Enabling BitLocker with Configuration Manager (SCCM) Operating System Deployment (OSD)
Alright, so you wanna work with BitLocker when you're deploying your operating system using SCCM. You just need to note a couple of things.
- BitLocker requires at least 2 disk partitions: one unencrypted partition and one or more encrypted partitions.
- The unencrypted partition should have a recommended size of at least 1500 MB.
If you already have an existing task sequence to deploy your operating system image (which I assume you do), you only have to edit a couple of things. First is the Format and Partition Disk task. In my case it is called Partition Disk 0, which is the default if you created it using the task sequence wizard. You can choose to remove all volumes and recreate them, or edit the existing ones. Either way, you should end up with these two partitions configured as follows.
First partition (the unencrypted BitLocker partition):
- Partition name: Can be anything up to your liking. In my case I just named it BDE.
- Partition options: Use specific size, at least 1500 MB or more. I used 1536 MB coz that's just how I like it.
- Make this the boot partition: Checked.
- Formatting options: File system = NTFS. Quick format = checked (coz it's faster).
- Variable: BDEPART or whatever variable name you want.

Second partition (the operating system partition):
- Partition name: Can be anything up to your liking. In my case I just named it OS.
- Partition options: Use a percentage of remaining free space; size (%) = 100. Again, you can change this depending on how many partitions you want to end up with.
- Make this the boot partition: Greyed out.
- Formatting options: File system = NTFS. Quick format = checked (coz it's faster).
- Variable: OSPART or whatever variable name you want. It is important to remember this because you are going to reference it later.
Next is the task that applies the operating system image, and this is exactly where you reference the variable name that you entered just before. You need to change the destination of where the operating system image will be applied to:
- Destination: Logical drive letter stored in a variable.
- Variable name: OSPART <— or whatever variable name you entered for the operating system partition.
I know many of you know there is an Enable BitLocker task sequence step but do not know where it should be placed. Well, logically it should be placed after the operating system image has been applied and set up. In my case, I placed it right after the Setup Windows and ConfigMgr task, which is after my SCCM agent has been installed. There are other options you can choose from, like which drive to encrypt, what key management you want to use and where you want the recovery key created. I'll leave that up to you. Good luck tryin! 🙂
Just to add on, based on a query I received: the system drive size requirement of 1.5 gigabytes (GB) above is for the Vista operating system. In Windows 7 this requirement has been reduced to 100 MB for a default installation.
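To confirm on a deployed machine that the task sequence produced what was intended (an unencrypted system partition of the expected size, and an OS volume that BitLocker is actually protecting with a key protector), here is an added PowerShell check. It is my own example, not code from the original post or from Microsoft. It assumes an elevated PowerShell session on the deployed Windows machine, that the partition referenced by OSPART ended up as C:, and it reads the Win32_DiskPartition and Win32_EncryptableVolume WMI classes. The function name Test-OsdBitLockerState is made up for this example, and the 1500 MB default is the Vista figure from the post; pass 100 for a default Windows 7 install.

```powershell
# Added example, not from the original post: verify partition layout and
# BitLocker state after an SCCM OSD task sequence has finished.
# Assumes an elevated session; Test-OsdBitLockerState is a hypothetical name.
function Test-OsdBitLockerState {
    param(
        # Drive letter the OS image was applied to (the OSPART partition)
        [string]$OsDrive = 'C:',
        # Minimum size of the unencrypted system partition in MB
        # (1500 = the post's Vista figure; a default Windows 7 install uses 100)
        [int]$MinSystemPartitionMB = 1500
    )

    $result = @{ Ok = $true; Findings = @() }

    # 1. The unencrypted system partition is the active (bootable) partition.
    #    On a multi-disk machine the first match is taken.
    $sysPart = Get-WmiObject -Class Win32_DiskPartition |
        Where-Object { $_.BootPartition } | Select-Object -First 1
    if (-not $sysPart) {
        $result.Ok = $false
        $result.Findings += 'No active/boot partition found'
    } else {
        $sizeMB = [math]::Round($sysPart.Size / 1MB)
        if ($sizeMB -lt $MinSystemPartitionMB) {
            $result.Ok = $false
            $result.Findings += "System partition $($sysPart.DeviceID) is $sizeMB MB, below the $MinSystemPartitionMB MB minimum"
        } else {
            $result.Findings += "System partition $($sysPart.DeviceID) is $sizeMB MB"
        }
    }

    # 2. BitLocker state of the OS volume via Win32_EncryptableVolume
    #    (namespace root\CIMV2\Security\MicrosoftVolumeEncryption).
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$OsDrive'"
    if (-not $vol) {
        $result.Ok = $false
        $result.Findings += "No encryptable volume found for $OsDrive (BitLocker service missing?)"
        return $result
    }

    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $protection = $vol.GetProtectionStatus().ProtectionStatus
    if ($protection -ne 1) {
        $result.Ok = $false
        $result.Findings += "$OsDrive protection is not on (status code $protection)"
    }

    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    # 2 = encryption in progress, 3 = decryption in progress, 4/5 = paused
    $conv = $vol.GetConversionStatus()
    $result.Findings += "$OsDrive conversion status $($conv.ConversionStatus), $($conv.EncryptionPercentage)% encrypted"
    if ($conv.ConversionStatus -eq 0) { $result.Ok = $false }

    # 3. Key protectors: the "key management" choice in the Enable BitLocker step.
    #    Type codes: 1 = TPM, 2 = external key, 3 = numerical password (recovery),
    #    4 = TPM+PIN, 5 = TPM+startup key, 6 = TPM+PIN+startup key, 8 = passphrase
    $typeNames = @{ 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN';
                    5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase' }
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if (-not $ids) {
        $result.Ok = $false
        $result.Findings += "$OsDrive has no key protectors"
    } else {
        foreach ($id in $ids) {
            $t = $vol.GetKeyProtectorType($id).KeyProtectorType
            $name = if ($typeNames.ContainsKey([int]$t)) { $typeNames[[int]$t] } else { "type $t" }
            $result.Findings += "$OsDrive key protector: $name"
        }
        # A recovery (numerical password) protector is what the task sequence
        # escrows as the recovery key; flag its absence.
        $hasRecovery = $ids | Where-Object { $vol.GetKeyProtectorType($_).KeyProtectorType -eq 3 }
        if (-not $hasRecovery) { $result.Findings += "$OsDrive has no numerical password (recovery) protector" }
    }

    return $result
}

# Usage: run after the task sequence completes, then review the findings.
$check = Test-OsdBitLockerState -OsDrive 'C:' -MinSystemPartitionMB 1500
$check.Findings | ForEach-Object { Write-Output $_ }
Write-Output ("Overall: " + $(if ($check.Ok) { 'OK' } else { 'PROBLEMS FOUND' }))
```

The Win32_EncryptableVolume class only lists volumes that have a drive letter, so the unencrypted BDE partition (which normally has none once Windows is running) is judged by its size and active flag alone; if protection reports off or the conversion status is 0, the Enable BitLocker step either did not run or was placed before the OS was set up.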