Capturing an image with Bitlocker turned on? RRS feed

  • Question

  • I am creating a new windows 10  image with MDT 2013.   We have been told we have to have bit locker turned on for all laptops. Is it possible to image a laptop with it already turned on? Or do I have to turn it on after the image is deployed?

    Thank you.

    • Edited by FreeRiderHD Wednesday, November 8, 2017 2:12 PM
    Wednesday, November 8, 2017 2:05 PM

All replies

  • No, that doesn't make sense. BitLocker is something enabled on a specific instance of Windows and protected to that specific instance using hardware on the system hosting that instance. It's not something the WIM image format can even capture (because a WIM image is a file based image format). Even if you were to use a bit-based image format (which I highly recommend against) you would be capturing an encrypted blob protected by a key stored on another system. Finally, I don't think sysprep will even run on a BitLocker protected system and yes, syspreping a reference system to create a reference image is required for any imaging.

    Enabling BitLocker during OS deployment using the OSD feature set in ConfigMgr (this is a ConfigMgr forum) or MDT is pretty straight-forward though. I would highly encourage you to deploy MBAM first though to provide BitLocker and BitLocker key management.

    Jason | https://home.configmgrftw.com | @jasonsandys

    • Proposed as answer by Lorry Luo Tuesday, December 12, 2017 2:15 AM
    Wednesday, November 8, 2017 2:46 PM
  • Hi,

    Do you have at least two partitions or more?

    Use the Enable BitLocker task sequence step to enable BitLocker encryption on at least two partitions on the hard drive. The first active partition contains the Windows bootstrap code. Another partition contains the operating system. The bootstrap partition must remain unencrypted.

    Source: https://technet.microsoft.com/en-us/library/hh846237.aspx#BKMK_DisableBitLocker

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 9, 2017 3:23 AM
  • You should be using a VM to capture your image, not a physical machine. There are many reasons why it is better to use VM's (hardware agnostic, ability to take snapshots and revert easily, ability to image from anywhere, etc.) but to answer your question, no, you can't capture an encrypted disk...


    Thursday, November 9, 2017 3:59 AM