10 Replies Latest reply on Mar 8, 2017 11:38 AM by ampingitore

    Surface Pro 4 Image and BitLocker


      Hello Everyone,


      I am currently working on building a Windows 10 image that we can deploy to our Surface Pro 4's that we are purchasing now. I have built the image in a UEFI virtual machine and captured it successfully.


      I am able to deploy this image successfully as well to the machine but it appears to be creating an issue for us after the fact.


      We do not use BitLocker for full disk encryption but actually use McAfee MDE with preboot authentication (not my choice, security decision from a while ago). The problem is, after deploying the image to a Surface Pro 4, it shows the drive is encrypted but BitLocker is disabled. McAfee will not encrypt the drive if it detects any kind of encryption at all even if it isn't active like the BitLocker system in this scenario.


      Normally if this were an OEM image that came with the Surface Pro 4, we could go in to control panel and enable BitLocker and then immediately disable it to allow McAfee to encrypt the drive.


      For some reason this process won't work on the custom image as it tries to shrink the partitions to create the recovery partitions but is unable to and gives an error about unmovable files.


      Is there a different method I can use with ImageX or something to create the partitions as they would look on an OEM imaged device? I've included a screenshot of disk management from the Surface Pro 4 when running using the OEM Microsoft image.


      We are currently using LDMS 2016.


      I'd appreciate any help with this or direction given, thank you!

        • 1. Re: Surface Pro 4 Image and BitLocker
          Zak Rookie

          We experienced a similar issue with Surface Pro 4 + Winmagic SecureDoc using bitlocker encryption as well.


          As a workaround, I just decrypt / disable encryption and reboot using the commands below. You should be able to install your McAfee MDE (w/ bitlocker) afterwards without issue.


          1. Open a command prompt as administrator.

          2. run: manage-bde -status

          It will probably say something is encrypted...

          3. run: manage-bde -off c:


          It will decrypt the drive pretty quick and you can check its status using the first command. Once complete I would reboot for good measure and try to install normally.
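          As an added example (not part of any reply in this thread), here is the same check-then-decrypt sequence as a PowerShell script suitable for a provisioning step: it reports the volume state, runs the equivalent of `manage-bde -off`, and then waits for decryption to finish before returning, so the MDE install does not start against a volume that is still partly encrypted. It assumes C: is the OS volume, a 60-minute wait limit, and the BitLocker PowerShell module (present on Windows 10) in place of parsing `manage-bde -status` output.

```powershell
# Added example, not from the thread. Assumptions: C: is the OS volume, the
# BitLocker module is available, and the session is elevated.
param(
    [string]$MountPoint = "C:",   # assumption: OS volume letter
    [int]$TimeoutMinutes = 60     # assumption: how long to wait for decryption
)

Import-Module BitLocker -ErrorAction Stop

# Returns the pieces of the volume state that matter here, in one object.
function Get-OsVolumeState {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus      # FullyDecrypted, FullyEncrypted, DecryptionInProgress, ...
        ProtectionStatus     = $vol.ProtectionStatus  # On / Off ("encrypted but BitLocker disabled" shows as Off)
        EncryptionPercentage = $vol.EncryptionPercentage
        KeyProtectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ","
    }
}

$state = Get-OsVolumeState -MountPoint $MountPoint
Write-Host ("Before: status={0} protection={1} encrypted={2}% protectors=[{3}]" -f
    $state.VolumeStatus, $state.ProtectionStatus, $state.EncryptionPercentage, $state.KeyProtectors)

if ($state.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "Nothing to do: volume is already clear."
    exit 0
}

# Equivalent of "manage-bde -off C:" from the reply above: removes the key
# protectors and starts background decryption. The call returns immediately.
Disable-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null

# Poll until the volume reports FullyDecrypted or the wait limit is reached.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $state = Get-OsVolumeState -MountPoint $MountPoint
    Write-Host ("Decrypting... status={0} encrypted={1}%" -f $state.VolumeStatus, $state.EncryptionPercentage)
} while ($state.VolumeStatus -ne 'FullyDecrypted' -and (Get-Date) -lt $deadline)

if ($state.VolumeStatus -ne 'FullyDecrypted') {
    Write-Error "Decryption did not finish within $TimeoutMinutes minutes; not safe to start the MDE install."
    exit 1
}

Write-Host "Volume is fully decrypted; reboot, then continue with the MDE install."
exit 0
```

          The non-zero exit code on timeout or error is the point of wrapping the command: a provisioning template can then fail the step visibly instead of letting the McAfee install run against a volume that still reports encryption, which is the silent failure described in the original post.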

          • 2. Re: Surface Pro 4 Image and BitLocker

            Wow! I can't believe it was this simple. I'm adding a step in provisioning to do this so that we can have McAfee install normally at the end. Thank you and I will report back as soon as I definitively know whether this worked or not.

            • 3. Re: Surface Pro 4 Image and BitLocker

              OK I created a simple batch file to run the command in provisioning right after it boots into windows and after the provisioning agent is installed. It doesn't seem to run in that context but if I just run it manually right there it seems to work. Do you have any idea why it doesn't seem to like the command being executed by provisioning?

              • 4. Re: Surface Pro 4 Image and BitLocker

                Most likely because it is being run as SYSTEM (we have several batch scripts that we cannot do in an "execute file" method). Your only options are to package it and use "Distribute Software" specifically stating a user to run as (which is not an ideal scenario), or fix your reference machine.


                What type of method are you using to deploy your reference images? ImageW, Symantec, or ImageX? I don't know about the Symantec portion, but ImageW captures the entirety of the virtual hard drive (including boot sectors).


                We use ImageX, for the simple fact that it ONLY captures the Windows partition - and because of this, we are able to deploy the same image to either EFI or BIOS machines, and our reference VM is set in Legacy BIOS.


                We also use MDE, and have successfully deployed hundreds of Surface Pro 4's without bitlocker ever being present to begin with; don't have to fix what doesn't appear.


                Our steps:

                Action Type: Partition → Create Default Partitions

                Action Type: Deploy Image → ImageX → /apply \\path\to\reference\image.wim 1 C:

                Action Type: Execute File → Target: bcdboot.exe → Parameters: C:\Windows /s S:


                If you're using something else, reach out and I'd be happy to assist in any way I can.

                • 5. Re: Surface Pro 4 Image and BitLocker


                  I just tried running it as "current user" as a distribute software step in provisioning, before I did have it as localsystem. That didn't seem to make a difference.


                  I am using ImageX and performing the apply steps exactly as you are listing them there, although I wasn't aware that you didn't have to build the .wim for EFI on an EFI system, that is good to know.


                  I'm curious as to how your MDE is deploying to a Surface Pro 4 because the BDE, while not activated, does show the drive as encrypted and from what my McAfee engineer tells me, MDE will not deploy to the machine and install/activate if it sees a competing encryption on the device.


                  I really appreciate everyone's assistance with this and hopefully can have this figured out very soon.

                  • 6. Re: Surface Pro 4 Image and BitLocker
                    Kenyon Expert

                    I had this same issue as we use Symantec drive encryption. It looks like Windows 10 anniversary edition (1607) automatically enables Bitlocker when TPM is detected. The initial Windows 10 release did not do this.


                    Disable TPM in the BIOS before the machine is imaged and Bitlocker will not automatically enable thus allowing other drive encryption tools to work.

                    • 7. Re: Surface Pro 4 Image and BitLocker

                      Kenyon, do you know if re-enabling TPM after the fact will re-engage the encryption process? This might be the right path because running that command in provisioning doesn't seem to work any way I've tried. I'm going to do some testing around this and report back.

                      • 8. Re: Surface Pro 4 Image and BitLocker
                        Kenyon Expert

                        If the drive is encrypted with McAfee, I don't believe that Bitlocker will be able to activate. So I don't believe that re-enabling TPM will re-engage Bitlocker. I didn't bother to re-enable TPM afterward because Symantec does not take advantage of it.

                        • 9. Re: Surface Pro 4 Image and BitLocker

                          This could be the key takeaway: TPM. We always leave it disabled in our environment. As a side note, it appears as if you can enable TPM via the command line with manage-bde: Manage-bde: tpm


                          Not that this will help in automation; it's essentially the same thing that you're doing now, just a different switch. Still, at least that saves you a reboot into the UEFI firmware.

                          • 10. Re: Surface Pro 4 Image and BitLocker

                            This is the solution it seems, working perfectly now with TPM turned off. Thank you all for the help on this.