I haven't used it in that scenario.
After you run the bdehdcfg command, you will need to reboot. If it fails to
create the partition, the rest of the encryption steps will fail.
Good point on the partition size.
Haven't thought about the refresh scenarios yet. The BitLocker project I am
currently involved with is replacing {insert terrible encryption product here},
so we are wiping the drive first.
Sent from Windows Mail
From: Stephen Owen <[email protected]>
Sent: Thursday, April 3, 2014 12:58 PM
To: [email protected]
Thanks for the responses guys. Have any of you used ZTI_Bde.wsf? It's included
in the MDT Toolkit and seems to address this very situation.
On Thu, Apr 3, 2014 at 10:45 AM, <[email protected]> wrote:
Unless you are deploying the recovery environment WinRE, you only need a 500 MB
BDE partition. You also should not assign a drive letter to it 😉
Sent from Windows Mail
From: Mike Dzikowski <[email protected]>
Sent: Thursday, April 3, 2014 10:39 AM
To: [email protected]
http://support.microsoft.com/kb/933246
Example scenario 1
The target system has a single partition. To prepare the computer for
BitLocker, you want to split the operating system partition. You want the
following conditions to be true:
* The size of the new partition is 1500 MB.
* The new partition uses X for the drive letter.
* During the operation, confirmation dialog boxes do not appear.
* The system restarts when the operation is completed.
To use these settings, run the following command at a command prompt:
BdeHdCfg.exe -target c: shrink -newdriveletter x: -size 1500 -quiet -restart
Sounds like your scenario.
________________________________
Date: Wed, 2 Apr 2014 16:05:36 -0400
Subject: [mssms] Need to deploy BitLocker to machines in the field without the
needed partitions
From: [email protected]
To: [email protected]
Hi Guys,
We’ve got maybe 2~3k systems here at $Client.Name that were built without the
partitions needed to support BitLocker, and now we need to encrypt them without
refreshing them to correct the partitions.
During my initial googles, I found this article
<http://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx>
which makes mention of the ZTIBde resource in the MDT Toolkit, for precisely
this sort of situation. It seems this tool will use diskpart to shrink the
last 300 MB of the drive, and then handle storing the necessary files for
BitLocker there. Has anyone used this in the wild? I’m always cautious when
adjusting partitions on existing drives with user data.
I've got an existing 'Encrypt' TS that works fine for systems with the needed
partitions. I'd like to be able to use the ZTIBde.wsf script to fix the
partitions on the machines, then encrypt them.
Are there any pitfalls I should know about? Any tips?
Thanks,
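An added example, not code from anyone in this thread: a pre-flight script for a task sequence step that checks whether the system partition already exists and whether C: has room before running the BdeHdCfg shrink discussed above, then refuses to hand off to the encryption steps if the split failed. It assumes the OS volume is C:, a 500 MB partition with no drive letter (the thread's advice when WinRE is not deployed; use 1500 MB if it is), and that the WMI volume-count check is a heuristic for "a new partition appeared".

```powershell
# Added example: pre-flight and post-check around BdeHdCfg in a TS step.
# Assumptions: OS volume is C:, no WinRE on the new partition, reboot is
# handled by a later task sequence step (so no -restart here).
$SizeMB = 500

# A system partition prepared for BitLocker is a system volume with no drive
# letter. On a single-partition box C: is both OS and system volume, so this
# finds nothing and we proceed; if one already exists, there is nothing to split.
$existing = Get-WmiObject Win32_Volume |
    Where-Object { $_.SystemVolume -eq $true -and -not $_.DriveLetter }
if ($existing) {
    Write-Output "System partition already present; skipping BdeHdCfg."
    exit 0
}

# Refuse to shrink a nearly full C:. If the shrink fails, every later
# encryption step in the TS fails with it, so fail early and loudly here.
$os = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
$freeMB = [int]($os.FreeSpace / 1MB)
if ($freeMB -lt ($SizeMB * 2)) {
    Write-Error "Only $freeMB MB free on C:; need at least $($SizeMB * 2) MB before shrinking."
    exit 1
}

$volumesBefore = @(Get-WmiObject Win32_Volume).Count

# Same command as the KB scenario quoted in the thread, minus -newdriveletter
# (no letter on the system partition) and minus -restart (TS controls reboot).
$p = Start-Process -FilePath "$env:SystemRoot\System32\BdeHdCfg.exe" `
        -ArgumentList "-target c: shrink -size $SizeMB -quiet" `
        -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) {
    Write-Error "BdeHdCfg exited with $($p.ExitCode); do not run Enable BitLocker."
    exit $p.ExitCode
}

# Heuristic post-check (assumption): the split should add one volume. A reboot
# is still mandatory before the Enable BitLocker step runs.
$volumesAfter = @(Get-WmiObject Win32_Volume).Count
if ($volumesAfter -le $volumesBefore) {
    Write-Error "No new volume after BdeHdCfg; stopping before encryption."
    exit 1
}
Write-Output "System partition created; reboot required before Enable BitLocker."
exit 0
```

Run it as a "Run PowerShell Script" step followed by a "Restart Computer" step, with the existing Enable BitLocker step after the reboot; a non-zero exit code stops the sequence before any encryption step runs.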