Deploy Script to create System Partition?

Hello,

My company has decided to encrypt all laptop hard drives using BitLocker. I have configured MBAM and SCCM integration but realized while testing that the MBAM clients won't install because all laptops are missing a System Partition. So far I can manually create the system partition so the client installs, but I need to find a way to create the system partition on all laptops. Is this possible, or is the only way to automate the partition creation during OSD? Hopefully this can be automated using a GPO or SCCM.

Thanks

August 24th, 2015 10:56am

Hi,
There is a built-in command in Windows 7 and later called BDEHDCFG.exe that creates a BitLocker partition on a computer with a running operating system.

Try the following command line: BdeHdCfg -target default -quiet

It can be distributed using Configuration Manager as a package without source files.

More information: https://technet.microsoft.com/en-us/library/ee732026%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Regards,
J

August 24th, 2015 11:02am

If you only need to create a partition for BitLocker, look at Jorgen's post.

So if I get your question right, you already made the configuration change to the OSD task sequence to create and configure all the partitions you want.

You need a script to change the disk for all the active laptops in the field? If so, SCCM doesn't have any feature for this built in; you will need to use scripts and deploy them. The tricky part with this is that you can severely break the remote computer if not careful.

If you are using Windows 8+ you can use the storage commands: https://technet.microsoft.com/en-us/library/hh848705(v=wps.630).aspx

If you are using Windows you could use DISKPART. With diskpart, if you know all the computers are the same, you could make a txt file with all the commands and just paste it into diskpart. But like I said, this is risky and would require testing.

You could also look into third-party software; some might have a command line.

August 24th, 2015 11:07am

This is the last script I tried that failed when deployed from SCCM, when I run it manually it works.

"%windir%\system32\bdeHdCFG.exe" -target default -size 350 -quiet

Before this script I tried putting the command directly in the Run field for the package but it failed as well. 

August 24th, 2015 11:37am

I need to change it on all active laptops in the field yes. This needs to be done on mostly W7 laptops with around 10% of laptops using W8.1

I have not tried Diskpart yet. That might be worth looking into if I can't get the built-in BitLocker commands to work.

Totally agree with you on the risk, at a previous job we were told to remotely update a 3rd party encryption software on laptops over a VPN. The HD failure rate during testing was so high I had to refuse to deploy the package and come up with a solution to have remote techs perform the upgrade. 

August 24th, 2015 11:42am

An article by someone using a package to deploy what you are trying to do.

https://social.technet.microsoft.com/Forums/systemcenter/en-US/5b82f666-ad40-4620-a05c-5e0c4f82a4c7/need-to-run-bdehdcfgexe-on-all-my-machines-in-prep-for-bitlocker?forum=configmgrswdist

August 24th, 2015 11:49am


Hi,

Also note that the command will fail if you don't have the power connected to your laptop; you cannot run the command when running on battery.

Regards,
Jörgen

August 25th, 2015 5:53am

I tried the following script and it fails on 32 or 64 workstations.

"%windir%\sysnative\bdeHdCfg.exe" -target default -size 350 -quiet

The error reads "Cannot find the path specified"

August 25th, 2015 2:44pm

I tried the following script and it fails on 32 or 64 workstations.

"%windir%\sysnative\bdeHdCfg.exe" -target default -size 350 -quiet

The error reads "Cannot find the path specified"

sysnative should redirect you to the proper system32 or syswow64 folder. But if you get the error it means you aren't getting the redirection.
August 25th, 2015 2:54pm


I was able to get the script working by using the following. Apparently you don't need to open the program in a specific folder.

@echo off

bdeHdCfg.exe -target default -size 350 -quiet

REM Return exit code to SCCM (ERRORLEVEL holds the exit code of bdeHdCfg.exe)
exit /B %ERRORLEVEL%

August 27th, 2015 10:05am
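
A wrapper covering the three failure points raised in this thread (path redirection, battery power, and returning the exit code to SCCM), added here as an example and not code from any poster. It is written in PowerShell rather than batch; the log path and the exit codes 2 and 3 are assumptions, while the BdeHdCfg arguments are the ones used above.

```powershell
# Added example, not from the thread. Log path and exit codes 2/3 are assumptions.
$log = Join-Path $env:windir 'Temp\BdeHdCfg-prep.log'

function Write-Log([string]$Message) {
    ('{0}  {1}' -f (Get-Date -Format s), $Message) |
        Out-File -FilePath $log -Append -Encoding ASCII
}

# Sysnative exists only for a 32-bit process on 64-bit Windows, where it maps to
# the real System32. Everywhere else System32 is already the native directory.
$exe = @("$env:windir\Sysnative\BdeHdCfg.exe", "$env:windir\System32\BdeHdCfg.exe") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $exe) {
    Write-Log 'BdeHdCfg.exe not found under Sysnative or System32'
    exit 2
}

# The thread notes the command fails on battery, so stop early with a
# distinct code instead of letting the tool fail with a generic one.
Add-Type -AssemblyName System.Windows.Forms
$line = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus
if ($line -eq [System.Windows.Forms.PowerLineStatus]::Offline) {
    Write-Log 'On battery power, not attempting to repartition'
    exit 3
}

Write-Log "Running $exe -target default -size 350 -quiet (power: $line)"
$output = & $exe -target default -size 350 -quiet
$code = $LASTEXITCODE
$output | ForEach-Object { Write-Log $_ }
Write-Log "BdeHdCfg exit code: $code"

# Hand the tool's own exit code back to the caller (SCCM).
exit $code
```

Run it with powershell.exe -ExecutionPolicy Bypass -File followed by the script path, so that the script's exit code becomes the process exit code.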
