From 9d0b60e3d7a4c951ec33a4e0923cd8e1d05acd5b Mon Sep 17 00:00:00 2001
From: Matthew Endsley
Date: Tue, 9 Dec 2025 07:53:56 -0800
Subject: [PATCH] Bypass default encryption policy when expanding sandbox vhdx

This fixes the following error when running on machines with a policy to enforce bitlocker encryption on fixed drives
```
failed to create scratch layer: failed to expand sandbox vhdx size to #### bytes: FSCTL_EXTEND_VOLUME \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: The media is write protected.
```
Fixed: #2464
Signed-off-by: Matthew Endsley
---
 internal/wclayer/expandscratchsize.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/wclayer/expandscratchsize.go b/internal/wclayer/expandscratchsize.go
index 35fcbedb3c..7a1951f241 100644
--- a/internal/wclayer/expandscratchsize.go
+++ b/internal/wclayer/expandscratchsize.go
@@ -9,6 +9,7 @@ import (
 "syscall"
 "unsafe"

+ "github.com/Microsoft/go-winio/vhd"
 "github.com/Microsoft/hcsshim/internal/hcserror"
 "github.com/Microsoft/hcsshim/internal/oc"
 "go.opencensus.io/trace"
@@ -75,7 +76,7 @@ func attachVhd(path string) (syscall.Handle, error) {
 if err != nil {
 return 0, &os.PathError{Op: "OpenVirtualDisk", Path: path, Err: err}
 }
- err = attachVirtualDisk(handle, 0, 0, 0, 0, 0)
+ err = vhd.AttachVirtualDisk(handle, vhd.AttachVirtualDiskFlagBypassDefaultEncryptionPolicy, nil)
 if err != nil {
 syscall.Close(handle)
 return 0, &os.PathError{Op: "AttachVirtualDisk", Path: path, Err: err}
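Review bot: The `vhd.AttachVirtualDisk` call in `attachVhd` now opts out of a host encryption policy on every attach, but the reason is recorded only in the commit message, so the next reader sees an unexplained security-relevant flag. I would put a why-comment directly above the call, for example `// Bypass the default BitLocker policy for fixed drives: with it enforced the attached scratch volume is write-protected and FSCTL_EXTEND_VOLUME fails (#2464).` The comment should also state the assumption that makes the bypass acceptable, presumably that the disk is attached here only to extend the volume; the rest of `attachVhd` and its callers are outside the hunk, so confirm this. If the package-local `attachVirtualDisk` wrapper has no other callers after this change, it can be removed in the same commit.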