Technical Blog‎ > ‎

Enable Windows BitLocker on the System Drive in VMware Player with a Virtual Key Storage Drive

posted Oct 15, 2020, 7:58 PM by Jingshan Du
The VMware Player which is free for non-commercial use does not support the virtual Trusted Platform Module (vTPM), and thus does not officially support BitLocker on the system drive in a Windows guest OS. Here a workaround is provided to enable BitLocker with minimal disturbance to normal user interaction by creating a virtual USB disk for boot-time authentication. 

1. Add a virtual USB disk to the virtual machine
Although not officially documented, you can add virtual USB devices, such as USB drives, to a virtual machine in VMware Player. This will serve as the key storage drive for BitLocker so you do not have to input an additional password when booting into the virtual machine.

To do this, you need to first create a small virtual disk (vmdk). If you only have VMware Player without other tools, you can add a new hard drive to your virtual machine and use that wizard to create a new vmdk file. It does not have to be large --even a few megabytes is enough. Then, locate the vmx file for your virtual machine (typically in the C:\Users\[username]\Documents\Virtual Machines\[name of the VM]\ or the location where the VM is stored). Open it using a text editor (e.g., notepad), and append the following content to the file:
ehci:0.present = "TRUE"
ehci:0.deviceType = "disk"
ehci:0.fileName = "pathToFile.vmdk"
ehci:0.readonly = "FALSE"
Note that the number "0" after "ehci:" specifies which USB port this virtual drive is inserted into. Make sure to replace "pathToFile.vmdk" with the actual path to the small vmdk file that you just created.

Now launch your virtual machine which already has a working Windows operating system. Go to Disk Management (you can search for it or right-click on the Windows Start button) and you will find a new drive "not initialized". Now initialize this drive in the right-clicking menu on the drive name left to the block diagram. Then, add a volume on this new drive and format it as either NTFS or FAT32 (does not matter).


2. Enable Windows to use BitLocker on the system drive without TPM presence

Briefly, search for "group policy" in the system or launch it directly by doing Win+R -> "gpedit.msc". Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and double-click on "Require additional authentication at startup". Then, enable this policy and check on the option "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)".

Now you can go ahead and enable BitLocker on your system drive. You will be prompted to select either of the two methods for boot-time authentication: insert a  USB drive or enter a password. As entering an additional password at every boot is very annoying, you can now use the virtual USB drive that was just created for key storage. 
Comments