyper-V host, created a new VM based on the .vhdx I copied over and attempted to boot. It prompted for a recovery key (as it should). So, my question is: does vTPM only work if you enable it during a fresh VM install, or is there a "bug" in Hyper-V where if you enable vTPM on an existing VM, it doesn't work as designed?