Question about Bitlocker and Re-Imaging

  • Question

  • We are not using Bitlocker through MDT, just running it manually during configuration.
    We've been told that any machine that's had Bitlocker on it MUST be decrypted before
    re-imaging.
    My question is: I can boot to MDT and at the image menu, cancel out of MDT. At the DOS
    screen, I do a diskpart and Select Disk 0 and enter Clean. Does this efficiently wipe the drive
    or am I actually required to either Killdisk the drive or run a Bitlocker decryption?
    If I can just use "Clean" at the diskpart prompt, I can save lots of time decrypting the
    drive or running Killdisk.
    Thanks!

    Tuesday, February 16, 2016 8:51 AM

Answers

  • I'm pretty sure a bare metal build task sequence runs diskpart /clean before it formats and lays down the image.
    • Proposed as answer by Keith Garner (MVP) Tuesday, February 16, 2016 9:09 PM
    • Marked as answer by the1rickster Wednesday, February 17, 2016 4:17 AM
    Tuesday, February 16, 2016 5:59 PM
  • MDT "newcomputer" will perform a diskpart.exe clean, so any existing "encrypted" partitions will be lost and flattened for the new system.

    @the1Rickster - you may be getting instructions to decrypt the drive so you can migrate the user data; if not decrypted, you lose the data.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    • Marked as answer by the1rickster Wednesday, February 17, 2016 4:16 AM
    Tuesday, February 16, 2016 9:12 PM

All replies

  • An encrypted disk is seen as RAW in WinPE so you shouldn't have to diskpart clean. To directly answer your question: diskpart clean is perfectly valid for rebuilding a machine.

    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.

    Tuesday, February 16, 2016 1:15 PM
  • OK, I will give that a go myself. Our dept is instructed to either decrypt the drive from Bitlocker or Killdisk before reimaging. For some reason, they claim the devices run into issues if they just clone over an encrypted HDD.
    I've not seen any issue but some said they have.

    Is there a quicker way anyone knows how to diskpart-clean a device other than booting up to MDT, canceling the process and using diskpart at the CMD?
    Tuesday, February 16, 2016 3:08 PM
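A scripted form of the diskpart sequence from the question (select disk 0, clean), added here as an example and not code from the thread or from MDT: it lists the disks so the operator can confirm the target, runs the clean through `diskpart /s`, and checks that no partitions remain afterwards. It assumes a WinPE session with the PowerShell optional component loaded and that disk 0 is the drive to be re-imaged; note that plain `clean` removes the partition and volume structures only, while `clean all` zeroes every sector and takes correspondingly longer.

```powershell
# Constructed example: non-interactive "select disk N / clean" for a WinPE re-image,
# the scripted equivalent of cancelling MDT and typing the commands at the prompt.
param(
    [int]$DiskNumber = 0,   # assumption: disk 0 is the drive being re-imaged
    [switch]$ZeroSectors    # use "clean all" (every sector zeroed) instead of "clean"
)

# Run a list of diskpart commands from a temporary script file and return its output.
function Invoke-DiskpartScript([string[]]$Lines) {
    $path = Join-Path $env:TEMP 'clean-disk.txt'   # X:\Windows\Temp in WinPE
    $Lines | Set-Content -Path $path -Encoding ASCII
    $out = & diskpart.exe /s $path
    if ($LASTEXITCODE -ne 0) {
        throw "diskpart exited with code $LASTEXITCODE`n$($out -join "`n")"
    }
    return $out
}

# Show the disk table first: the wipe is irreversible, so confirm the disk number
# before anything is touched (a docking station or USB stick can shift numbering).
Invoke-DiskpartScript @('list disk') | Write-Host

$cleanCmd = if ($ZeroSectors) { 'clean all' } else { 'clean' }
$answer = Read-Host "Run '$cleanCmd' on disk $DiskNumber? Type YES to continue"
if ($answer -ne 'YES') {
    Write-Host 'Aborted; nothing was changed.'
    exit 1
}

# Wipe the partition structures, then re-select the disk and list what is left.
$result = Invoke-DiskpartScript @(
    "select disk $DiskNumber",
    $cleanCmd,
    "select disk $DiskNumber",
    'list partition'
)
$result | Write-Host

# After a successful clean, diskpart reports that the disk has no partitions;
# the drive is then in the same state MDT's New Computer task sequence produces.
if ($result -match 'no partitions on this disk') {
    Write-Host "Disk $DiskNumber cleaned; ready for the image."
} else {
    Write-Warning "Disk $DiskNumber still reports partitions; check the output above."
}
```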
  • I have one final question about this... from what I see online about MDT and Format/Partition disk, I see people adding a command line to run diskpart.exe and pointing to a file which does the rest... Select Disk 0, Clean. I can't find any link online that I can show as proof that MDT does in fact run diskpart.exe clean.
    Wednesday, February 17, 2016 5:16 AM
  • Keith knows. Trust him. :)

    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.

    Wednesday, February 17, 2016 6:52 AM