I'm often asked if its possible to use the USMT 4.0 hardlinking (keep backup file on the OS Disk), in combination with bitlocker..
I guess the reason for the question is, that one might think!
- How can I do a backup of a machine, and keep the files on the encrypted drive, and then be able to reinstall that same drive with a new OS, ginning access to the backup that was on the encrypted drive?
- How do I stage WinPE on the Bitlocked disk, and then gain access to that same disk for the OS installation part when inside WinPE.Or at least something like that?
The thing is, that not only is it possible, it will also save you the time it takes to encrypt the drive again, because, even though a new OS is applied to the disk, the encryption is still in effect…
So lets look at the scenarios….
If we have a machine, where bitlocker is enabled, and we choose to do a bare metal installation, where the disk is formatted, we will have to make sure to create the 300+ bitlocker partition, and then start encrypting the entire drive once again…
We could also do a refresh scenario, where the TS is advertised to the running XP/vista/win7 client, and executed from there. In that case, running a standard wizard build TS (unless its a MDT Task Sequence, and I'll get back to that), the TS is either going to backup to the SMP (state migration point), or boot directly to WinPE depending on whether or not the USMT part is enabled. either way, the TS I going to fail, because we cannot stage WinPE on a locked drive, and therefore, not boot into WinPE!
This small bump in the road, is easily fixed though, by adding an extra step to the TS, that temporarily disables Bitlocker
By adding this step, bitlocker is temporarily disabled, and access to the locked drive will become available, enabling the TS to put WinPE on to the disk.
Be aware though, that by default SCCM cannot stage WinPE on a bitlocked harddisk if it is in the process of being either encrypted or decrypted. There is however no problem, if the disk is fully de-or encrypted. For testing scenarios where you might be I the proses of doing exactly that, WinPE can be stage on the Bitlocker Boot partition if it has a drive letter assigned, and has at least 500 MB free space.
Once WinPE is on the disk, the computer will reboot, pick up the TS, and format the drive. You then have to create the Bitlocker boot partition again, enable bitlocker on the OS drive, and do the encryption all over again!
Now, lets say that we choose to use hardlinking. In that case all the backup data is stored locally on the disk, which means, we cannot format it, or the data will be lost.. The standard Wizard build TS already has taken this into account, like you se in the picture beneath.
As you can see, The partition step will only run if _SMSTSClientChache, does not exist. When doing hardlink USMT, this variable will be set, and the TS will skip the partitioning step. The “Apply Operating system Image” step will by default clean the disk, but not format (basically leaving the USMT data intact). The Clean/wipe of the disk also keeps the disk bitlocked, so all you will have to do is enable bitlocker again at the end of the task sequence, and the disk will be locked, and fully encrypted straight away.
Note: If you, like me, have a step that creates the Bitlocker boot partition, just put a “continue on error” on it, as it will fail if the boot partition is already there!
So, what can be concluded from this! Well the most important thing is that Hardlink and Bitlocker works perfect together, but also that it actually gives you the benefit of not having to run the entire process of locking down the disk again, as it is already locked… So if you are reinstalling machines with bitlocker enabled, and you do not do and USMT or use the SMP to store the data, make sure to do refresh, and set options on your partition step so that the disk is not formatted… If you use a MDT build TS, this is default, and so is hardlinking if you have the step “Determine Local or Remote UserState”