BitLocker in SCCM with 2nd HDD – NEW and REFRESH Scenarios

There are a couple of challenges when using BitLocker in ConfigMgr 2012. Using Pre-Provisioning and locking a 2nd HDD in REFRESH Scenarios is one such challenge.

Here is how i handle it.

Scenario 1: NEW – Single Disk

Background and overview: New PC or Laptop, single hard drive.

1. Create a PreInstall partition on the disk if there is no available partitions

2. Configure BIOS and TPM (see previous post)

3. Format and Partition Disk0 for use with BitLocker. Create a BDE partition with fixed size 500Mb, NTFS and store the drive letter as a variable BOOTPART. Create a System partition of 100% remaining space, NTFS, store drive letter as OSPART.

4. Pre-Provision BitLocker to “Logical drive letter stored in a a variable” – OSPART

5. At the end of the Task Sequence Enable BitLocker on “Current operating system drive”. Choose to wait for BitLocker to complete before continuing.

Scenario 2: REFRESH – Single Disk

Background and overview: Refresh PC or Laptop, single hard drive.

1. When started from Software Center, disable BitLocker on current operating system drive and reboot to WinPE.

2. If started from USB or PXE, use a script to unlock the operating system drive.

3. continue from step 2, Scenario 1.

Scenario 3: NEW – Additional Disk

Background and overview: New PC or Laptop, multiple hard drives.

1. Out of the box means started from USB or PXE, use a script to unlock OS and data drives.

2. continue from step 2, Scenario 1.

3. When finalizing BitLocker on the OS disk choose to continue on error. This because the attributes will be inconsistent after C, D and E drive letters are reassigned but the BitLocker process will finalize ok.

4. Enable BitLocker on the additional drive, choose either to wait for BitLocker to finish or continue and allow the drive to encrypt in the background. The machine will be usable but the 2nd disk will have limited availability until the process is finished which could be 20 – 50 minutes.

Scenario 4: REFRESH – Additional Disk

Background and overview: Refresh PC or Laptop, multiple hard drives.

1. When started from Software Center, disable BitLocker on current operating system drive and data drives and reboot to WinPE.

2. If started from USB or PXE, use a script to unlock the operating system drive and data drives.

3. continue from step 2, Scenario 1.

3. continue from step 2, Scenario 3.

Here are some screenshots of the TS:



SCCM Add Computer Associations With Powershell – Code

Below is the source code for this tool. I would like to compile it a bit better so it is more dynamic: it uses an ini file called acatsv4t.ini which should really be in a proper ini format with tags to allow config of the available options, for example available language and OS. Once I have the ini config sorted i’ll compile as an exe, with an install/self-extract routine.

Code is provided as is. No official support provided and i accept no responsibility for misuse. Other than that, hope it comes in handy.


MDT 2010 Update 1 Quick Start

My latest customer does not have requirements at the moment for SCCM, or funds or resources because it is a school with a tight IT budget.

So to roll-out new operating system images i’ve established a server and installed MDT 2010 Update 1.

Here is a quick start guide for MDT with a SQL database.

1. Build servers, or domain infrastructure. I am using a SQL Server 2008 R2 server for the MDT database.

2. Build a server operating system for MDT

3. Install WDS

3.1 Configure WDS – Plenty of resources on the internet about how to do this, i am concentrating here on the final steps of MDT setup, but don’t worry too much about images at this stage as we will replace them later; install the default boot image and configure the PXE response and Boot settings. Configure DHCP according to your environment.

4. Install WAIK It is a huge download

5. Install MDT

6. Configure MDT

6.1 Create Deployment Share

6.2 Add Operating System Image(s) – from source DVD or pre-captured WIM image

6.3 Create New Database in Advanced Configuration

6.3.1 Give the SQL server name, instance and database name

6.3.2 Define the SQL DeploymentShare, this allows the LiteTouch account to authenticate against the SQL Server. When you define this path, make sure the path exists on the SQL Server, this is important.

6.3.3 You can configure the database rules at this stage, it modifies the INI file on the MDT server rather than the database itself.

6.3.4 Configure the bootstrap.ini to include account credentials for connecting to the database.

6.4 Create Simple Task Sequence

That’s it, not a lot of detail i know but i will post next time with pictures and all that kind of stuff. The most important things to remember are 6.3.2 and 6.3.4 – without these settings configured you will get ZTI errors trying to authenticate to SQL in the OSD log.

Now go ahead and add a computer account to the database, and you open up much more flexibillity in MDT, allowing you to deploy to numerous machines with customisable settings.

SCCM Add Computer Associations With Powershell

I can’t wait to get ConfigMgr 2012 up and running. Beta 2 is going into my lab as i type…

Until then…. Yes, ConfigMgr 2007 is fantastic, i love it. But i deploy it at customer sites and as a rule the technicals who are to run and operate it once i have gone have not taken any form of SCCM training. With 2007’s MMC Console it can be a bit daunting for them, so much information, and the access security is not what it should be. So until the launch of 2012 with it’s lovely interfaces and user-friendly-centric operations how can i enable my customers to carry out day-to-day tasks in SCCM?

