#1

Guest
I installed Hyper-V Server 2008 R2 on a motherboard with a TPM and was able to enable BitLocker. But I wanted to add the additional protection of a PIN and USB key. I have been unable to get this to work. I initially tried to enable TPM+PIN+USB with the following command:

manage-bde -protectors -add -tpsk C: -tsk F:

but each time I get the following error message:

ERROR: An error occurred (code 0x80310064) Group Policy settings do not permit the use of a startup key and PIN. Please choose a different BitLocker startup option.

I tried all the combinations of TPM+PIN, TPM+USB, and TPM+PIN+USB, but each time got the above error message. (The exact code was slightly different for TPM+PIN and TPM+USB, but basically the same failure.) The limited Hyper-V menus don't have any way to change this policy and I was unable to find any way to change the policy from the command line.

So I tried using a Windows 7 PC (with RSAT installed). Both the Windows 7 PC and Hyper-V were in the same WORKGROUP. I thought that by using the GUI on the Windows 7 PC I should be able to enable these BitLocker options on the Hyper-V machine. But each attempt to connect with Server Manager or MMC got an error. I don't recall the exact error message, but the error implied that the only way to edit the policy was to have both computers in the same Active Directory domain.

So I next installed the Standard version of Microsoft Server 2008 R2 on top of my Hyper-V server and put them both in the same Active Directory domain. From the VM I was able to connect to the Hyper-V server with both the Server Manager and using the MMC snap-in. Since the initial error messages mentioned a "Group Policy" I initially tried to edit the AD-DS policy thinking that would affect all computers in my domain (and thus my Hyper-V server). But that didn't work. I then used the MMC and added a snap-in for the Group Policy Editor and ensured that I selected my Hyper-V server as the target for the Local Group Policy. As far as I can tell I am now editing the policy on my Hyper-V server.

But nothing I tried seemed to work. I also tried rebooting to ensure that wasn't my problem, and after a reboot I could verify that the BitLocker policies I had changed were the way I set them prior to the reboot. But I still got the above error message when trying to enable TPM+PIN+USB with BitLocker. I also tried completely decrypting the drive, that had previously been encrypted with the TPM alone, and then rebooting. But I still was not able to enable TPM+PIN+USB.

When using the MMC from Windows 7 (in the same Active Directory domain) I was going after: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. I tried several options, but in particular: Operating System Drives > Require additional authentication at startup (Windows Server 2008 and Windows Vista).

I thought this issue was isolated to using the Hyper-V server, but before composing this question I formatted a 2nd hard drive and installed the Enterprise version of Microsoft Server 2008 R2 with the Hyper-V role. (Except for the hard drive this is all the same computer hardware I was using for the Hyper-V server.) This seems to have the same problem, i.e., I can enable BitLocker with the TPM alone, but not TPM+PIN, TPM+USB, or TPM+PIN+USB. I am only really interested in solving this problem for the Hyper-V server, but given that both the Hyper-V and full (Enterprise) server have the same problem I suspect that whatever the fix is will solve both problems? Thanks for any help you can provide.
#2

Guest
I later found the resolution to this problem.

I had a trial version of Microsoft Server 2008 R2 and installed that in a VM on Microsoft Hyper-V 2008 R2. I put my Hyper-V primary partition into the same AD-DS domain with my Server 2008 R2 VM. (I'm not sure if the Hyper-V partition really needs to be in the same domain? Or if I could have left it in the WORKGROUP?) From the Server 2008 R2 VM I was able to manipulate the policy on the Hyper-V primary partition.

I believe what was causing me all the problems (which prompted my prior post) is that I enabled two different options. One mentioned Windows Server 2008 and Vista which I thought was odd, but thought that perhaps it meant all the newer versions. I believe that Windows Server 2008 and Vista must have different BitLocker settings than are available on other versions of Windows such as Server 2008 R2 and Windows 7. The options I selected all mentioned "Allow" which I assumed meant that I could "Allow" both sets of options. But in my case I should not have tried to enable the options that mentioned Windows Server 2008 and Vista. Once I only enabled the other option (I don't recall right now what it was called) then I was able to enable BitLocker on my Hyper-V primary partition and use both a PIN and USB key.
#3

Guest
I found a resolution to my problem. In case anyone else runs into this, here’s what I did.

I had a trial version of Microsoft Windows Server 2008 R2 that I installed as a VM on my Hyper-V 2008 R2 system. I put my Hyper-V primary partition into the same Active Directory (AD-DS) domain as the Windows Server 2008 R2 VM. I’m not sure if this was necessary or not? It might have been possible to leave Hyper-V in WORKGROUP? The initial error message mentioned something to the effect that I would need to use a full blown Microsoft Server to manipulate the Group Policy. (I was not able to use RSAT from Windows 7.) And maybe the installation of the Windows Server 2008 R2 VM alone would have been sufficient to change the Hyper-V Server 2008 R2 policies?

From the Windows Server 2008 R2 VM I started MMC and clicked on “Add or Remove Snap-In” and added the Group Policy Object Editor. At the first dialogue box I clicked on the “Browse” button, then “Another Computer”, and then another “Browse” button, and then used the “Select Computer” dialogue box to connect to my Hyper-V primary partition. Once connected I navigated to the Computer Configuration, Administrative Tools, Windows Components, BitLocker Drive Encryption, and then Operating System Drives. There were two options that looked like they might do what I wanted: “Require additional authentication at startup” and “Require additional authentication at startup (Windows Server 2008 and Windows Vista).” Both of these were “Not Configured.” I changed them both to “Enable” given that all the sub options mentioned “Allow”, so I thought this should work. I thought it was odd the second option mentioned “Vista” and did not mention “R2.” I thought that perhaps this was a newer option, but since then my guess is that the original Windows Server 2008 and Windows Vista must not have all the same BitLocker options that are available on other versions of Windows, i.e., in particular Windows Server 2008 R2 and Windows 7?

Given that Hyper-V is derived from Server 2008 I wasn’t sure which of the two BitLocker options was appropriate to use. So I enabled them both. All the error messages I mentioned in the original post must have been due to the fact that I enabled both sets of options. Once I put the “Require additional authentication at startup (Windows Server 2008 and Windows Vista)” back to “Not Configured” and only enabled “Require additional authentication at startup” then I was able to run the manage-bde commands and set up BitLocker on Hyper-V to use both a PIN and USB key.
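The thread above resolves the 0x80310064 error by trial and error in the Group Policy editor. An added example, not code from the thread, that makes the same check visible from the command line before any manage-bde -add attempt: it reads the local BitLocker startup policy from the registry, flags values written by a policy other than the one the poster ended up using, and lists the protectors already on the volume. It assumes that the Windows 7 / Server 2008 R2 policy “Require additional authentication at startup” is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN with 0 = do not allow, 1 = allow, 2 = require (the layout the ADMX writes on those versions; verify against your own policy store), and that PowerShell is available on the machine you run it on, e.g. the full Server 2008 R2 install from the first post.

```powershell
# Added example, not from the thread: show the effective BitLocker startup
# policy and the current protectors on a volume, so a policy conflict is
# visible without repeated manage-bde -protectors -add attempts.
# ASSUMPTION: policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE
# as the DWORDs named in $KnownValues (0 = do not allow, 1 = allow, 2 = require).
param([string]$Volume = 'C:')

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$KnownValues = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM',
               'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$Meaning     = @{ 0 = 'Do not allow'; 1 = 'Allow'; 2 = 'Require' }

function Get-BitLockerStartupPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No policy key at $PolicyKey; BitLocker is using its built-in defaults."
        return @()
    }
    $props = Get-ItemProperty -Path $PolicyKey
    $rows = @(foreach ($name in $KnownValues) {
        $raw = $props.$name
        $state = if ($null -eq $raw)                      { 'not set' }
                 elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                 else                                     { "unexpected value $raw" }
        [pscustomobject]@{ Setting = $name; State = $state }
    })
    # Anything else under the key was written by a different policy (for example
    # the "Windows Server 2008 and Windows Vista" variant the poster had enabled
    # alongside this one). Surface it rather than silently ignoring it.
    $extra = (Get-Item $PolicyKey).GetValueNames() |
             Where-Object { $KnownValues -notcontains $_ }
    foreach ($name in $extra) {
        $rows += [pscustomobject]@{ Setting = $name
                                    State   = "set by another policy (value $($props.$name))" }
    }
    return $rows
}

function Get-VolumeProtectors([string]$Vol) {
    # Same tool the thread uses; -get only lists protector types and IDs.
    & manage-bde -protectors -get $Vol 2>&1
}

$policy = Get-BitLockerStartupPolicy
$policy | Format-Table -AutoSize

# For UseAdvancedStartup a value of 1 simply means the policy is enabled; without
# it the PIN and startup-key settings below it are not honoured.
$adv = $policy | Where-Object { $_.Setting -eq 'UseAdvancedStartup' }
if ($adv -and $adv.State -ne 'Allow') {
    Write-Warning 'UseAdvancedStartup is not 1: TPM+PIN and TPM+startup-key protectors will be refused.'
}
if ($policy | Where-Object { $_.State -like 'set by another policy*' }) {
    Write-Warning 'Values from a second policy are present; set the Vista/Server 2008 variant back to Not Configured as in the thread.'
}

Get-VolumeProtectors $Volume
```

Run it as an administrator on the machine whose policy you are changing (or after a reboot, as the poster did, to confirm the Group Policy change actually landed). If UseTPMPIN, UseTPMKey or UseTPMKeyPIN show “Do not allow” or “not set” while the matching manage-bde protector is refused, the policy rather than the TPM is the blocker.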