OSD: bitlocker pre-provisioning, what's the mechanism?

Similar Messages

• Prestaged Media and Bitlocker Pre-Provisioning

  Hi all
  I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
  I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
  I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
  What I cant get to work, it both together.
  In an ideal world, I would pre-provision the bitlocker in the pre-staging task sequence before deploying the data image. bit I cant get it to work.
  If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
  If I make the larger partition the boot partition, the bitlocker pre-provisioning task tells me that the disk os the os image and fails to work
  has anyone done this or have any ideas?
  thanks
  Stephen

  I guess the pre-provision bitlocker cannot work for booting Windows PE. This is why the system cannot boot.
  The screenshot is a capture of the prestage disk bcd store. We can see the system boots from a ramdisk mouted from boot.wim. The process is different from a traditional system boot, the wim cannot be booted from anencrypted disk.
  Juke Chou
  TechNet Community Support

• What is the mechanism to choose which overloaded method

  in the example
  public class A
    public void m(Object o)
      System.out.println("Object");
    public void m(Integer i)
      System.out.println("Integer");
    public void m(Double d)
      System.out.println("Double");
    public static void main(String[] args)
      A a = new A();
      a.m(null);
  }Which method is called and why... What is the mechanism by which the compiler decides on the method to call...
  Not significant since I'd shoot anyone writing their code like this... But hey curiosity killed the cat...
  Talden

  Yep, this example gives the following error (under 1.4):
  Test.java [26:1] reference to m is ambiguous, both method m(java.lang.Integer) in Test and method m(java.lang.Double) in Test match
  Casting null to either Object, Double or Integer should work fine. I think what your getting at is something I've hit myself - what if I got an object from some method as a return type - why can't I call "m" on it and have java determine which method to call? I think this might be introduced in 1.5 with the new generics stuff, but I'm not sure.....

• SCCM 2012 R2: OSD Windows 7 Bitlocker pre-provisioning

  Hi,
  I succesfully configure bitlocker for Dell laptops during our W7 task sequence (thanks to this guide: http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/)
  Now I want to do the same for HP, found this link http://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html but it seems a config for AFTER installing Windows, not in WINPE.
  During the TS, OS reboots and then says "no OS found", so I'd need to enable the TPM/bitlocker differently.
  Please advise (enabling bitlocker in TS, WINPE phase (pre-provision bitocker) for HP models).
  J.
  Jan Hoedt

  Hi,
  The pre-provisioning is the same for all vendors, it is the TPM part that is different from Vendor to Vendor so you can use these steps to enable TPM in the beggining och the Task Sequence and then let the pre-provisiong step enable bitlocker.
  Regards,
  jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Can not install Windows 8.1 to a Bitlocker Pre-Provisioned volume

  Hello,
  I'll come straight to the point. What I'm trying to do is to install Windows 8.1 Enterprise to a Pre-Provisioned volume but Windows does not let me do that. The steps I've performed are.
  With Microsoft ADK I created me a WinPE media which has the components installed to get the manage-bde command working. I used the article hxxp://technet.microsoft.com/en-us/library/hh824926.aspx for that.
  I prepared an USB stick with the manage-bde components on it and booted my test laptop with it.
  Started diskpart and used commens in order to get a new clean partition:
  Select Disk 0
  clean
  Create Partition Primary
  Format fs=ntfs quick
  Assign letter=c
  exit
  After that I pre-provisioned the volume with the command:
  manage-bde -on -used c:
  When I check with manage-bde -status it states that:
  Conversion Status: Used Space Only encrypted
  Percentage: 100
  Protection Status: Protection Off
  Lock Status: Unlocked
  Identification Field: Unknown
  Automatic Unlock: Disabled
  Key Protectors: None Found
  OK. After that I use the net use command to map a network share with the Windows 8.1 x64 Enterprise installation media itself. I execute setup.exe without any parameters.
  I can navigate all the way through the dialog "Where do you want to install Windows?". I can see there now "Drive0Partition 1" with a Total size of 119.2 GB and almost as many free space BUT when I select it and click next there comes
  only a warning dialog saying:
  We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
  The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
  BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
  What I am missing here? Is there a special trick how to get Windows installed on a pre-provisioned drive? I also loaded the correct driver for the disk controller but no help. As soon as I clean the disk and create the partition new without pre-provisioning
  I can install Windows without any problems.
  Sorry for the long text. Hope someone of you has an idea.
  Regards
  Robert

