It seems in the world of software there is a constant battle between software personnel and security personnel. When new features roll out making life better for developers, security often has a need to lock them down making it more difficult again. This is true for being able to experiment with new operating systems. Features like virtualization has made life easier, but the need for encryption has made it harder again. In Windows, starting with version 7, it is possible to boot using a virtual hard disk (VHD), an entire hard disk inside of one file. This method allows for the operating system to run run directly on the bare metal of the computer, thereby offering greater compatibility with devices, since there are no extra virtualization layers. To use this feature with Windows 7, in general, the VHD needs to be located on an internal, unencrypted disk.
In many enterprises whole disk encryption is in use to protect data from being vulnerable if a device is lost or stolen. BitLocker Drive Encryption is one of the software packages that enables this functionality. However, once it is turned booting from a VHD is not possible if the file resides on the operating system's partition because it will be encrypted. Fortunately there is a possible workaround, depending on the state of your current hard drive. If you have some significant free space and some patience you can get this feature working by repartitioning your hard drive. The following steps show what I needed to do to get it working on my machine, which had not yet been prepped for BitLocker, so your mileage may vary.
- Open a command prompt as an Admin
- Type "diskpart"
- Type "list disk"
- Type "select disk [x]", where [x] is the number (column ###) of your disk
- Type "list partition"
- Type "select partition [x]" where [x] is the number (column ###) of your OS partition
- Type "shrink querymax"
If the available reclaimable bytes are less than what you need then you can try some methods to increase that space, then repeat the steps above. You can also try these steps by opening a command prompt in Windows Setup and Recovery as there won't be any files in use that way.
Otherwise, for the risk adverse, now is the time to consider backing up your hard drive and/or continue on
- Type "shrink desired=[x]" where [x] is the size of the amount you want to shrink
At this point I needed to prep my drive for BitLocker. If you already have BitLocker installed you could also use the diskpart "extend" command to expand your current system partition instead of the steps below. This can be a bit trickier depending on how your partitions were originally created on your hard disk, since the space needed for the system partition needs to be contiguous. If you need to prep your drive for BitLocker perform the following steps, continuing from above.
- Type "create partition primary"
- Type "active"
- Type "assign letter=S"
- Type "format fs=ntfs quick"
- Type "exit"
- Type "bcdboot C:\windows /s S:"
- Type "shutdown /r
Perform all steps necessary to enable BitLocker Add VHDs to your S: drive and configure as necessary (These files will NOT be encrypted, so you don't want to put anything on it that could potentially damage you or some other entity should the computer be lost or stolen).