Bitlocker Full Encryption

Discussion in 'Windows Virtual Machine' started by RonnieH3, Jul 21, 2021.

  1. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    My organizations IT policy requires BitLocker with full disk encryption. My issue is that BitLocker is only encrypting the used space. I previously used VMware (same Windows image, same host machine) and had no issue encrypting the full disk. Has anyone ran into this issue before or have any suggestions?

    Mac Pro (Late 2013)
    Big Sur Version 11.3 Beta
    Parallels Desktop 16 Pro Edition Version 16.5.1
     

    Attached Files:

  2. mmika

    mmika Pro

    Messages:
    488
    What was a setting for BitLocker when it was initialized? There are two options: "Encrypt used disk space only" and "Encrypt entire drive"
    Did you see this setting? This is for activating BitLocker on system drive, i.e. "C:"
    A screenshot you have provided related to Hard Disk Drive device encryption support (AFAIK), it does not related to software encryption settings.
     
  3. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    That setting is not available. When I select "Turn on BitLocker" the only option I have available is the hardware test. It completely bypasses the screen with the options you mentioned. I went in to the Group Policy and enforced full drive encryption (Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives) and it still only encrypts used space.
     
  4. Ajith1

    Ajith1 Parallels Support

    Messages:
    2,719
    Hi RonnieH3,
    We suggest you disable expanding disk by referring to this article then try to encrypt.
     
  5. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    Tried that as well with no luck. Even went as far as completely isolating the VM from MacOS and encrypting the VM using parallels prior to initiating BitLocker with no luck.
     
  6. mmika

    mmika Pro

    Messages:
    488
    Hi RonnieH3, I've reproduced your issue.
    As workaround I would suggest to:
    1. Uninstall Parallels Tools
    2. Activate BitLocker and choose full disk encryption. There will be options during BitLocker setup process.
    3. After disk encryption complete, install Parallels Tools.
     
  7. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    I attempted this twice and still no luck. I uninstalled Tools, decrypted, restarted and encrypted again. Still didn't get the screen to choose Full or Used Space. Once it finished, I checked the status (manage-bde -status) and it still showed used space only. I then set the GP to enforce Full Disk, decrypted once again, shut down the VM, restarted Parallels, turned on the VM and started the encryption. Still only encrypted Used Space. Is the removal of Parallels Tools the only change you made?
     
  8. mmika

    mmika Pro

    Messages:
    488
    The workaround I suggested, allowed to get window during BitLocker setup with encryption mode selection: full or used space only.
    By default once Parallels Tools installed BitLocker setup doesn't allow to choose encryption mode. I checked one more time and it works...
    Looks like Parallels Tools prevent BitLocker from encrypting full disk, because it advertises virtual HDD as thin provisioned drive. And Bitlocker does not allow some operations on these kind of drives, "-w" aka wipe free space, for example. If there is no tools installed virtual HDD is not advertised as thin provisioned, so full disk encryption mode is possible for this drive...
    Could you check one more time.
    1. Turn off BitLocker and wait for decryption process complete
    2. Uninstall Parallels Tools
    3. Reboot the VM
    4. Try to turn on BitLocker again. No need to encrypt drive if there would not be a window with used space or full disk encryption offer...
     
  9. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    Turned off BitLocker, removed Parallels Tools using IOBituninstaller to ensure it was completely removed, restarted the VM, turned on Bitlocker and received the same screen. No option to select full or used, only "start encryption."
     

    Attached Files:

  10. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    Could there a policy or setting somewhere that I've overlooked that could be causing it to encrypt used space instead of the default? The only BitLocker GP's that I've played with are the ones relating to OS drives. Surely settings for fixed or removable drives wouldn't affect how OS drives are treated.
     
  11. mmika

    mmika Pro

    Messages:
    488
    Hi RonnieH3, could you select in Parallels Menu: Help->Send Technical Data, send data to Parallels and share its ID?
     
  12. RonnieH3

    RonnieH3 Bit poster

    Messages:
    7
    Sure thing. Report ID 375132708
     

Share This Page