Containers Fail To Start When Fixed Drive Bitlocker Is Enforced #2464

@grochoge

Creating this based on docker/for-win#14569 as they indicated they won't fix the issue.

When Windows is configured to require BitLocker on fixed drives, containers fail to start on Docker/Moby versions greater than 27.4.1 due to the error: docker: Error response from daemon: FSCTL_EXTEND_VOLUME \?\Volume{GUID-HERE}: The media is write protected

I believe this was introduced by commit 6901c20 by @ambarve (although I have not tested reverting this).

The real issue is Windows has no way to require encryption on physical drives while allowing virtual drives to remain unencrypted (as far as I know).

Can this be fixed? Ideally a setting would be introduced in Windows to exempt VHDs from encryption. But perhaps as a workaround the above commit could be reverted/gated to only apply to systems without encryption enforced?

Or BitLocker could be enabled on drives created by hcsshim.
