When running a Configuration Manager 2007 Task Sequence that has the "Enable BitLocker" task in it, the task fails to run and BitLocker is not enabled on the PC. Examining the SMSTS.log reveals the following error message:
Start executing the command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD TSManager !--------------------------------------------------------------------------------------------! TSManager Expand a string: FullOS TSManager Executing command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD TSManager ==============================[ OSDBitLocker.exe ]============================== OSDBitLocker Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker Initialized COM OSDBitLocker Command line for extension .exe is "%1" %* OSDBitLocker Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker Target volume not specified, using current OS volume OSDBitLocker Current OS volume is 'C:' OSDBitLocker FALSE, HRESULT=80004005 (e:\nts_sms_fre\sms\framework\tscore\encryptablevolume.cpp,364) OSDBitLocker Unable to find instance of 'Win32_EncryptableVolume' where 'DriveLetter' = 'C:'. Ensure that BitLocker Drive Protection is available for this device. OSDBitLocker m_pEncryptableVolume->Initialize( pszVolume ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,222) OSDBitLocker pBitLocker->Initialize( argInfo.sTarget ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,637) OSDBitLocker Process completed with exit code 2147500037 TSManager !--------------------------------------------------------------------------------------------! TSManager Failed to run the action: Enable BitLocker. Unspecified error (Error: 80004005; Source: Windows) TSManager Examining the PC reveals that the Trusted Platform Module (TPM) chip on the PC has been activated and initialized in the BIOS.
This error can happen if the drive where the Windows OS is being installed on has not been partitioned correctly for use with BitLocker. In order for a PC to be able to boot, the boot manager and boot files cannot be encrypted. For this reason, when BitLocker is being used, these files need to reside on a partition that is not encrypted by BitLocker, therefore two partitions need to be created. The first partition, which is usually 100MB - 300MB in size, is not encrypted, and is used as the boot partition that contains the boot manager and boot files. The second partition is encrypted, takes up the remaining disk space on the drive, and contains the Windows OS on it. The order of the partitions does not matter.
When manually installing Windows 7 or Windows Server 2008 R2 from the original installation source, such as DVD media, Windows Setup will automatically partition the drive into two partitions:
1. The first partition will be 100MB in size, is formatted NTFS, will be labeled "System Reserved", and a drive letter will NOT be assigned to it. Not assigning a drive letter to this partition effectively makes the partition hidden, although assigning a drive letter to it, either via Disk Management or DiskPart.exe, causes it to no longer be hidden. This partition will also be the boot partition and will contain the boot manager and boot files.
2. The second partition will take up the remaining disk space on the drive, will be formatted NTFS, will not contain any label, and will be assigned the drive letter C:. This partition is where the Windows OS is installed on to.
One of the reasons the manual installations of Windows 7 and Windows Server 2008 R2 from original installation source files automatically creates two partitions is in preparation for BitLocker use. Creating the two partitions during Windows installation makes enabling BitLocker much easier in the future.
Manual installations of Windows Vista and Windows Server 2008 from original installation source files did not automatically create the required partitions needed by BitLocker. This made enabling BitLocker in Windows Vista or Windows Server 2008 much harder once BitLocker was desired.
When deploying any version of Windows that supports BitLocker, including Windows 7 and Windows Server 2008 R2, via a ConfigMgr 2007 OSD Task Sequence, the Task Sequence will NOT automatically create the required partitions for BitLocker, whether deploying from an Operating System Install Package (original installation source files) or an Operating System Image. If the required partitions are not set up appropriately during the Task Sequence, when the "Enable BitLocker" task is attempted to be used, then the error will occur.
To resolve the problem, the drive needs to be partitioned correctly to support BitLocker. This can be done in one of two ways:
1. Erase the existing single partition on the drive and repartition the drive with two partitions. After repartitioning, format the partitions NTFS. The drawback to this method is that all data on the drive is lost during the repartitioning and format of the drive. This is a problem if USMT with local capture or hardlinking is being used. This method can be accomplished in a ConfigMgr 2007 Task Sequence by using the "Format and Partition Disk" task.
2. Shrink the existing single partition on the drive, and then using the newly freed space, create a new second partition. The newly created partition will actually be the second partition on the drive and not the first. As mentioned, partition order is not relevant when using BitLocker. This method does not erase any of the data on the drive and is desirable when using USMT with local capture or hardlinking. The drawback to this method is that it may take longer to set up, and can be problematic if the drive is low on disk space or highly fragmented. This method can be accomplished in a ConfigMgr 2007 Task Sequence by using the ZTIBde.wsf script from MDT integration
Method 1 is recommended in the following scenarios:
Method 2 must be used in the following scenarios:
Method 2 can actually be used in ANY of the above scenarios and may be desirable in a Task Sequence that handles multiple scenarios. Method 1 CANNOT be used in any of the scenarios listed under Method 2 as doing so would erase the data captured locally by USMT.
To implement the scenarios, follow the below instructions:
To use the "Format and Partition Disk" task in a ConfigMgr 2007 Task Sequence to automatically create the required BitLocker partition:
Notes on Method 1:
To use the ZTIBde.wsf script in a ConfigMgr 2007 Task Sequence to automatically create the required BitLocker partition:
Click on the "OK" or "Apply" button to save the Task Sequence.
The ZTIBde.wsf script leaves the newly created 300MB partition visible and assigned with the drive letter S:. If the partition is desired to be hidden, the drive letter needs to unassigned from the partition. To unassigned the drive letter and "hide" the partition via the ConfigMgr 2007 Task Sequence:
Notes on Method 2:
Manage-bde –status <Drive_Letter>
where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:
Manage-bde –status c:
Hope this helps,
Frank Rojas | System Center Support Escalation Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode
What about using BdeHdCfg.exe in your task sequence?
If following the above instructions, BdeHdCfg.exe iss not necessary.
Thank you very much. This is very useful information. My task sequence is now working correctly after folowing your steps!
Great article. Thanks for sharing
What addition information/logs should be seen if the task sequence still fails?
Thanks! Works with SCCM 2012 as well. I now just have a C: drive and the hidden partition.
I am trying to go from xpx86 to 7x64 and during the ZTIbde.wsf I am getting an error saying that it cannot find the "BCDBOOT.exe" in any of the normal locations, and im not finding anything good search for a solution. any suggestions?