So as Windows 7 accelerates to being released to manufacture and we start to get involved in engagements to deploy it I thought I might take a quick look at some changes to BitLocker and how they might help or hinder deployments.
One thing that customers regularly need to do on machines is update the BIOS. Each vendor has their own tools to do this – some have better automation support than others. However they all have one thing in common – if BitLocker is enabled it will detect the BIOS change and prompt the user for their recovery password at restart.
In Windows 7 we now have the ability to suspend BitLocker and then re-enable it. This enables the BIOS to be updated without having to first decrypt the drive or have the user input their password post upgrade.
We can use the BDE command line tool to mange this
Manage-bde.exe –protectors –disable c:
Manage-bde.exe –protectors –enable c:
The –pause option is to suspend encryption of a drive being encrypted.
Remember that while deploying a system it is best to place the BitLocker enablement command at the end of the task sequence – this is now the default in MDT 2010. Placing the enable command at the start will significantly increase the deployment time.
This post was contributed by Richard Trusson, a Senior Consultant with Microsoft Consulting Services – U.K.