How does SmartDeploy work with BitLocker Drive Encryption?

Can BitLocker interfere with imaging?

BitLocker Drive Encryption is a data protection feature built into Windows that encrypts an endpoint's volumes so the data on them cannot be read from outside the installed operating system (for example, by booting other media or moving the disk to another machine) without one of the volume's key protectors, such as the TPM, a PIN or password, or the 48-digit recovery password.

Many SmartDeploy reimaging options, configurable when you create a SmartDeploy Answer File, require the hard drive of the target device to be accessible to the SmartPE environment as a part of deployment.

These include:

  • User Data Migration
  • Selecting the "Use existing computer name" option on the Naming Convention page.

If BitLocker is enabled, SmartPE cannot read the encrypted volume (for a TPM-protected OS drive, the TPM releases the volume key only to the installed Windows boot chain, not to boot media), so these options cannot be used. If you intend to use these options in an answer file with USB, ISO, or WDS boot media, you must manually suspend or disable (decrypt) BitLocker before rebooting into the media. Suspending is the quicker choice: the data stays encrypted, but the volume key is stored in the clear on the disk so any operating system, SmartPE included, can read the volume; decrypting rewrites the whole drive. Either way, make sure the recovery password is recorded somewhere other than the device before you start.
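The manual suspend described above, as an added example for this article (not SmartDeploy's own code or tooling): run it from an elevated PowerShell prompt on the endpoint before booting the USB, ISO, or WDS media. It uses the built-in BitLocker PowerShell module, records the recovery password first, and suspends protection indefinitely rather than for a single reboot.

```powershell
# Added example, not part of SmartDeploy's documentation.
# Suspend BitLocker on the OS volume before rebooting into SmartPE from
# USB/ISO/WDS boot media. Run from an elevated PowerShell prompt.

$drive  = $env:SystemDrive
$volume = Get-BitLockerVolume -MountPoint $drive

if ($volume.ProtectionStatus -eq 'On') {
    # Record the recovery password(s) before touching protection, so the
    # drive can still be unlocked if the reimage is aborted and protection
    # later resumes.
    $volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Write-Host "Recovery password $($_.KeyProtectorId): $($_.RecoveryPassword)"
        }

    # -RebootCount 0 keeps protection suspended until Resume-BitLocker is
    # run, so an unexpected restart before the reimage does not re-arm it.
    Suspend-BitLocker -MountPoint $drive -RebootCount 0 | Out-Null
}
else {
    Write-Host "BitLocker protection is already off for $drive"
}

# Verify: ProtectionStatus should now read Off while VolumeStatus stays
# FullyEncrypted (the data is still encrypted; only the key is exposed).
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus
```

The same result can be had with `manage-bde -protectors -disable C: -RebootCount 0`. If you prefer to decrypt instead, use `Disable-BitLocker -MountPoint C:` and wait for VolumeStatus to report FullyDecrypted before rebooting into the media.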

BitLocker is automatically suspended for console-initiated deployments

If you are performing a console-initiated deployment from the Computer Management view of the SmartDeploy console, the SmartDeploy Client on any selected endpoint(s) will automatically detect the BitLocker status. If BitLocker is enabled on the endpoint(s), the SmartDeploy Client will automatically suspend BitLocker prior to the console-initiated deployment.

This will occur without any user interaction required - it is a fully automated capability of the SmartDeploy Client.

After reimaging, BitLocker is off on the endpoint(s): the newly deployed image is unencrypted, and it stays that way unless you re-enable BitLocker, for example with the answer-file task described in the next section.

Can I enable BitLocker when reimaging is complete?

Before you enable BitLocker, make sure that a TPM is enabled in the system firmware (UEFI/BIOS setup) on your target devices; without it, the command below cannot bind the volume key to the TPM. We also recommend that you review Microsoft's documentation about configuring Group Policy to back up your recovery keys (for example, to Active Directory), so that a recovery password is stored somewhere other than the encrypted device before encryption starts. Then build and capture your Reference VM as usual, leaving BitLocker off inside the VM: an encrypted reference volume cannot be captured, and BitLocker is turned on per device by the answer-file task below.

Add the Task to Enable BitLocker to Your Answer File

  1. Switch to the Answer Files workspace of the SmartDeploy Console.
  2. Create or edit an existing answer file, and then click Advanced.
  3. Click the Tasks tab, and then click Add.
  4. In the Phase dropdown, select First logon to desktop.
  5. In the Command line field, type:
    manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest
     Here -RecoveryPassword adds a 48-digit recovery password protector, and -SkipHardwareTest starts encryption immediately instead of after a reboot-and-test cycle.
  6. Click OK to add the task, and then click OK to close the Advanced settings window.
  7. Proceed through the Answer File Wizard, and save the answer file.
  8. Re-create any boot media that you want to use with this answer file.
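As an added example (not SmartDeploy's own code), the following script is a fuller alternative to the single manage-bde command in step 5 for sites that want the TPM checked and the recovery password escrowed as part of the same first-logon task. It assumes the script is placed in the image at a path of your choosing and that the task's Command line field is pointed at it via powershell.exe (for example, `powershell.exe -ExecutionPolicy Bypass -File C:\Deploy\Enable-BitLocker.ps1`; the path and invocation are assumptions, not documented SmartDeploy behaviour), that the endpoint is domain-joined, and that Group Policy permits storing BitLocker recovery information in Active Directory.

```powershell
# Added example, not part of SmartDeploy's documentation.
# First-logon task: verify the TPM, enable BitLocker on the OS drive with a
# TPM protector plus a recovery password, escrow the recovery password in
# Active Directory, and fail loudly rather than leave the drive unencrypted.
# Assumes a domain-joined endpoint with AD DS recovery-key backup allowed.

$ErrorActionPreference = 'Stop'
$drive = $env:SystemDrive

# 1. TPM must be present and ready; otherwise the TPM protector cannot be
#    created and the drive would need a password/PIN protector instead.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready on $env:COMPUTERNAME (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); BitLocker not enabled."
}

# 2. Idempotence: the task may run again at a later logon.
$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already on for $drive; nothing to do."
    exit 0
}

# 3. Add the recovery password protector first so it exists before any key
#    is in use, then enable BitLocker bound to the TPM. -SkipHardwareTest
#    mirrors the manage-bde command in step 5. -UsedSpaceOnly is quick on a
#    freshly imaged drive; remove it if policy requires full-volume encryption.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $drive -TpmProtector -SkipHardwareTest -UsedSpaceOnly | Out-Null

# 4. Escrow every recovery password protector in Active Directory. For
#    Entra-joined devices, BackupToAAD-BitLockerKeyProtector is the
#    equivalent cmdlet.
$vol = Get-BitLockerVolume -MountPoint $drive
$recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recoveryProtectors) {
    throw "No recovery password protector found on $drive after enabling BitLocker."
}
foreach ($rp in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Host "Recovery password $($rp.KeyProtectorId) backed up to AD DS."
}

# 5. Report the end state: ProtectionStatus On, VolumeStatus either
#    EncryptionInProgress or FullyEncrypted.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The order matters for recovery: the password is created and escrowed before the device depends on the TPM, so a later firmware update or board swap that changes TPM measurements leaves an unlock path in the directory. If the backup step throws (for example, the device is not yet reachable to a domain controller at first logon), the script stops with a non-zero exit and the volume is still encrypting with the recovery password available locally via `manage-bde -protectors -get C:`.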
