Microsoft Deployment Toolkit
Review Known Issues, Limitations, and Recommendations That Relate to BitLocker
The following is a list of known issues, limitations, and recommendations that relate to BitLocker:
· Windows Server 2012 or Windows Server 2008 R2 may crash if the operating system image used to perform the deployment does not have the optional BitLocker component. This situation can occur in the following scenarios:
  · Performing the MDT Refresh Computer deployment scenario (in LTI, ZTI, or UDI), where BitLocker is enabled on the existing operating system. In this situation, BitLocker is suspended in the existing operating system by MDT, but without the optional component in the new operating system image, Windows is unable to boot from the disk on which BitLocker is suspended.
  · Performing the MDT New Computer deployment scenario (in LTI, ZTI, or UDI) on a Trusted Platform Module–enabled server on which BitLocker has been enabled. In this situation, BitLocker is enabled offline using BitLocker pre-provisioning, but without the BitLocker optional component in the new operating system image, the new operating system is unable to boot from the disk on which BitLocker has been pre-provisioned.
  The workaround for either situation is to deploy a custom operating system image that includes the BitLocker component.
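The check behind that workaround, as an added example that is not part of the MDT documentation: mount the image the task sequence will deploy, ask DISM whether the BitLocker optional component is present, and optionally add it offline. The WIM path, image index and mount folder are assumptions; the script needs the DISM PowerShell module from Windows 8 / Windows Server 2012 or the ADK.

```powershell
# Added example (not from the MDT documentation): verify that the OS image a
# task sequence will deploy contains the BitLocker optional component, and add
# it offline when -Fix is given. Paths and index below are assumptions.
param(
    [string]$ImagePath = 'C:\DeploymentShare\Operating Systems\WS2012\install.wim',  # assumed path
    [int]$Index        = 2,                                                          # assumed image index
    [string]$MountDir  = 'C:\Mount',                                                 # assumed scratch folder
    [switch]$Fix
)

Import-Module Dism

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

$changed = $false
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
try {
    # 'BitLocker' is the optional-feature name of BitLocker Drive Encryption on Windows Server
    $feature = Get-WindowsOptionalFeature -Path $MountDir -FeatureName BitLocker

    if ($feature.State -eq 'Enabled') {
        Write-Host "OK: image index $Index already contains the BitLocker component."
    }
    elseif ($Fix) {
        Enable-WindowsOptionalFeature -Path $MountDir -FeatureName BitLocker -All | Out-Null
        Write-Host "Enabled the BitLocker component in image index $Index."
        $changed = $true
    }
    else {
        Write-Warning ("Image index $Index lacks the BitLocker component (state: $($feature.State)). " +
                       "Refresh/New Computer deployments with BitLocker will not boot from this image. Re-run with -Fix.")
    }
}
finally {
    # Commit the WIM only when the image was modified; otherwise discard so the source stays untouched.
    if ($changed) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Run it from an elevated prompt on the deployment server before importing the image into the deployment share; a state of Disabled or DisabledWithPayloadRemoved is the condition that produces the boot failure described above.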
· If you want to use an alphanumeric PIN for BitLocker during deployment, you must enable the Allow enhanced PINs for Startup group policy setting. The Allow enhanced PINs for Startup group policy setting is located in Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives.
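A pre-flight check for this requirement, as an added example that is not part of the MDT documentation: the policy writes the DWORD value UseEnhancedPin under HKLM\SOFTWARE\Policies\Microsoft\FVE, so a task sequence step can confirm it is in effect before it tries to apply a PIN that contains anything other than digits. The sample PIN value is constructed for illustration.

```powershell
# Added example (not from the MDT documentation): confirm that the
# "Allow enhanced PINs for startup" policy is in effect before a deployment
# tries to set an alphanumeric BitLocker PIN.

function Test-EnhancedPinPolicy {
    # The Group Policy setting is stored as UseEnhancedPin (DWORD 1) under the FVE policy key.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name UseEnhancedPin -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.UseEnhancedPin -eq 1)
}

function Test-PinNeedsEnhancedPolicy {
    param([Parameter(Mandatory=$true)][string]$Pin)
    # A standard BitLocker PIN is digits only; letters, symbols or spaces need the enhanced-PIN policy.
    # Length limits are governed by the separate minimum-PIN-length policy and are not checked here.
    return ($Pin -notmatch '^[0-9]+$')
}

# Example use. The literal PIN is constructed for this example; in a real task
# sequence the value comes from a task sequence variable, not from the script.
$pin = 'Deploy#2024'
if ((Test-PinNeedsEnhancedPolicy -Pin $pin) -and -not (Test-EnhancedPinPolicy)) {
    Write-Warning ('Alphanumeric PIN requested but "Allow enhanced PINs for startup" is not enabled. ' +
                   'Enable it under Computer Configuration/Policies/Administrative Templates/Windows Components/' +
                   'BitLocker Drive Encryption/Operating System Drives, or the PIN will be rejected.')
} else {
    Write-Host 'PIN is compatible with the effective BitLocker PIN policy.'
}
```

The registry check reflects the policy as it has been applied on the machine; on a freshly deployed system run gpupdate (or wait for policy to apply) before relying on it.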
· In New Computer scenarios on computers running Windows Vista that have BitLocker disabled (a state in which the volume is still encrypted, but the key is stored in clear text to allow automatic startup), running Diskpart to clean the disk causes the computer to stop responding. To work around this issue, enable BitLocker again, or turn off BitLocker to decrypt the volume and ensure that decryption finishes. If the computer stops responding, restart deployment.
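One way to detect the "BitLocker disabled" state before a task sequence cleans the disk, as an added example that is not part of the MDT documentation: parse the Conversion Status and Protection Status lines that manage-bde reports for the volume. Windows Vista ships manage-bde as a script (manage-bde.wsf), Windows 7 and later as manage-bde.exe; the script below handles both, and assumes the two status labels read the same in both versions.

```powershell
# Added example (not from the MDT documentation): before "diskpart clean" in a
# New Computer scenario, check whether the target volume is encrypted with
# protection off (the "BitLocker disabled" state that hangs Diskpart).

function Get-BitLockerState {
    param([string]$Volume = 'C:')
    # Windows Vista ships the script form; later versions ship manage-bde.exe.
    $wsf = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
    if (Test-Path $wsf) { $out = cscript.exe //nologo $wsf -status $Volume 2>&1 }
    else                { $out = manage-bde.exe -status $Volume 2>&1 }
    $text = ($out | Out-String)

    # Assumption: both versions print "Conversion Status:" and "Protection Status:" lines.
    $conv = if ($text -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $prot = if ($text -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }

    return New-Object PSObject -Property @{
        Volume     = $Volume
        Conversion = $conv   # e.g. "Fully Encrypted", "Fully Decrypted", "Decryption in Progress"
        Protection = $prot   # e.g. "Protection On", "Protection Off"
    }
}

function Test-SafeToCleanDisk {
    param([string]$Volume = 'C:')
    $s = Get-BitLockerState -Volume $Volume
    switch ($s.Conversion) {
        'Fully Decrypted' { return $true }   # nothing encrypted; Diskpart clean is safe
        'Fully Encrypted' {
            if ($s.Protection -eq 'Protection On') { return $true }
            # Encrypted with protectors off is exactly the state the known issue describes.
            Write-Warning ("$Volume is encrypted but protection is off. Enable BitLocker again " +
                           "(manage-bde -protectors -on $Volume) or turn it off and let decryption finish before cleaning.")
            return $false
        }
        default {
            Write-Warning "$Volume conversion state is '$($s.Conversion)'. Wait for it to finish before cleaning."
            return $false
        }
    }
}

# Example use: gate the Diskpart step on the result.
if (-not (Test-SafeToCleanDisk -Volume 'C:')) { exit 1 }
```

manage-bde needs an elevated prompt; in an MDT task sequence the check would run as a Run Command Line step before the Format and Partition Disk step so that a non-zero exit code stops the sequence instead of hanging the computer.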
· If a BitLocker recovery prompt appears after restarting the target computer (because the BitLocker key required to unlock the volume could not be obtained), work around the problem by using one of the following approaches:
  · Remove the media (such as the deployment DVD) while Windows PE is still running. Doing so prevents the operating system from seeing the DVD when it starts.
  · Change the boot order of the computer so that the DVD drive follows the hard disk.
  · Deploy the computer with no startup media; for example, use a Pre-Boot Execution Environment (PXE) deployment.