Mass Deployment of BitLocker in Windows Embedded Standard 2011 and the “Gotcha”


“The BitLocker feature in Windows Embedded Standard 2011 requires two partitions. The first partition is a system partition that contains the BCD (Boot Configuration Data) store and remains unencrypted. The second partition contains Windows, programs, etc., and can be encrypted. IBW does a good job of ensuring that the user is required to partition with a separate system partition if the user has added the BitLocker feature. It’s able to do that because it has an awareness of whether the feature is added by the user. What’s the ‘Gotcha’, you may ask? Well, during mass deployment scenarios, such as using WDS or IBW to deploy a custom WIM, the disk partitioning dialog has no awareness of whether the BitLocker feature is in the image. That means that it’s possible under these circumstances to create a system with the BitLocker feature and only one partition. This isn’t a supported setup for BitLocker, and the feature won’t enable or allow the Windows partition to become encrypted. So please, if you’re going to be mass-deploying an image with the BitLocker feature, ensure that the Unattend file (or the technician, if it’s a manual process) creates a system partition,” noted Microsoft.
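The Unattend fragment below is an added example of the two-partition layout the quote calls for; it is not taken from Microsoft’s post. It assumes a BIOS/MBR machine, a single disk (DiskID 0) that may be wiped, an x86 image, and the 100 MB system partition size that Windows 7-era setup uses; adjust those for your hardware. The first partition is the unencrypted system partition that will hold the BCD store and boot files, and the second is the Windows partition that BitLocker can then encrypt.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: windowsPE-pass DiskConfiguration for a BitLocker-capable layout.
     Assumptions: BIOS/MBR boot, disk 0 wiped, x86 architecture, 100 MB system partition. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <!-- Partition 1: system partition. Holds the BCD store and boot files and
                 stays unencrypted, which is what BitLocker requires. Size is in MB. -->
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Size>100</Size>
            </CreatePartition>
            <!-- Partition 2: Windows partition. This is the volume BitLocker encrypts;
                 it takes the rest of the disk. -->
            <CreatePartition wcm:action="add">
              <Order>2</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <!-- System partition: NTFS, marked active so the BIOS boots from it.
                 No drive letter, so it stays hidden from users and applications. -->
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Label>System</Label>
              <Format>NTFS</Format>
              <Active>true</Active>
            </ModifyPartition>
            <!-- Windows partition: NTFS, becomes C: -->
            <ModifyPartition wcm:action="add">
              <Order>2</Order>
              <PartitionID>2</PartitionID>
              <Label>Windows</Label>
              <Format>NTFS</Format>
              <Letter>C</Letter>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <!-- Install the WIM to partition 2, not partition 1, or the system partition
           ends up holding Windows and the single-partition problem reappears. -->
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>2</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
    </component>
  </settings>
</unattend>
```

After the first boot, `manage-bde -status` on the deployed device should list C: as a BitLocker-capable volume; if it reports that the volume cannot be protected, check that the system partition actually exists and is marked active before assuming a TPM or policy problem.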

[Source]