  We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
  The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
  BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
  Hi,
  For this issue,when you assign letter,you need to mark a partition as active.
  Using a command line
  1.Open Command Prompt.
  2.Type: diskpart
  3.At the DISKPART prompt, type: list partition
  Make note of the number of the partition that you want to mark as active.
  4.At the DISKPART prompt, type: select partitionn
  Select the partition, n, you want to mark as active.
  5.At the DISKPART prompt, type:
  active
  Hope this helps.
  Regards,
  Kelvin Xu
  TechNet Community Support

• What is the mechanism behind processing credit card payment on net?

  Excuse my ignorance, i just completely dont have any knowledge about it. Here is what i thought: when a customer submit his/her credit card information on a e-commerce site, the site's server will make remote request to Bank's(?) server, which would verify the information user has provided, payment would be proceeded if those information is correct and sends message back to the e-commerce site's server. Or if the payment cant not be proceeded,the e-commerce site's server receives error message possibly saying the user's credit card info can not by verified. someone plz correct me if there are any mistake.
  So, how can i simulate this mechanism on a single pc? What i thought was i need to set up a db on mysql which simulates the bank's db, stores people's credit card info. For the e-commerce site i run on Tomcat, i may set up db connection(JDBC) to this db and verify user's credit card info. But i dont think this is how it works in reality, isn it? It would be possibly using java RMI(i am just guessing, havent digged into this area yet) to complete the task. So, if this is the case, can i simulate it on a single pc? Or do i have to phycially have two PCs, have both of them connected to my house's LAN, one runs e-commerce website on tomcat, the other runs mysql db server, then i can start simulating it by using java RMI? This is just something i've been wondering these day. As the uni's long holiday getting closer, i am thinking of giving myself a project gotta be something like this, so i would not get bored during the holidays. I really wish someone would explain me some ideas. Many many thanks...

  If you're asking if you can run the database server on
  the same machine as Tomcat, yes you can. (Although in
  a real e-commerce site, that would be less secure than
  having the database server behind a firewall.)
  yes, i am runing both mysql db and Tomcat on my pc. So, i am wondering that i could possibly set up two separate databases, one holds data for whatever e-commerce site i am going to build, and the other simulates the bank's database that stores peope's credit card information, which can be accessed by the e-commerce site's JSP pages thru RMI for the purpose of validating credit card information. On the other hand, honestly, i am even asking myself what's the point or purpose of doing it in such a way? In fact, this is one of my subjects' project, that we've been given much flexibility about the way we simulate/implement the interaction between e-commerce site and bank's database. The goal is just trying to make it as close to what's happening in reality as possible. I was thinking of just creating a table that holds users' credit card information and put it with other e-commerce's site db tables altogether. But that just sounds like too far away from how it is done in reality, doesnt it? That's why i came up with the above ideas, what still not sure if it's proper way of doing it. Jesus, i am missed....
  If you are asking how an e-commerce site really
  interacts with a bank for credit card validation, I
  have no idea. But you could simulate that with a
  database, although I'm pretty sure the real method
  doesn't involve JDBC or RMI or any Java-specific
  technology.so, does anyone have ideas about how it is implemented in real life?
  many many thanks...

• WHAT IS THE MECHANISM FOR AUDITING PORTAL USER ACTIVITY

  Is there any default mechanism for auditing a portal users access to
  tables. At the DB level, we are seeing the portal_public user but we want to see the portal user instead; e.g. we need to report on activity such as: portal user johndoe deleted a row of data from a table.
  johndoe is only a portal user not a database user.
  We are trying to keep from writing additional custom code to auditing. We are
  using wwctx_api.get_user_id in other parts of the application and we would like
  to avoid writing a custom auditing module.