First of all identify the key stakeholders: Who wants SCCM? Who needs SCCM? Why do they want it? What role in the business do they expect it perform?

FD: Paying for this new technology, wants return on investment.

IT Manager or similar: Probably wants deployment processes streamlined for their staff, to enable them to work more efficiently. Wants to know what IT equipment and licensing they have. Doesn’t care about the technical side.

IT Technician: More interested in the technical aspects. May want to get under the hood, but without training not advisable. Has (hopefully) documented the deployment and operational processes they want to streamline. Knows the applications, the estate, the environment.

For FDs and IT Management, the built-in Reports may well be enough to get information on the estate and inventory, with R2’s Reporting Services Point enhancing this functionality.

For Technicians, those who will be running and maintaining the SCCM environment and carrying out the deployment and administrative tasks with SCCM the MMC console can be a maze of nodes and components.

I identified a need for a customer to carry out basic tasks, such as Import Computer Information. They wanted to quickly add in new hardware to receive OSD Task Sequence Advertisements via PXE. I created a simple tool in Powershell which they could run from their desktop and easily add a new laptop or computer for OS deployment.

First of all, and i won’t go into too much detail here, i set up an OSD Task Sequence, a Collection and advertised the TS. 

In normal circumstances, the technician would open the SCCM console, find the collection with the TS advert and drill-down through the OSD Node, to import the computer using the wizard.

All these steps are possible with WMI.

 The basic powershell to add a computer account to SCCM:

#create Computer Account in SCCM





$inParamsAddEntry.MACAddress =$mACAddress.Text

$inParamsAddEntry.OverwriteExistingRecord =$false

$inParamsAddEntry.NetbiosName =$serverName.Text

$objComputer=$siteClass.psbase.InvokeMethod($methodAddEntry, $inParamsAddEntry, $null)

Next add the direct collection membership rule, this always applies to the collection and not the computer:



$objCollectionRuleDirect.psbase.Properties[“ResourceClassName”].Value = “SMS_R_System”

$objCollectionRuleDirect.psbase.Properties[“ResourceID”].value = $objComputer.ResourceID


And add the computer to the collection using this rule:

$targetCollection=Get-WmiObject -ComputerName “$siteProviderName” -Namespace “root\sms\site_$siteCode” -Class “SMS_Collection” | where{$_.Name -eq $determinedCollection}




$addToCollectionResult=$targetCollection.psbase.InvokeMethod($methodAddToCollection, $inParamsAddToCollection, $null)

I also used Computer Variables to designate if the computer is to be installed with german, french or italian regional settings and keyboard layouts, this is useful when working in Switzerland. First you create an empty array of machine variables:

#create machine task sequence variables



$computerInstance = $machineClass.CreateInstance()









Then you can add variables, i use a Windows Form object to take all this information in from input:



I know i have a left a lot out here, and i will skip quickly to the end, but the important thing i have found is that once you harness WMI and powershell, with windows form objects, you can create all manner of dazzling(?) tools to help make SCCM life a bit easier.

Here is a couple of screengrabs of my tool:

For client management, Roger Zander’s Client Center is still freely available from sourceforge:

And for another method to set regional settings in a task sequence, i found this post very interesting:

Task Sequence Error 80004005 Unspecified Error

I ran into this error today, building a Windows 7 image from a Build and Capture Task Sequence. The SMSTSLog showed the following at the “Setup windows and ConfigMgr” step:

The task sequence execution engine failed executing the action (Setup windows and ConfigMgr) in the group (Build the Reference Machine) with the error code 2147500037
Action output: on information to C:\_SMSTaskSequence\unattend.xml
Successfully initialized driver information
Command line for extension .EXE is “%1” %*
Set command line: “\\SCCMSERVER.LOCAL\SMSPKGD$\100004\SOURCES\SETUP.EXE” “/unattend:C:\_SMSTaskSequence\unattend.xml” /noreboot
Executing command line: “\\SCCMSERVER.LOCAL\SMSPKGD$\100004\SOURCES\SETUP.EXE” “/unattend:C:\_SMSTaskSequence\unattend.xml” /noreboot
Process completed with exit code 31
Windows Setup completed with exit code 31
EnteringReleaseSource() for \\SCCMSERVER.LOCAL\SMSPKGD$\100004reference count 1 for the source \\SCCMSERVER.LOCAL\SMSPKGD$\100004\ before releasing
Released the resolved source \\SCCMSERVER.LOCAL\SMSPKGD$\100004exitCode == 0, HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,440), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,1707)
Exiting with code 0x80004005
Windows setup failed, code 31. The operating system reported error 2147500037: Unspecified error

The task sequence execution engine failed execution of a task sequence. The operating system reported error 2147500037: Unspecified error

It turns out that this was due to using a MAK Product key from the customer in the Task Sequence, the indicator was the “Windows setup failed, code 31” error.

Removing the key solved the problem. Using a Volume key should be ok but haven’t got one to test this out yet.

Hope this helps.