Windows containers won't start after upgrading to 4.38.0
Description
After upgrading from 4.37.1 to 4.38.0 on Windows 11 it is no longer possible to start any Windows Docker container.
Attempting to start one results in a FSCTL_EXTEND_VOLUME error with the text The media is write protected.
I have tried this on two separate PCs with the same result every time.
Reproduce
docker run --rm -it mcr.microsoft.com/windows/servercore:ltsc2019
Expected behavior
Docker should start the container.
docker version
Client:
Version: 27.5.1
API version: 1.47
Go version: go1.22.11
Git commit: 9f9e405
Built: Wed Jan 22 13:41:44 2025
OS/Arch: windows/amd64
Context: desktop-windows
Server: Docker Desktop 4.38.0 (181591)
Engine:
Version: 27.5.1
API version: 1.47 (minimum version 1.24)
Go version: go1.22.11
Git commit: 4c9b3b0
Built: Wed Jan 22 13:40:41 2025
OS/Arch: windows/amd64
Experimental: false
docker info
Client:
Version: 27.5.1
Context: desktop-windows
Debug Mode: false
Plugins:
ai: Ask Gordon - Docker Agent (Docker Inc.)
Version: v0.7.3
Path: C:\Users\user.name\.docker\cli-plugins\docker-ai.exe
buildx: Docker Buildx (Docker Inc.)
Version: v0.20.1-desktop.2
Path: C:\Users\user.name\.docker\cli-plugins\docker-buildx.exe
compose: Docker Compose (Docker Inc.)
Version: v2.32.4-desktop.1
Path: C:\Users\user.name\.docker\cli-plugins\docker-compose.exe
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.38
Path: C:\Users\user.name\.docker\cli-plugins\docker-debug.exe
desktop: Docker Desktop commands (Beta) (Docker Inc.)
Version: v0.1.4
Path: C:\Users\user.name\.docker\cli-plugins\docker-desktop.exe
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: C:\Users\user.name\.docker\cli-plugins\docker-dev.exe
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.27
Path: C:\Users\user.name\.docker\cli-plugins\docker-extension.exe
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.5
Path: C:\Users\user.name\.docker\cli-plugins\docker-feedback.exe
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: C:\Users\user.name\.docker\cli-plugins\docker-init.exe
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: C:\Users\user.name\.docker\cli-plugins\docker-sbom.exe
scout: Docker Scout (Docker Inc.)
Version: v1.16.1
Path: C:\Users\user.name\.docker\cli-plugins\docker-scout.exe
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 73
Server Version: 27.5.1
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 22631 (22621.1.amd64fre.ni_release.220506-1250)
Operating System: Microsoft Windows Version 23H2 (OS Build 22631.4751)
OSType: windows
Architecture: x86_64
CPUs: 16
Total Memory: 31.67GiB
Name: UKSTZLT033
ID: 4498754a-09d1-4fb4-b98c-499ced6c5730
Docker Root Dir: D:\ProgramData\Docker
Debug Mode: false
Labels:
com.docker.desktop.address=npipe://\\.\pipe\docker_cli
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
Diagnostics ID
E9D44797-D10F-4B36-A1E4-9313D94640B3/20250203101941
Additional Info
No response
I have the exact same issue. Windows containers on Windows 11.
From my testing this seems to happen when BitLocker is being used (there is a registry hack to prevent the error, but it also disables security features of BitLocker)
Hi, I tried to reproduce it, upgrading from old version, but everything is working fine on my machine. Can you check ACL, just in case:
Get-Acl C:\ProgramData\Docker | fl *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData
PSChildName : Docker
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
If it's bitlocker, there is nothing we can do on our side.
I experience the exact same issue with Windows 11. I did not see this issue running on Windows 10.
docker version
Client:
Version: 27.5.1
API version: 1.47
Go version: go1.22.11
Git commit: 9f9e405
Built: Wed Jan 22 13:41:44 2025
OS/Arch: windows/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.5.1
API version: 1.47 (minimum version 1.24)
Go version: go1.22.11
Git commit: 4c9b3b0
Built: Wed Jan 22 13:40:41 2025
OS/Arch: windows/amd64
Experimental: false
The issue seems indeed connected to Bitlocker. When Bitlocker is disabled, docker works as expected.
Another workaround is to temporarily disable the registry key FDVDenyWriteAccess.
Hi, I tried to reproduce it, upgrading from old version, but everything is working fine on my machine. Can you check ACL, just in case:
Get-Acl C:\ProgramData\Docker | fl *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData
PSChildName : Docker
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
If it's bitlocker, there is nothing we can do on our side.
This problem does not occur on version 27.4.1 of docker engine, so I suspect that there is a change you made that has surfaced this problem. For the time being we have switched to version 27.4.1 to solve the issue, but obviously that isn't a viable solution for the long term.
I also had this issue after upgrading from 4.37.1 to 4.38.0. @eric-armbruster-snkeos's workaround fixes this for me, but my org's BitLocker policy will cause this to fail again when it refreshes:
Another workaround is to temporarily disable the registry key FDVDenyWriteAccess.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE. Change FDVDenyWriteAccess to 0.
- Restart Docker and it should work as expected.
Not sure what has changed in this version, but it seems the issue has occurred in the past, apparently fixed in version 4.18.
It is concerning however, that it took 6 years for the patch. I hope we can figure out a long term solution faster this time.
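A read-only triage check for the condition discussed above, added here as an example; it is not part of any comment in this thread and not Docker's own tooling. It reports the FDVDenyWriteAccess value under the key named in the workaround and the BitLocker state of the drive holding the Docker root directory, without changing either. It assumes an elevated PowerShell session and the `docker` CLI on PATH; the fallback path `C:\ProgramData\Docker` and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage for the FSCTL_EXTEND_VOLUME
# "The media is write protected" error. Nothing is modified.

# Key and value name as given in the thread. FDVDenyWriteAccess backs the Group Policy
# setting "Deny write access to fixed drives not protected by BitLocker".
$fveKey    = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$valueName = 'FDVDenyWriteAccess'

function Get-FdvDenyWriteAccess {
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $fveKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Get-DockerRootDrive {
    # Ask the daemon for its data root ("Docker Root Dir" in docker info).
    $root = $null
    if (Get-Command docker -ErrorAction SilentlyContinue) {
        $root = docker info --format '{{.DockerRootDir}}' 2>$null | Select-Object -First 1
    }
    # Assumed fallback when the daemon is not reachable.
    if ([string]::IsNullOrWhiteSpace($root)) { $root = 'C:\ProgramData\Docker' }
    return (Split-Path -Path $root -Qualifier)   # for example 'D:'
}

$policy = Get-FdvDenyWriteAccess
$drive  = Get-DockerRootDrive
$volume = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue

[pscustomobject]@{
    FDVDenyWriteAccess = if ($null -eq $policy) { 'not set' } else { $policy }
    DockerRootDrive    = $drive
    ProtectionStatus   = if ($volume) { $volume.ProtectionStatus } else { 'unknown' }
    VolumeStatus       = if ($volume) { $volume.VolumeStatus } else { 'unknown' }
} | Format-List

if ($policy -eq 1) {
    Write-Warning "$valueName is 1: the write-deny policy is enforced on this machine."
} else {
    Write-Output "$valueName is not enforced; the policy is unlikely to be the cause here."
}
```

Running it before and after a policy refresh shows whether a managed policy has put the value back, which is the behaviour described in the comment above.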
If it's bitlocker, there is nothing we can do on our side.
What kind of mentality is this? Of course there is something you must do about this. It's not the first time DD breaks on Windows and it's not the last time either.
Please investigate this issue and fix it.
I've faced this issue on two laptops already - is there any fix coming?
I am also affected by this issue on Windows 10 and had to instruct all members of our development department to roll back to a previous version of Docker Desktop, purge all downloaded images and created containers and disable update checks.
I don't see why BitLocker should affect operation of Docker Desktop, but BitLocker is enabled on all our computers.
Get-Acl C:\ProgramData\Docker | fl *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData
PSChildName : Docker
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Docker
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystem
AccessRule}
Sddl : O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
Same here. Windows 11 23H2, BitLocker enabled
docker: Error response from daemon: FSCTL_EXTEND_VOLUME \\?\Volume{bec8b140-c569-4ce7-b9e4-120f3477b548}: The media is write protected.
The issue appeared with the end of January Windows security patches from what we can see. I got the patches on my machine last week but Windows containers are still working, I have no issue and bitlocker is on.
The issue appeared with the end of January Windows security patches from what we can see. I got the patches on my machine last week but Windows containers are still working, I have no issue and bitlocker is on.
Reverting to a previous version of Docker Desktop will remove the problem, despite the Windows upgrade still remaining.
We are investigating the issue with Microsoft
Reverting to version 27.4.1 of Docker Engine solved the issue for me. 27.5.0 or 27.5.1 does not work with BitLocker on Windows 11.
Downgrading to DD 4.37.1 (178610) has also fixed this for me; Disabling Bitlocker was a no-go with our security team.
The issue is still present in 4.39.0
I also have this issue on W11 with latest Docker Desktop.
I see this issue still happening with Docker Desktop 4.39.0 (184744)
Had the same issue. Couldn't set the registry value mentioned, so I've reinstalled 4.35.1.
This is still an issue with Docker Desktop 4.40.0
We are investigating the issue with Microsoft
How is this possibly Microsoft’s fault when 4.37.0 still works and every version since 4.38.0 doesn't?
@markstz @CamiloTerevinto can you please share a diagnostics id?
I already have - when I raised this issue in https://github.com/docker/for-win/issues/14569#issue-2827091375
Docker Desktop 4.40.0, same error. Uninstalling and installing DD v4.37.1 (with DockerDesktopInstaller.exe install --disable-version-check) solved it for me. The only variable I changed was the installed docker (desktop) version. Disabling BitLocker is not an option (it literally isn't - company policy enforced via InTune).
We are investigating the issue with Microsoft
@ebriney it seems to be a combination of a change in Docker Engine along with updates by Microsoft. The fact that 27.4.1 works fine indicates that it isn't all down to Microsoft.
Can we have an update on what is happening, please?
Tested on Docker Desktop 4.40.0, Windows 11 with BitLocker enabled, unable to reproduce the issue. Windows containers start without errors.
Please enable users to download previous versions of Docker Desktop in such cases. Thank god, I didn't delete the earlier installation file.
Please enable users to download previous versions of Docker Desktop in such cases. Thank god, I didn't delete the earlier installation file.
You can do that here: https://docs.docker.com/desktop/release-notes/
Can repro on Windows 11 x64 24H2 fully patched, Bitlocker enabled, and Docker Desktop v4.41.0.
Enable Windows containers, make a new empty folder. Use this dockerfile:
FROM mcr.microsoft.com/dotnet/framework/sdk:4.8.1 AS build
RUN msbuild /version
Run docker build . in that folder.
Error:
FSCTL_EXTEND_VOLUME \\?\Volume{**removed uuidv4 here**}: The media is write protected.
@nycdotnet can you please share a diagnostics id?