OSD Bitlocker partition, unable to remove drive letter.


With ConfigMgr 2007/2012 I used the bdehdcfg tool to partition the drive after the OS installation was done. This creates the bitlocker partition at the end of the drive, marked as system and boot, without a drive letter.

With ConfigMgr 2012 R2 there is a new option "pre-provision BitLocker" before Windows is installed and "Enable BitLocker" at the end. The benefit of this option is basically zero encryption time, compared to the old method I was using which would take about an hour on a good sized SSD.

This new method creates a 350mb system reserved partition at the start of the drive, marks as system and boot AND assigns a drive letter. In the task sequence the "Partition Disk 0 - BIOS" task is set to "do not assign a drive letter to this partition". It seems that checking/unchecking this box does not have any effect whatsoever.

I've tried with various scripts to remove this default partition but unfortunately no success. The scripts work when run from an administrative command prompt on the desktop, however when running during a task sequence I get an access denied error (4005)

Does anyone have a suggestion on how to remove the drive letter from this default partition and/or how to get the task sequence to actually abide by the checkbox at the partition stage?


January 15th, 2014 1:47pm


What is the drive letter it is assigned as? D:\?

I have seen someone else who also encountered the same issue. We need the debugging mode of SMSTS.log for further investigation.

Otherwise, here is a workaround you may try. Create a Run Command Line task at the end of TS=>run Diskpart command to remove the drive letter. Note: Run the command under administrative context.

January 22nd, 2014 2:33pm

Hi Juke,

That is more or less the workaround I was using. We have laptops with a DVD drive, laptops with 2 disks, so the drive letter isn't necessarily D:, it can be E: or F:.

I used a PowerShell script to get the correct drive letter, create a diskpart script and execute that. It's a tad bit sloppy, but it works and users never get to see it anyway.

Powershell part:

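# Find the System Reserved volume and read whichever letter it was given (D:, E:, F:, ...)
$Drive = Get-WmiObject Win32_Volume -Filter "Label = 'System Reserved'"
$DriveLetter = $Drive.DriveLetter
# Write a two-line diskpart script; Set-Content overwrites any file left by an earlier run
Set-Content $env:temp\diskpartscript.txt "select vol $DriveLetter"
Add-Content $env:temp\diskpartscript.txt "remove letter=$DriveLetter"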

Command line part:
POWERSHELL .\Remove-BDEDriveLetter.ps1
DISKPART /s %TEMP%\diskpartscript.txt

I'll take a look at the debugging log and see if that gets me anywhere!


January 23rd, 2014 6:53am

Tomorrow I am going to try this VBS script since I have the same issues:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Find the System Reserved volume
Set colItems = objWMIService.ExecQuery("Select * from Win32_Volume where Label = 'System Reserved'")
For Each objItem in colItems
    ' Only clear the letter if one is currently assigned
    If IsNull(objItem.DriveLetter) = False Then
        objItem.DriveLetter = Null
        objItem.Put_
    End If
Next

Will let you know if it is working.
April 16th, 2015 4:55pm

It was a timing issue. After implementing 2 vbs scripts in my task sequence which verify if the previous action (preprovisioning / enable bitlocker) were finished, and then continue.

This did it and it is working now.

  • Proposed as answer by pollewops 17 hours 45 minutes ago
May 19th, 2015 10:06am
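
One way to combine the timing check from the last reply with the letter removal, as an added example that is not code from any poster in this thread. It assumes the step runs elevated in the full OS, that the OS volume is $env:SystemDrive, that "finished" can be read from the BitLocker conversion status, and that a one-hour ceiling (120 tries, 30 seconds apart) is acceptable.

```powershell
# Added example, not from the thread. Run as a task sequence step in the full OS.
# Assumptions: OS volume is $env:SystemDrive; the timeout values are arbitrary.
$MaxTries = 120      # assumption: 120 x 30 s = 1 hour ceiling
$SleepSec = 30

# 1. Wait until BitLocker is no longer converting the OS volume.
$bde = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
         -Class Win32_EncryptableVolume -Filter "DriveLetter='$($env:SystemDrive)'" `
         -ErrorAction SilentlyContinue
if ($bde) {
    for ($i = 0; $i -lt $MaxTries; $i++) {
        $status = $bde.GetConversionStatus()
        # ConversionStatus: 1 = fully encrypted, 2 = encryption in progress
        if ($status.ConversionStatus -ne 2) { break }
        Write-Output "Encryption at $($status.EncryptionPercentage)%, waiting..."
        Start-Sleep -Seconds $SleepSec
    }
    if ($status.ConversionStatus -eq 2) {
        Write-Output 'Timed out waiting for BitLocker; drive letter left in place.'
        exit 1
    }
}

# 2. Remove the letter from the System Reserved volume, and only from that volume.
$vols = @(Get-WmiObject Win32_Volume -Filter "Label='System Reserved'")
if ($vols.Count -ne 1) {
    # Zero or several matches: do not guess which volume to touch.
    Write-Output "Expected one 'System Reserved' volume, found $($vols.Count); nothing changed."
    exit 1
}
$vol = $vols[0]
if ($vol.DriveLetter -eq $env:SystemDrive) {
    Write-Output 'Label matches the OS volume; refusing to remove its letter.'
    exit 1
}
if ($vol.DriveLetter) {
    $old = $vol.DriveLetter
    $vol.DriveLetter = $null      # same change the VBS script makes via Put_
    $null = $vol.Put()
    Write-Output "Removed drive letter $old from System Reserved."
} else {
    Write-Output 'System Reserved has no drive letter; nothing to do.'
}
exit 0
```

The non-zero exit codes let the task sequence step fail visibly instead of leaving the letter assigned without anyone noticing.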

This topic is archived. No further replies will be accepted.