  William,
  I'm not sure if this is what you are looking for, but...
  When you create (or edit) a component in Portal 10g, there is a Log Activity check box. If you check this box, then go to Manage the component (in the Portal Navigator), there are Develop, Manage and Access tabs. The Manage tab has a Monitor icon, which has the information you may be looking for. This does not seem to be available directly for database tables. However, I created a Calendar, based on a database table I created to keep track of the Calendar Events. I also created a form to allow users to add Calendar Event entries. I turned logging on for both components. The Monitoring allows me to see when each user has accessed the Calendar, and who and when they insert, update or delete entries from the Calendar table.
  -Ricky Burke

• What is the mechanism behind change documents.

  Dear Experts,
  As we all know Change pointers is applicable only for Master Data changes.But in my situation I have to trace changes to a transaction data like (sales order delivery status) and trigger a ALE for IDoc generation ,if the delivery status is confirms.
  So my question is ,Is there any way we can implement the change pointers concept to this type of scenario.
  Please participate   activity in this discussion.
  thanks,
  jeevan.

  You might want to search SDN or Google - the ALE/EDI scenario with order output is very common and I'm sure you'll find a lot of information.
  Your SD functional specialist should be able to help you with the output configuration. It is done in SPRO or in NACE transaction (orders are under V1 - Sales). You might want to create a new output type for the IDocs.
  As far as the additional requirements when the IDoc should and should not be created - this could be handled with the requirement routines. They are assigned in the output configuration (access sequence). This is actually the only part where ABAP is needed, everything else should be done by your SD consultant.
  Here is a rather old book, but it's a good starting point (and free):
  http://www.angeli.biz/www5/books/IDocBook/IDocBook.pdf
  If you're planning to deal with IDocs a lot, I'd definitely recommend investing in the IDoc "bible" by A.Nagpal.

• The mechanism of Delete Row and Unto in program BCALV_GRID_EDIT

  Hi Experts,
      Users need to Delete/Insert/Change a row in OO ALV report and the row can be Undo when the undo button is press. I find the example program in my system and finally get a program BCALV_GRID_EDIT. Most functions in this program  meet my requirement. But I want to know what is the mechanism of the Delete/Insert and Undo function. For example, if I have delete a row in the screen, and then I press the undo button, the deleted row will be restored in the screen. But I want to know where(Internal table or soemwhere) the deleted row is stored after I press the Delete Row button, and where I can retrieve the deleted row after I press the Undo button. Please help~~
  Thanks in advance.
  Best regards
  Joe

  Hi
  1. first remove the ENDSELECT..use INTO table itab or INTO CORRESPONDING fields, Since you are joining the  more tables this will take lot of time.
  2. You are just using two fields from LIKP as selection screen  fields to fetch the so much data.
  see the table linkings apartfrom KUNNR between the tables
  LIKP-VBELN = LIPS-VBELN
  LIPS-VGBEL = VBAK-VBELN and  LIPS-VGPOS = VBAP-POSNR
  and
  VBRP-AUBEL = VBAK-VBELN and VBRP-AUPOS = VBAP-POSNR and
  VBRP-VGBEL = LIKP-VBELN  and VBRP-VGPOS = LIPS-POSNR
  use the above links and code again.
  <b>Reward points for useful Answers</b>
  Regards
  Anji

• What's that mechanical noise on startup?

  I think it comes from the optical drive. I hit the power button, the drive makes it's noise, and then the speakers go "aaaaaahhh". What's the mechanical noise for exactly?
  On a side note, my best friend's computer is a Santa Rosa MBP (November 2007) with a 7200 rpm hd. His mechanical noise sounds different from mine (Santa Rosa June 2007 5400 rpm hd). Why is that?

  Probably the optical drive checking for the presence of a disc, KWarp.
  Why does yours sound different to your friend's? A different brand or model of drive perhaps (You can check this using "System Profiler")
  Cheers
  Rod
  Message was edited by: Rod Hagen

• Pre-provision bitlocker during OSD with a Windows 7 Enterprise image fails at Enable Bitlocker - SCCM 2012 SP1 beta

