When running a Configuration Manager 2007 Task Sequence that has the "Enable BitLocker" task in it, the task fails to run and BitLocker is not enabled on the PC. Examining the SMSTS.log reveals the following error message:
Start executing the command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD TSManager
!--------------------------------------------------------------------------------------------! TSManager
Expand a string: FullOS TSManager
Executing command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD TSManager
==============================[ OSDBitLocker.exe ]============================== OSDBitLocker
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker
Initialized COM OSDBitLocker
Command line for extension .exe is "%1" %* OSDBitLocker
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker
Target volume not specified, using current OS volume OSDBitLocker
Current OS volume is 'C:' OSDBitLocker
FALSE, HRESULT=80004005 (e:\nts_sms_fre\sms\framework\tscore\encryptablevolume.cpp,364) OSDBitLocker
Unable to find instance of 'Win32_EncryptableVolume' where 'DriveLetter' = 'C:'. Ensure that BitLocker Drive Protection is available for this device. OSDBitLocker
m_pEncryptableVolume->Initialize( pszVolume ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,222) OSDBitLocker
pBitLocker->Initialize( argInfo.sTarget ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,637) OSDBitLocker
Process completed with exit code 2147500037 TSManager
!--------------------------------------------------------------------------------------------! TSManager
Failed to run the action: Enable BitLocker.
Unspecified error (Error: 80004005; Source: Windows) TSManager
Examining the PC reveals that the Trusted Platform Module (TPM) chip on the PC has been activated and initialized in the BIOS.
Cause
This error can happen if the drive on which the Windows OS is being installed has not been partitioned correctly for use with BitLocker. For a PC to be able to boot, the boot manager and boot files cannot be encrypted. When BitLocker is used, these files therefore need to reside on a partition that BitLocker does not encrypt, so two partitions are required. The first partition, usually 100MB - 300MB in size, is not encrypted and serves as the boot partition that contains the boot manager and boot files. The second partition is encrypted, takes up the remaining disk space on the drive, and contains the Windows OS. The order of the partitions does not matter.
When manually installing Windows 7 or Windows Server 2008 R2 from the original installation source, such as DVD media, Windows Setup will automatically partition the drive into two partitions:
1. The first partition is 100MB in size, formatted NTFS, labeled "System Reserved", and NOT assigned a drive letter. Not assigning a drive letter to this partition effectively makes the partition hidden; assigning a drive letter to it, either via Disk Management or DiskPart.exe, causes it to no longer be hidden. This partition is also the boot partition and contains the boot manager and boot files.
2. The second partition takes up the remaining disk space on the drive, is formatted NTFS, has no label, and is assigned the drive letter C:. This partition is where the Windows OS is installed.
One of the reasons the manual installations of Windows 7 and Windows Server 2008 R2 from original installation source files automatically creates two partitions is in preparation for BitLocker use. Creating the two partitions during Windows installation makes enabling BitLocker much easier in the future.
Manual installations of Windows Vista and Windows Server 2008 from original installation source files did not automatically create the required partitions needed by BitLocker. This made enabling BitLocker in Windows Vista or Windows Server 2008 much harder once BitLocker was desired.
When deploying any version of Windows that supports BitLocker, including Windows 7 and Windows Server 2008 R2, via a ConfigMgr 2007 OSD Task Sequence, the Task Sequence will NOT automatically create the required partitions for BitLocker, whether deploying from an Operating System Install Package (original installation source files) or an Operating System Image. If the required partitions are not set up appropriately during the Task Sequence, the error occurs when the "Enable BitLocker" task runs.
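As an added example (not code from the original post or from ConfigMgr/MDT), the following PowerShell pre-flight check can run as a "Run Command Line" step before "Enable BitLocker": it performs the same Win32_EncryptableVolume lookup that OSDBitLocker.exe does for the OS drive, verifies that a separate active boot partition exists on the same disk, and confirms the TPM is enabled and activated. It assumes Windows 7 / Windows Server 2008 R2 with PowerShell 2.0 or later, an elevated full-OS context, and the $OsDrive parameter is a hypothetical name chosen here.

```powershell
# Added example, not from the original post: checks the conditions the article
# describes before the "Enable BitLocker" step runs, so a bad layout fails with a
# clear message instead of the 80004005 error seen in SMSTS.log.
# Assumptions: elevated, full OS (after "Setup Windows and ConfigMgr"), PowerShell 2.0+.
param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:" (hypothetical parameter name)
$OsDrive  = $OsDrive.TrimEnd('\')
$problems = @()

# 1. Same lookup OSDBitLocker.exe performs: a Win32_EncryptableVolume for the OS drive.
$bdeNs  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$encVol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume `
          -Filter "DriveLetter='$OsDrive'" -ErrorAction SilentlyContinue
if (-not $encVol) {
    $problems += "No Win32_EncryptableVolume instance for $OsDrive (BitLocker cannot manage this volume)."
}

# 2. The OS partition must not be the active (boot) partition; a separate,
#    unencrypted partition holding the boot manager has to exist on the same disk.
$osPart = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$OsDrive'} " +
                                "WHERE AssocClass=Win32_LogicalDiskToPartition")
if (-not $osPart) {
    $problems += "Could not map $OsDrive to a disk partition."
} else {
    $parts   = Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex=$($osPart.DiskIndex)"
    $sysPart = $parts | Where-Object { $_.BootPartition -and $_.DeviceID -ne $osPart.DeviceID } |
               Select-Object -First 1
    if ($osPart.BootPartition -or -not $sysPart) {
        $problems += "No separate active boot partition on disk $($osPart.DiskIndex); " +
                     "the disk still has the single-partition layout described above."
    } else {
        $sizeMB = [math]::Round($sysPart.Size / 1MB)
        if ($sizeMB -lt 100) {
            $problems += "Boot partition is only ${sizeMB}MB; expected at least 100MB."
        } elseif ($sizeMB -lt 300) {
            Write-Warning "Boot partition is ${sizeMB}MB; 300MB leaves room to stage WinRE/WinPE."
        }
        Write-Host "Boot partition: $($sysPart.DeviceID) (${sizeMB}MB), OS partition: $($osPart.DeviceID)"
    }
}

# 3. /mode:TPM also needs a TPM that is enabled and activated in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $problems += "No TPM visible to Windows (Win32_Tpm not found)."
} elseif (-not ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)) {
    $problems += "TPM present but not enabled and activated in the BIOS."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "BITLOCKER PRECHECK FAILED: $_" }
    exit 1    # non-zero exit makes the Run Command Line step fail before "Enable BitLocker" runs
}
Write-Host "BitLocker precheck passed for $OsDrive."
exit 0
```

Run it with powershell.exe -ExecutionPolicy Bypass -File from a "Run Command Line" step placed immediately before "Enable BitLocker"; the step's failure message in SMSTS.log then names the missing prerequisite directly.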
Resolution
To resolve the problem, the drive needs to be partitioned correctly to support BitLocker. This can be done in one of two ways:
1. Erase the existing single partition on the drive and repartition the drive with two partitions. After repartitioning, format the partitions NTFS. The drawback to this method is that all data on the drive is lost during the repartitioning and format of the drive. This is a problem if USMT with local capture or hardlinking is being used. This method can be accomplished in a ConfigMgr 2007 Task Sequence by using the "Format and Partition Disk" task.
2. Shrink the existing single partition on the drive, and then, using the newly freed space, create a new second partition. The newly created partition will actually be the second partition on the drive and not the first. As mentioned, partition order is not relevant when using BitLocker. This method does not erase any of the data on the drive and is desirable when using USMT with local capture or hardlinking. The drawback to this method is that it may take longer to set up, and it can be problematic if the drive is low on disk space or highly fragmented. This method can be accomplished in a ConfigMgr 2007 Task Sequence by using the ZTIBde.wsf script from MDT integration.
Method 1 is recommended in the following scenarios:
- Refresh with no USMT
- Refresh with USMT and a State Migration Point (SMP)
- New Computer
- Bare Metal
Method 2 must be used in the following scenarios:
- Refresh with USMT and local capture
- Refresh with USMT and local capture with hardlinking
Method 2 can actually be used in ANY of the above scenarios and may be desirable in a Task Sequence that handles multiple scenarios. Method 1 CANNOT be used in any of the scenarios listed under Method 2 as doing so would erase the data captured locally by USMT.
To implement the scenarios, follow the below instructions:
Method 1
To use the "Format and Partition Disk" task in a ConfigMgr 2007 Task Sequence to automatically create the required BitLocker partition:
- In the ConfigMgr 2007 Admin Console, under the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node, right click on the affected Task Sequence and choose "Edit".
- In the left pane of the Task Sequence select the "Format and Partition Disk", "Partition Disk", or "Partition Disk 0" task.
- Double click on the first item under "Volume" to bring up the "Partition Properties".
- In the "Partition Properties" window:
- Next to the "Partition name:" text box, enter in:
System Reserved
This name can actually be anything desired as long as it abides by Windows naming rules, but it should describe the partition as the boot or BitLocker partition/drive.
- Under "Partition options", make sure that "Partition type:" is set to "Primary".
- Under "Partition options", change the option from "Use a percentage of remaining free space" to "Use specific size". Change the value next to "Use specific size" from 1 MB to 300 MB.
- Under "Partition options", make sure that the option "Make this the boot partition" is selected.
- Under "Formatting options", make sure the "File system:" drop down menu is set to "NTFS".
- Under "Formatting options", make sure the "Quick Format" option is selected.
- Under "Advanced options", in the "Variable:" text box, enter in:
BOOTPART
- Click on the "OK" button.
- Click on the yellow starburst icon to create a second partition.
- In the "Partition Properties" window:
- Next to the "Partition name:" text box, enter in:
OS
This name can actually be anything desired as long as it abides by Windows naming rules, but it should describe the partition as the Windows OS partition/drive.
- Under "Partition options", make sure that "Partition type:" is set to "Primary".
- Under "Partition options", make sure the option is set to "Use a percentage of remaining free space". Make sure the value is set to 100.
- Under "Partition options", the option "Make this the boot partition" should be grayed out and not selected.
- Under "Formatting options", make sure the "File system:" drop down menu is set to "NTFS".
- Under "Formatting options", make sure the "Quick Format" option is selected.
- Under "Advanced options", in the "Variable:" text box, enter in:
OSPART
- Click on the "OK" button.
- Click on the "Apply Operating System" or "Apply Operating System Image" task to select it.
- In the "Apply Operating System" or "Apply Operating System Image" task:
- Under the "Select the location where you want to apply this operating system." option, in the "Destination:" drop-down menu, select "Logical drive letter stored in a variable".
- Under the "Select the location where you want to apply this operating system." option, in the "Variable name:" field, enter in:
OSPART
- Click on the "OK" or "Apply" button to save the changes to the Task Sequence.
Notes on Method 1:
- If the "Format and Partition Disk" task does not exist in the Task Sequence, it needs to be inserted as the first task into the Task Sequence, or if the "Restart in Windows PE" task exists in the Task Sequence, between the "Restart in Windows PE" and the "Apply Operating System" task. The "Format and Partition Disk" task can be added by clicking in the appropriate place in the Task Sequence to add the task, and then selecting "Add" --> "Disks" --> "Format and Partition Disk". Once the task is created, click on the yellow starburst button next to "Volumes: " to create the first partition and then continue on to Step 4.
- In Step 4, the partition size is purposely set to 300MB and not 100MB. In manual installations of Windows 7 and Windows Server 2008 R2 from original installation source files, the partition is set to 100MB. However, it is beneficial to make this partition larger in scenarios where either WinRE (Windows Recovery Environment) or WinPE (Windows Preinstallation Environment) need to be installed onto this partition. A 100MB partition is too small for either WinRE or WinPE to be installed onto. Increasing the size of this partition should allow either WinRE or WinPE to be staged onto this partition. WinRE and WinPE are staged onto this partition in the following scenarios:
- When enabling BitLocker, BitLocker will move WinRE from the directory %SystemDrive%\Recovery on the larger encrypted partition to a directory on the smaller unencrypted partition. If this was not done, WinRE would not be able to be accessed in scenarios where problems arose on the PC. WinRE is used by Windows to help diagnose and correct problems in Windows installations when Windows cannot boot.
- In future Refresh or reimaging scenarios, WinPE may need to be staged onto the local drive of the PC for a ConfigMgr 2007 Task Sequence to proceed successfully. WinPE needs to be staged on an unencrypted volume for it to successfully boot.
- In Step 8, the Windows OS is applied to the larger partition based on a drive letter stored in a variable. The variable was set earlier during the "Format and Partition Disk" task. The option "Next available formatted partition" cannot be used as this would attempt to install Windows onto the first smaller partition instead of the second larger partition. This would ultimately fail because the first smaller partition does not have enough room to install Windows on to. The error "There is not enough space on the disk. (Error: 80070070; Source: Windows)" would be displayed in the SMSTS.log when this failure occurs.
- The "Setup Windows and ConfigMgr" task will take care of setting up the appropriate boot manager and boot files on the partition that has been marked as bootable. When Method 1 is used, the boot manager and boot files are installed on the 300MB boot partition by the "Setup Windows and ConfigMgr" task. No additional action needs to take place to properly install the boot manager or boot files.
Method 2
To use the ZTIBde.wsf script in a ConfigMgr 2007 Task Sequence to automatically create the required BitLocker partition:
- Make sure that the latest version of MDT has been installed on the site server and integrated into ConfigMgr 2007. Additionally, make sure that the MDT Toolkit Files Package has been created in ConfigMgr 2007 and that it has been placed on Distribution Points that will be available to PCs during the Task Sequence.
- In the ConfigMgr 2007 Admin Console, under the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node, right click on the affected Task Sequence and choose "Edit".
- Click on the task immediately BEFORE the task "Enable BitLocker" task.
- If the "Use Toolkit Package" and "Gather" tasks are already in the Task Sequence between the "Setup Windows and ConfigMgr" and "Enable BitLocker" tasks, then skip to Step 9. If they exist elsewhere in the Task Sequence and not specifically between the "Setup Windows and ConfigMgr" and "Enable BitLocker" tasks, then Steps 5-8 must be followed.
- Click on "Add" --> "MDT" --> "Use Toolkit Package". This should add a "Use Toolkit Package" task immediately before the "Enable BitLocker" task.
- In the "Use Toolkit Package" task, next to "Toolkit package:", click on the "Browse..." button and select the MDT Toolkit Files Package from Step 1.
- Make sure that the "Use Toolkit Package" task is selected, and then go to "Add" --> "MDT" --> "Gather". This should add a "Gather" task immediately after the "Use Toolkit Package" task and before the "Enable BitLocker" task.
- In the "Gather" task, click on the option "Gather only local data (do not process rules)".
- Click on the task immediately BEFORE the "Enable BitLocker" task. If Steps 5-8 were followed, this should be the "Gather" task.
- Click on "Add" --> "General" --> "Run Command Line". This should add a "Run Command Line" task immediately before the "Enable BitLocker" task.
- In the newly created "Run Command Line" task:
- In the "Name:" text box, enter:
Partition Drive For BitLocker
- In the "Command line:" text box, enter:
cscript.exe "%DeployRoot%\Scripts\ZTIBde.wsf" /debug:TRUE
- Click on the "OK" or "Apply" button to save the Task Sequence.
The ZTIBde.wsf script leaves the newly created 300MB partition visible and assigned the drive letter S:. If the partition is to be hidden, the drive letter needs to be unassigned from the partition. To unassign the drive letter and "hide" the partition via the ConfigMgr 2007 Task Sequence:
- In the ConfigMgr 2007 Admin Console, navigate to the "Computer Management" --> "Software Distribution" --> "Packages" node.
- Under the "Packages" node, locate the MDT Toolkit Files Package.
- Right click on the MDT Toolkit Files Package and choose "Properties".
- Click on the "Data Source" tab. Under "Source directory" determine the location of the MDT Toolkit Files Package source files.
- Click on the "OK" button to close the MDT Toolkit Files Package properties window.
- Open Notepad.exe and paste the following lines of text into Notepad:
select volume s:
remove letter=s
- Save the file with the name hide-partition-s.txt in the "Scripts" folder of the MDT Toolkit Files Package source files as determined in Step 4.
- Update the Distribution Points that the MDT Toolkit Files Package is on.
- In the ConfigMgr 2007 Admin Console, under the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node, right click on the Task Sequence using the ZTIBde.wsf script and choose "Edit".
- Click on the "Enable BitLocker" task to select it.
- Click on "Add" --> "General" --> "Run Command Line". This should add a "Run Command Line" task immediately after the "Enable BitLocker" task.
- In the newly created "Run Command Line" task:
- In the "Name:" text box, enter:
Hide S: Drive
- In the "Command line:" text box, enter:
diskpart.exe /s "%DeployRoot%\Scripts\hide-partition-s.txt"
- Click on the "OK" or "Apply" button to save the Task Sequence.
Notes on Method 2:
- The ZTIBde.wsf script from MDT integration creates the partition without formatting or erasing any data currently on the drive. It does this by using DiskPart.exe to shrink the existing single partition by 300MB, and then using the newly freed up 300MB of space, it creates a new 300MB partition. Unlike in Method 1, the new partition will be the second partition on the drive, not the first. This should not cause any issues.
- The ZTIBde.wsf script, along with the "Enable BitLocker" task, takes care of removing the bootable option from the original partition and marking the newly created partition as the new bootable partition. The tasks also take care of moving the boot manager and boot files from the original partition to the new partition.
- The ZTIBde.wsf script has the added benefit that it will detect if the required BitLocker partition has already been created. If it has it will not take any further action. This is useful in Refresh scenarios where the BitLocker partition already existed from a previous deployment and does not need to be created again.
- There is a known problem in the ZTIBde.wsf script of MDT 2010 that prevents it from working properly in x64 OSes. This problem does not exist in the ZTIBde.wsf script in MDT 2008 or MDT 2008 Update 1, and it has been fixed in MDT 2010 Update 1. For detailed information, see KB2254610, "ConfigMgr 2007: The ZTIBde.wsf script from MDT 2010 does not work in x64 Windows OSes".
- After the "Enable BitLocker" step has run and BitLocker has been enabled, the status of the encryption process can be checked by running the following command at an elevated command prompt after the Task Sequence has completed:
Manage-bde -status <Drive_Letter>
where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:
Manage-bde -status c:
Hope this helps,
Frank Rojas | System Center Support Escalation Engineer