Reinstall with Bitlocker
Hi! I am about to implement the "Enable Bitlocker"-step in Task Sequence but i have some questions about reinstall a computer that has bitlocker! Do i have to disable bitlocker before i reinstall a computer or will it automatically be removed when i format the drive and then enabled again with a new key in AD? Thanks for the help
October 10th, 2012 6:21am
Disable BitLocker keeps the encryption in place but leaves the key protectors visible. Basically that means that when re-enable BitLocker it doesn't have to encrypt the whole HDD as it's already encrypted but the contents can be accessed as if it was not encrypted. More info can be found here: http://technet.microsoft.com/en-us/library/bb680745.aspx Because of the restrictions this action has (can only be run in full OS) it's of no use if you are starting your TS from PXE. Even if you start your TS from Windows, it's only of any use if you don't run the action Format and Partition Disk as that will completely get rid of your encryption and require you to fully encrypt the HDD again at the end. Instead, if running your TS from Windows and you want to keep the encryption you run the Disable BitLocker action, boot into WinPE and disable the Format and Partition Disk action. Your Apply Operating System will automatically wipe the contents of the system partition but leave the encryption in place and as such doesn't have to encrypt everything again. In short, if you're happy with how your partitions look at the moment and want to keep them that way and you are thinking of starting the TS from Windows, then Disable BitLocker will save you a lot of time. If you need to start your TS from PXE or need to modify the partition table then there's no benefit to disabling BitLocker as you need to get rid of the encryption anyway.
October 10th, 2012 6:50am
Thanks cogumel0!! Because i always PXE boot here i guess i will have to encrypt the disk every time i install a new computer. Another question: What if i store the Bitlocker Recovery Key in AD and reinstall the computer. Will the Key be reused or replaced with another key? Such a great and informative answer! Thanks again!!!
October 10th, 2012 7:14am
No, the key will not be reused if you format the drive and start over. Actually, there is a benefit to not wiping out a Bitlocker encrypted disk: time. It takes a long time encrypt a disk. With Bitlocker in Windows 7/WinPE 3.x, it encrypts the entire drive including free space which typically takes a long time. I can't say I have tested it, so I don't know if there are any issues with trying to reuse a Bitlocker protected drive, but I would think it should work fine.Jason | http://blog.configmgrftw.com
October 10th, 2012 9:18am
I tested Bitlocker with ConfigMgr 2012. I noticed, if im trying to reinstall a Bitlocker-encrypted PC through PXE-Boot, it fails at the step "Partition and Format". If you use the step twice, its works. You have to activate the "Continue on Error" option in the First "Partition and Format" Step. Harddrive will partitioned and formated at the second "Partition and Format" Step. I wonder what happens if i dont use "partition and format" in a TS for a PC that got already a OS through ConfigMgr?
November 14th, 2012 3:15am