SCCM and MDT OSD with BitLocker OH MY!
By Steve Bowman
Published November 7, 2017
Estimated Reading Time: 2 minutes

While working with a client on an in-place upgrade from Windows 7 to Windows 10 using an SCCM task sequence integrated with MDT, I ran into some unexpected issues. First, let's look at the Disable BitLocker step in the SCCM MDT task sequence.


The "Enable BitLocker" step is nothing more than an execution of the ZTIBde.wsf script file (run from the MDT Scripts Package). The script provides a full set of checks (OS version, physical disks, etc.) to validate that the target computer is eligible for BitLocker encryption. After all validations pass, the task sequence starts the encryption task using the native Windows tool "manage-bde.exe", located in the %system32% folder.


Now this is where the fun started. The client wanted the TS to convert the firmware from Legacy BIOS to UEFI and the disk from MBR to GPT format. I decided to use MBR2GPT.EXE for this task. MBR2GPT.exe converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but it can also be run from the full Windows 10 operating system (OS) by using the /allowFullOS option.


According to the Microsoft documentation, you need to disable BitLocker before running MBR2GPT.exe. I used the default SCCM MDT Disable BitLocker step, added the steps for converting the disk, and then added the steps to Enable BitLocker. The Disable BitLocker step completed successfully, the OS was upgraded to Windows 10, the BIOS was changed to UEFI, the machine rebooted into Windows PE and ran the MBR2GPT step. The MBR2GPT step failed to convert the disk. Looking through the SMSTS.log, I found that MBR2GPT.exe refused to convert a disk with protectors enabled.


I dug deeper and realized that the default Disable BitLocker step only disables BitLocker for one reboot. I needed a way to disable BitLocker for more than one reboot. Looking at the Microsoft documentation for Manage-BDE.exe on Windows 7, I could run "Manage-bde.exe -protectors -disable c:", which should suspend protection indefinitely. I added a Run Command Line step to my TS with "Manage-bde.exe -protectors -disable c:" and that worked. I replaced the default Disable BitLocker step with the Run Command Line step. The TS failed again with the same MBR2GPT error. I soon realized that the version of Manage-BDE, and the syntax for suspending protection indefinitely, changed from Windows 7 to Windows 10.


The syntax to suspend protection indefinitely on Windows 7 is "Manage-bde.exe -protectors -disable c:".


The syntax to suspend protection indefinitely on Windows 10 is "Manage-bde.exe -protectors -disable c: -rc 0". If you don't add -RC (RebootCount) 0, the protectors will be re-enabled after a reboot.
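As an added example (not from the original post or from MDT's own scripts), here is a Run Command Line style PowerShell script that suspends the protectors on the OS volume for all subsequent reboots, confirms the volume actually reports "Protection Off" before handing over to MBR2GPT, and runs MBR2GPT's /validate dry run. Drive C: and disk number 0 are assumptions; the script expects the Windows 10 manage-bde.exe and MBR2GPT.exe to be on the PATH.

```powershell
# Added example (not part of the original post). Assumes drive C: and disk 0,
# and the Windows 10 versions of manage-bde.exe and MBR2GPT.exe on the PATH.
param(
    [string]$Drive = 'C:',
    [int]$DiskNumber = 0
)

function Get-ProtectionStatus {
    param([string]$Volume)
    # "manage-bde -status <vol>" prints a line such as "Protection Status: Protection Off"
    $output = & manage-bde.exe -status $Volume 2>&1
    foreach ($line in $output) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

# -RebootCount 0 (alias -rc) keeps protectors suspended until explicitly re-enabled.
# On Windows 10, omitting it re-arms protection after the next reboot, which is
# exactly what made MBR2GPT fail in the task sequence described above.
& manage-bde.exe -protectors -disable $Drive -RebootCount 0 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }

# Do not proceed on an assumption: read the state back from the volume.
$state = Get-ProtectionStatus -Volume $Drive
if ($state -ne 'Protection Off') {
    throw "Expected 'Protection Off' on $Drive before conversion, got '$state'"
}

# /validate checks the disk layout without changing it. /allowFullOS is only
# required when running inside the full OS; drop it when running from Windows PE.
& MBR2GPT.exe /validate /disk:$DiskNumber /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "MBR2GPT validation of disk $DiskNumber failed with exit code $LASTEXITCODE"
}
Write-Output "Disk $DiskNumber validated; protectors on $Drive stay suspended across reboots."
```

Remember to add an Enable BitLocker step after the conversion, because with -RebootCount 0 nothing will re-enable the protectors for you.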


The point of this post: when doing an in-place upgrade, validate that the command syntax that worked in Windows 7 still works in Windows 10.

Article by Steve Bowman
Steve Bowman is a Partner at Model Technology as well as their Vice President of Sales and Marketing. Steve is a father, husband, Franciscan, and lover of technology. He's bilingual in business and technology and has over 30 years of experience in selling enterprise technology solutions in a variety of industries.
