From 6d5ca2bf908c021fafee0d95bc7ecd43ad876bf7 Mon Sep 17 00:00:00 2001 From: Andreas Heck Date: Tue, 24 Jun 2025 11:45:12 +0200 Subject: [PATCH 1/3] Document FSCTL_EXTEND_VOLUME read-only issue --- .../troubleshoot/topics.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md index 356db9f4ed0b..21aa928bcb77 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md 
@@ -379,6 +379,39 @@ Note some third-party software such as Android emulators will disable Hyper-V on Your machine must have the following features for Docker Desktop to function correctly: +### Docker Desktop with Windows Containers fails with "The media is write protected"" + +#### Error message + +FSCTL_EXTEND_VOLUME \\?\Volume{GUID}: The media is write protected + +#### Cause + +If you're encountering failures when running Docker Desktop with Windows Containers, it might be due to +a specific Windows configuration policy: FDVDenyWriteAccess. + +This policy, when enabled, causes Windows to mount all fixed drives not encrypted by BitLocker-encrypted as read-only. +This also affects virtual machine volumes and as a result, Docker Desktop may not be able to start or run containers +correctly because it requires read-write access to these volumes. + +FDVDenyWriteAccess is a Windows Group Policy setting that, when enabled, prevents write access to fixed data drives that are not protected +by BitLocker. This is often used in security-conscious environments but can interfere with development tools like Docker. +In the Windows registry it can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess. + +#### Solutions + +Docker Desktop does not support running Windows Containers on systems where FDVDenyWriteAccess is enabled. This setting interferes with the +ability of Docker to mount volumes correctly, which is critical for container functionality. + +To use Docker Desktop with Windows Containers, ensure that FDVDenyWriteAccess is disabled. You can check and change this setting in the registry or through Group Policy Editor (gpedit.msc) under: + +Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Fixed Data Drives -> Deny write access to fixed drives not protected by BitLocker + +Set this policy to "Not Configured" or "Disabled". 
+ +Note: Modifying Group Policy settings may require administrator privileges and should comply with your organization's IT policies. If the setting gets reset after some +time this usually means that it got overriden by the centralized configuration of your IT department. Better talk to them before making any changes. + ##### WSL 2 and Windows Home 1. Virtual Machine Platform From ec94be7aacf40e68e087bd1a3d700c32d78659a3 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 24 Jun 2025 13:39:24 +0100 Subject: [PATCH 2/3] Apply suggestions from code review --- .../troubleshoot/topics.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md index 21aa928bcb77..9b75b792ee48 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md @@ -383,7 +383,7 @@ Your machine must have the following features for Docker Desktop to function cor #### Error message -FSCTL_EXTEND_VOLUME \\?\Volume{GUID}: The media is write protected +`FSCTL_EXTEND_VOLUME \\?\Volume{GUID}: The media is write protected` #### Cause 
@@ -396,21 +396,20 @@ correctly because it requires read-write access to these volumes. FDVDenyWriteAccess is a Windows Group Policy setting that, when enabled, prevents write access to fixed data drives that are not protected by BitLocker. This is often used in security-conscious environments but can interfere with development tools like Docker. -In the Windows registry it can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess. +In the Windows registry it can be found at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess`. #### Solutions Docker Desktop does not support running Windows Containers on systems where FDVDenyWriteAccess is enabled. This setting interferes with the ability of Docker to mount volumes correctly, which is critical for container functionality. -To use Docker Desktop with Windows Containers, ensure that FDVDenyWriteAccess is disabled. You can check and change this setting in the registry or through Group Policy Editor (gpedit.msc) under: +To use Docker Desktop with Windows Containers, ensure that FDVDenyWriteAccess is disabled. You can check and change this setting in the registry or through Group Policy Editor (`gpedit.msc`) under: -Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Fixed Data Drives -> Deny write access to fixed drives not protected by BitLocker +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** > **Deny write access to fixed drives not protected by BitLocker** -Set this policy to "Not Configured" or "Disabled". - -Note: Modifying Group Policy settings may require administrator privileges and should comply with your organization's IT policies. If the setting gets reset after some -time this usually means that it got overriden by the centralized configuration of your IT department. 
Better talk to them before making any changes. +> [!NOTE] +> +> Modifying Group Policy settings may require administrator privileges and should comply with your organization's IT policies. If the setting gets reset after some time this usually means that it was overriden by the centralized configuration of your IT department. Talk to them before making any changes. ##### WSL 2 and Windows Home From 841a1351c80a19cc3229b3e1499d8f880dd9b684 Mon Sep 17 00:00:00 2001 From: aevesdocker Date: Tue, 24 Jun 2025 13:45:37 +0100 Subject: [PATCH 3/3] move location of content --- .../troubleshoot/topics.md | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md index 9b75b792ee48..17d946d1a8e1 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md 
@@ -379,38 +379,6 @@ Note some third-party software such as Android emulators will disable Hyper-V on Your machine must have the following features for Docker Desktop to function correctly: -### Docker Desktop with Windows Containers fails with "The media is write protected"" - -#### Error message - -`FSCTL_EXTEND_VOLUME \\?\Volume{GUID}: The media is write protected` - -#### Cause - -If you're encountering failures when running Docker Desktop with Windows Containers, it might be due to -a specific Windows configuration policy: FDVDenyWriteAccess. - -This policy, when enabled, causes Windows to mount all fixed drives not encrypted by BitLocker-encrypted as read-only. -This also affects virtual machine volumes and as a result, Docker Desktop may not be able to start or run containers -correctly because it requires read-write access to these volumes. - -FDVDenyWriteAccess is a Windows Group Policy setting that, when enabled, prevents write access to fixed data drives that are not protected -by BitLocker. This is often used in security-conscious environments but can interfere with development tools like Docker. -In the Windows registry it can be found at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess`. - -#### Solutions - -Docker Desktop does not support running Windows Containers on systems where FDVDenyWriteAccess is enabled. This setting interferes with the -ability of Docker to mount volumes correctly, which is critical for container functionality. - -To use Docker Desktop with Windows Containers, ensure that FDVDenyWriteAccess is disabled. 
You can check and change this setting in the registry or through Group Policy Editor (`gpedit.msc`) under: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** > **Deny write access to fixed drives not protected by BitLocker** - -> [!NOTE] -> -> Modifying Group Policy settings may require administrator privileges and should comply with your organization's IT policies. If the setting gets reset after some time this usually means that it was overriden by the centralized configuration of your IT department. Talk to them before making any changes. - ##### WSL 2 and Windows Home 1. Virtual Machine Platform 
@@ -494,6 +462,38 @@ The Virtual Machine Management Service failed to start the virtual machine 'Dock Try [enabling nested virtualization](/manuals/desktop/setup/vm-vdi.md#turn-on-nested-virtualization). +### Docker Desktop with Windows Containers fails with "The media is write protected"" + +#### Error message + +`FSCTL_EXTEND_VOLUME \\?\Volume{GUID}: The media is write protected` + +#### Cause + +If you're encountering failures when running Docker Desktop with Windows Containers, it might be due to +a specific Windows configuration policy: FDVDenyWriteAccess. + +This policy, when enabled, causes Windows to mount all fixed drives not encrypted by BitLocker-encrypted as read-only. +This also affects virtual machine volumes and as a result, Docker Desktop may not be able to start or run containers +correctly because it requires read-write access to these volumes. + +FDVDenyWriteAccess is a Windows Group Policy setting that, when enabled, prevents write access to fixed data drives that are not protected +by BitLocker. This is often used in security-conscious environments but can interfere with development tools like Docker. +In the Windows registry it can be found at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess`. + +#### Solutions + +Docker Desktop does not support running Windows Containers on systems where FDVDenyWriteAccess is enabled. This setting interferes with the +ability of Docker to mount volumes correctly, which is critical for container functionality. + +To use Docker Desktop with Windows Containers, ensure that FDVDenyWriteAccess is disabled. 
You can check and change this setting in the registry or through Group Policy Editor (`gpedit.msc`) under: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** > **Deny write access to fixed drives not protected by BitLocker** + +> [!NOTE] +> +> Modifying Group Policy settings may require administrator privileges and should comply with your organization's IT policies. If the setting gets reset after some time this usually means that it was overriden by the centralized configuration of your IT department. Talk to them before making any changes. + ### `Docker Desktop Access Denied` error message when starting Docker Desktop #### Error message
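Review bot: In PATCH 1/3, hunk @@ -379,6 +379,39, the added heading ends in a doubled quote (write protected"") and the second Cause paragraph reads "not encrypted by BitLocker-encrypted as read-only", which is garbled. Suggest a single closing quote in the heading and "all fixed drives not encrypted by BitLocker as read-only". Both defects are carried unchanged into the block re-added by 3/3, so they need fixing there as well.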
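Review bot: In PATCH 2/3, hunk @@ -396,21 +396,20, the line Set this policy to "Not Configured" or "Disabled". is removed along with the old Note and nothing replaces it, so Solutions now ends at the Group Policy path without saying which state to select. Suggest restoring that sentence between the bolded path and the > [!NOTE] block. The rewritten note also keeps the misspelling "overriden" (should be "overridden").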
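Review bot: In PATCH 3/3, hunk @@ -494,6 +462,38, the relocated Cause section defines FDVDenyWriteAccess twice: the paragraph starting "This policy, when enabled" and the one starting "FDVDenyWriteAccess is a Windows Group Policy setting" make the same statement. Suggest merging them into one paragraph that keeps the registry location. Solutions also says the setting can be checked and changed in the registry, but the text never states which value data corresponds to enabled or disabled; either document that or direct readers to the Group Policy path only. Because the section itself says the policy is common in security-conscious environments and may be re-applied centrally, consider placing the note above the change instructions so it is read first.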