Hi guys,

So I've tested this in my lab and on a single user's machine. I've created some logic in my TS to run a WMI that only runs if "select * from Win32_DiskPartition where Name = 'Disk 0, Partition #1'" is NOT True. This means that any disk with two partitions on the C:\ would skip this step.

If not present, then first run DiskPart to give a listing of the partitions, then run ZTIBDE, then run DiskPart again to list finishing partitions, then restart. This has worked flawlessly thus far. I'd recommend this as a much easier alternative to using BDEHDCFG, as it takes care of running defrag for you. It took quite a while though, about 20 minutes.

On Thu, Apr 3, 2014 at 1:36 PM, <[email protected]> wrote:

> I haven't used it in that scenario.
>
> After you run the bdehdcfg command, you will need to reboot. If it fails
> to create the partition, the rest of the encryption steps will fail.
>
> Good point on the partition size.
>
> Haven't thought about the refresh scenarios yet. The BitLocker project
> I am currently involved with is replacing {insert terrible encryption
> product here} so we are wiping the drive first.
>
> Sent from Windows Mail
>
> *From:* Stephen Owen <[email protected]>
> *Sent:* Thursday, April 3, 2014 12:58 PM
> *To:* [email protected]
>
> Thanks for the responses guys. Have any of you used ZTI_Bde.wsf? It's
> included in the MDT Toolkit and seems to address this very situation.
>
> On Thu, Apr 3, 2014 at 10:45 AM, <[email protected]> wrote:
>
>> Unless you are deploying the recovery environment WinRE, you only need
>> a 500 MB BDE partition. You also should not assign a drive letter to it 😉
>>
>> Sent from Windows Mail
>>
>> *From:* Mike Dzikowski <[email protected]>
>> *Sent:* Thursday, April 3, 2014 10:39 AM
>> *To:* [email protected]
>>
>> http://support.microsoft.com/kb/933246
>>
>> *Example scenario 1*
>> The target system has a single partition. To prepare the computer for
>> BitLocker, you want to split the operating system partition. You want the
>> following conditions to be true:
>>
>> - The size of the new partition is 1500 MB.
>> - The new partition uses X for the drive letter.
>> - During the operation, confirmation dialog boxes do not appear.
>> - The system restarts when the operation is completed.
>>
>> To use these settings, run the following command at a command prompt:
>>
>> BdeHdCfg.exe -target c: shrink -newdriveletter x: -size 1500 -quiet -restart
>>
>> Sounds like your scenario.
>>
>> ------------------------------
>> Date: Wed, 2 Apr 2014 16:05:36 -0400
>> Subject: [mssms] Need to deploy BitLocker to machines in the field
>> without the needed partitions
>> From: [email protected]
>> To: [email protected]
>>
>> Hi Guys,
>>
>> We’ve got maybe 2~3k systems here at $Client.Name that were built
>> without the partitions needed to support BitLocker, and now we need to
>> encrypt them without refreshing them to correct the partitions.
>>
>> During my initial googles, I found this article
>> <http://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx>
>> which makes mention of the ZTIBde resource in the MDT Toolkit, for
>> precisely this sort of situation. It seems this tool will use diskpart to
>> shrink the last 300 MB of the drive, and then handle storing the necessary
>> files for BitLocker there. Has anyone used this in the wild? I’m always
>> cautious when adjusting partitions on existing drives with user data.
>>
>> I've got an existing 'Encrypt' TS that works fine for systems with the
>> needed partitions. I'd like to be able to use the ZTIBde.wsf script to fix
>> the partitions on the machines, then encrypt them.
>>
>> Are there any pitfalls I should know about? Any tips?
>>
>> Thanks,
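
The gate described at the top of the thread (only prepare the disk when disk 0 has no second partition), sketched in PowerShell as an added example that is not part of the original messages. The function name `Get-BdePrepDecision`, the free-space check, and the sample objects are assumptions made for illustration; the 500 MB default is the size quoted in the thread, and the check uses the numeric `DiskIndex` and `Index` properties of `Win32_DiskPartition` instead of matching the `Name` string.

```powershell
# Added example (not from the thread): decide whether the partition-prep step
# (ZTIBde / BdeHdCfg) should run before the existing 'Encrypt' task sequence.
function Get-BdePrepDecision {
    param(
        # Objects shaped like Win32_DiskPartition (DiskIndex, Index, Size)
        [Parameter(Mandatory)] [object[]] $Partitions,
        # Free bytes on C:, e.g. Win32_LogicalDisk.FreeSpace
        [uint64] $FreeBytesOnC = 0,
        # Assumption: require at least the new partition's size to be free
        [uint64] $RequiredBytes = 500MB
    )

    $disk0 = @($Partitions | Where-Object { $_.DiskIndex -eq 0 })
    if ($disk0.Count -eq 0) {
        return 'Abort: no partitions reported for disk 0'
    }

    # Same intent as the task sequence condition: a second partition on disk 0
    # means the machine was already built with the layout BitLocker needs.
    $extra = @($disk0 | Where-Object { $_.Index -ge 1 })
    if ($extra.Count -gt 0) {
        return 'Skip: disk 0 already has a second partition'
    }

    # Shrinking a volume that holds user data cannot succeed without free space,
    # and a failed shrink makes the later encryption steps fail too.
    if ($FreeBytesOnC -lt $RequiredBytes) {
        return 'Abort: not enough free space on C: to shrink'
    }

    'Run: single partition on disk 0, prepare it before encrypting'
}

# Constructed sample input, so the logic can be checked offline
$single = @([pscustomobject]@{ DiskIndex = 0; Index = 0; Size = 250GB })
$split  = @(
    [pscustomobject]@{ DiskIndex = 0; Index = 0; Size = 500MB },
    [pscustomobject]@{ DiskIndex = 0; Index = 1; Size = 249GB }
)

Get-BdePrepDecision -Partitions $single -FreeBytesOnC 40GB    # Run
Get-BdePrepDecision -Partitions $split  -FreeBytesOnC 40GB    # Skip
Get-BdePrepDecision -Partitions $single -FreeBytesOnC 100MB   # Abort

# On a live machine, feed it real data:
# $parts = Get-CimInstance -ClassName Win32_DiskPartition
# $free  = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace
# Get-BdePrepDecision -Partitions $parts -FreeBytesOnC $free
```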

