BitLocker Drive Encryption Detected Bootable Media

  • Question

  • Can someone explain to me why I have to remove bootable media to enable BitLocker?

    What on God's green earth does that do to secure anything? I can simply put back that bootable media after the encryption is done.

    What it does do is totally stop my otherwise fully automated SCCM Task Sequence for imaging new PCs.

    Sure, I can script an eject I suppose, but the real point of this post is to understand the actual value and purpose of removing the media (of which I believe there is none).

    Thursday, March 9, 2017 12:16 PM

All replies

  • We don't know what your task sequence does. I guess, saying "among other things, encrypt the hard drive" would not be enough, but I don't use task sequences myself.

    I can only imagine that your task sequence tries to encrypt all drives and tries not to encrypt removable drives as well, since those might be used on other machines with no BitLocker-reading ability.

    Otherwise, there is no reason whatsoever not to have other drives connected while the hard drive is being encrypted.

    Thursday, March 9, 2017 2:14 PM
  • The task sequence is just a regular OS deployment which has the steps for Pre-provision BitLocker and Enable BitLocker. The reason there is bootable media in the drive is that it is what we use to run the task sequence. By the time it asks, it can be removed, but it takes manual user intervention, which stops us from saying: start the imaging, go have lunch, come back and done.

    But again, my main interest in this thread is simply "why does Microsoft / BitLocker care about bootable CD and/or USB media related to the enablement of BitLocker?" I really want to know what the developers were thinking, as in my plane of existence it's a really stupid thing to do. However, on their plane of reality, perhaps there is a really good reason I should be made aware of.

    Thursday, March 9, 2017 5:10 PM
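The first post mentions scripting an eject. As an added example, not code from the thread or from SCCM, here is a PowerShell step that ejects any removable or optical media before the Enable BitLocker step and fails the step if media is still present, so the sequence stops with a logged error instead of stalling on the prompt. It assumes the step runs in the full Windows OS (where the Shell.Application COM object exists, unlike WinPE); the function names are my own.

```powershell
# Added example (not from the thread): eject removable/optical media before an
# "Enable BitLocker" task sequence step. Assumes a full Windows OS so that the
# Shell.Application COM object is available; function names are hypothetical.

function Get-RemovableMedia {
    # DriveType 2 = removable disk (USB stick), 5 = CD-ROM/DVD. A drive with no
    # media inserted reports a null Size, so filtering on Size skips empty trays
    # and empty card readers.
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 5) -and $_.Size } |
        Select-Object DeviceID, DriveType, VolumeName, Size
}

function Dismount-RemovableMedia {
    param([string]$DeviceID)
    # Shell namespace 17 is "This PC"; InvokeVerb('Eject') is the same action as
    # right-click > Eject in Explorer and works for both optical and USB media.
    $shell = New-Object -ComObject Shell.Application
    $item  = $shell.Namespace(17).ParseName($DeviceID)
    if ($null -eq $item) { throw "Drive $DeviceID not found in the shell namespace" }
    $item.InvokeVerb('Eject')
}

$media = @(Get-RemovableMedia)
foreach ($m in $media) {
    Write-Output ("Ejecting {0} ({1}) before enabling BitLocker" -f $m.DeviceID, $m.VolumeName)
    try { Dismount-RemovableMedia -DeviceID $m.DeviceID } catch { Write-Warning $_ }
}

# Re-check after a short pause so the task sequence step fails loudly (non-zero
# exit code) if something is still present, rather than waiting on the
# "remove bootable media" prompt that blocks an unattended deployment.
Start-Sleep -Seconds 5
$left = @(Get-RemovableMedia)
if ($left.Count -gt 0) {
    Write-Warning ("Media still present: " + ($left.DeviceID -join ', '))
    exit 1
}
exit 0
```

Run it as a Run PowerShell Script step immediately before Enable BitLocker, with the step set to fail the sequence on a non-zero exit code so a stuck disc or stick is visible in the deployment log.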