How to Pre-Provision BitLocker on Windows 7

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

The Pre-provision BitLocker task sequence step in Microsoft System Center 2012 Configuration Manager allows you to enable BitLocker from the Windows Preinstallation Environment (Windows PE) before the operating system is deployed. Only the used drive space is encrypted, so encryption completes much faster. The step applies a randomly generated clear protector to the formatted volume and encrypts the volume before the Windows setup process runs.

The ability to pre-provision BitLocker was introduced with Windows 8 and Windows Server 2012. However, you can pre-provision BitLocker on a hard drive and install Windows 7 as long as you follow specific steps. After Windows 7 Setup completes, you must set a BitLocker key protector because the Windows 7 BitLocker control panel does not support BitLocker with a clear protector. You must add a key protector by using the Enable BitLocker step or by using the manage-bde.exe command-line tool.

Generally, you must do the following to successfully pre-provision BitLocker on a computer that will install Windows 7:

  • Restart the computer in Windows PE

    Important

    You must use a boot image with Windows PE 4 or later to pre-provision BitLocker. For more information about supported Windows PE versions in Configuration Manager, see Prerequisites For Deploying Operating Systems in Configuration Manager.

  • Partition and format the hard drive

  • Pre-provision BitLocker

  • Install Windows 7 with specific operating system and network settings

  • Add a key protector to BitLocker

In Configuration Manager, the recommended way to pre-provision BitLocker on a hard drive and install Windows 7 is to create a new task sequence and select Install an existing image package from the Create New Task Sequence page of the Create Task Sequence Wizard. The wizard creates the task sequence steps listed in the following table.

Note

The task sequence might have additional steps depending on how you configured the settings in the wizard. For example, you might have the Capture Windows Settings step if you selected Captured Microsoft Windows settings on the State Migration page of the wizard.

| Task sequence step | Details |
| --- | --- |
| Disable BitLocker | This step disables BitLocker encryption, if it is currently enabled. For more information about this step, see the Disable BitLocker section in the Task Sequence Steps in Configuration Manager topic. |
| Restart in Windows PE | This step restarts the computer in Windows PE by running the boot image assigned to the task sequence. You must use a boot image with Windows PE 4 or later to pre-provision BitLocker. For more information about this step, see the Restart Computer section in the Task Sequence Steps in Configuration Manager topic. |
| Partition Disk 0 - BIOS; Partition Disk 0 - UEFI | These steps format and partition the specified drive on the destination computer by using BIOS or UEFI. The task sequence uses UEFI when it detects that the destination computer is in UEFI mode. For more information about these steps, see the Format and Partition Disk section in the Task Sequence Steps in Configuration Manager topic. |
| Pre-provision BitLocker | This step enables BitLocker on a drive while in Windows PE. Only the used drive space is encrypted. Because you partitioned and formatted the hard drive in the previous step, there is no data, and encryption completes very quickly. For more information about this step, see the Pre-provision BitLocker section in the Task Sequence Steps in Configuration Manager topic. |
| Apply Operating System | This step prepares the answer file that is used to install the operating system on the destination computer and sets the OSDTargetSystemDrive task sequence variable to the drive letter of the partition that contains the operating system files. The answer file and variable are used by the Setup Windows and ConfigMgr step to install the operating system. For more information about this step, see the Apply Operating System Image section in the Task Sequence Steps in Configuration Manager topic. |
| Apply Windows Settings | This step adds Windows settings to the answer file. The answer file is used by the Setup Windows and ConfigMgr step to install the operating system. For more information about this step, see the Apply Windows Settings Task Sequence Action Variables section in the Task Sequence Steps in Configuration Manager topic. |
| Apply Network Settings | This step adds network settings to the answer file. The answer file is used by the Setup Windows and ConfigMgr step to install the operating system. For more information about this step, see the Format and Partition Disk section in the Task Sequence Steps in Configuration Manager topic. |
| Apply Device Drivers | This step matches and installs drivers as part of the operating system deployment. For more information about this step, see the Auto Apply Drivers Task Sequence Action Variables section in the Task Sequence Steps in Configuration Manager topic. |
| Setup Windows and ConfigMgr | This step performs the transition from Windows PE to the new operating system. This task sequence step is a required part of any operating system deployment. It installs the Configuration Manager client into the new operating system and prepares for the task sequence to continue execution in the new operating system. For more information about this step, see the Setup Windows and ConfigMgr section in the Task Sequence Steps in Configuration Manager topic. |
| Enable BitLocker | This step enables BitLocker encryption on the hard drive and sets key protectors. Because the hard drive was pre-provisioned with BitLocker, this step completes very quickly. Windows 7 requires that you add a key protector. If you do not use this step, you can run the manage-bde.exe command-line tool to set a key protector. For more information about this step, see the Enable BitLocker Task Sequence Action Variables section in the Task Sequence Steps in Configuration Manager topic. |
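
A check to run in the deployed Windows 7 system when the Enable BitLocker step is not used, shown here as an added example and not code from this topic. A volume that still has only the clear protector is encrypted but not protected, so the script adds a TPM protector with manage-bde.exe, turns protection on, and fails unless protection is confirmed. The C: drive letter, the choice of a TPM protector and the exit codes are assumptions.

```powershell
# Added example, not Microsoft's code. Run elevated in the deployed Windows 7 OS.
param([string]$Drive = 'C:')   # assumption: letter of the pre-provisioned OS volume

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { Write-Error "No BitLocker-capable volume found for $Drive"; exit 2 }

function Get-ProtectorIds {
    # KeyProtectorType 0 requests protectors of every type; drop the $null returned for "none".
    $vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ }
}

# ConversionStatus 0 = fully decrypted, so pre-provisioning never took effect.
if ($vol.GetConversionStatus().ConversionStatus -eq 0) {
    Write-Error "$Drive is not encrypted; check the Pre-provision BitLocker step"
    exit 3
}

# No key protector yet: add a TPM protector (assumed protector type for this example).
if (@(Get-ProtectorIds).Count -eq 0) {
    & manage-bde.exe -protectors -add $Drive -tpm | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Error "Adding the TPM protector failed"; exit 4 }
}

# ProtectionStatus 1 = protection on. Otherwise enable the key protectors,
# which removes the unprotected key from the drive.
if ($vol.GetProtectionStatus().ProtectionStatus -ne 1) {
    & manage-bde.exe -protectors -enable $Drive | Out-Null
}

# Final gate: a non-zero exit code lets a task sequence step fail visibly.
$ids = @(Get-ProtectorIds)
if ($vol.GetProtectionStatus().ProtectionStatus -ne 1 -or $ids.Count -eq 0) {
    Write-Error "$Drive is still unprotected after adding a key protector"
    exit 1
}
Write-Output "$Drive is protected with $($ids.Count) key protector(s)"
exit 0
```

The script uses the Win32_EncryptableVolume WMI class instead of the BitLocker PowerShell cmdlets because those cmdlets are not available on Windows 7.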