  I'm trying the SP1 feature to pre-provision bitlocker during OSD, using an MDT integrated task sequence.  It seems like the pre-provision part is working, but when the task sequence tries to enable bitlocker after installing the
  OS, it fails.  ZTIBDE.log contains the following:
  Property UDI is now = ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Microsoft Deployment Toolkit version: 6.1.2373.0 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  The task sequencer log is located at C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  System drive is: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  The deployment method is using ConfigMgr. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Property BdeInstallSuppress is now = NO ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  This script is not currently running in Windows PE ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  We are running a OS that supports BitLocker ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  This is a Refresh Build where BDE protectors were disabled. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  OS Version is Windows 7 or higher. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Encryptable Volume Count:1 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Attempting to bind to: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Success setting oBdeVol ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  BDE Instance Bind Complete ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  Attempting to enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  FAILURE ( 6767 ): -2144272377 0x80310007: Enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
  This laptop is in an OU with bitlocker related settings applied via GPO, including allowing enhanced PINs, requiring backup of the recovery passwords and key packages to AD, and to require TPM+PIN for the startup authentication.  
  Bitlocker provisioning is working on my production server using only MDT (No SCCM), with a task sequence deploying Windows 7.  I copied some of the variables from the customsettings.ini over to a collection variable in SCCM for
  the collection I'm testing deployment to. Putting those same variables in collection variables should work the same as if they were in the custom settings, but only for members of that collection, right?
  The variables set in the collection variables area are
  BDEInstall - TPMPIN
  BDEInstallSuppress - NO
  BDEPin - SET
  BDERecoveryKey - AD
  BDERecoveryPassword - TRUE
  TPMOwnerPassword - SET
  OSDBitlockerMode - TPMPin (This one wasn't copied from the other MDT share, but added just for sccm. 
  I didn't copy the BDEWaitforEncryption variable, it didn't seem like that one would be necessary with the pre-provisioning.   What am I doing wrong here?

  If not you could add a set variable action to your task sequence after the UDI wizard to set OSDBitLockerPIN to %BDEPin%. You could add a condition to the action to only run if BDEPin exists.
  I don´t quite fallow, how I can switch these variables between. I admit I some time have difficulties to understand the variables. Could you mark discribe me the settings of set variable step I have to enter. Thanks!
  With Confmgr step Enable Bitlocker I have another issue - it does not allow to to enter pin code with letters.
  No problem :-). There is a task sequence action called "set task sequence variable". Just add one of these actions to the task sequence after the UDI wizard. There are only two things you have to configure in the action, the variable you want to set
  and the value you want to set that variable to. The UDI wizard will create the variable BDEPin with a value equal to the PIN you enter in the UDI wizard page. So in your "set task sequence variable" action enter the variable name as OSDBitlockerPIN
  and the value as %BDEPin%. This action will then create the OSDBitlockerPIN variable with the value that was stored in BDEPin by the UDI wizard. The built in SCCM action will then use this as the PIN rather than whatever value is configured in the task sequence
  editor.
  However the best solution would probably be to get the UDI wizard to set OSDBitlockerPIN rather than BDEPin in the first place. I think you can do this in the UDI wizard editor or directly in the XML. I don't use the editor these days so can't recall offhand.
  I will take a look at this next week.
  Most of the task sequence actions support variables and it enables you to configure the action dynamically at runtime. For example the same sequence can be used to deploy systems into different domains, languages, applications etc. all by setting variables.
  It's the basis of how the UDI wizard works, it just sets variables which are then consumed by either MDT scripts or task sequence actions. The variables can be configured by UDI, collections, MDT customsettings.ini, MDT database or scripts. Dynamic deployment
  is definitely the way to go :-).
  I think you are correct about the built-in action not supporting enhanced PIN. I think it only supports standard numeric PIN. Whether setting the PIN via the variable works around a restriction in the task sequence editor I am not sure, I suspect not.
  Mark.

• MBAM Agent Key Escrow Issue After Pre-Provisioning Bitlocker in SCCM TS

  Hello, I'm having an issue with MBAM key escrow now that we have moved to using pre-provisioned Bitlocker. After imaging completes the initial key escrow works properly (the MBAM Agent transmits the Numerical Password key protector to the MBAM server) however
  the MBAM Agent no longer automatically changes the Numerical Password when the recovery code is revealed in the
  MBAM Drive Recovery console. As far as I can tell MBAM is supposed to change this on the user's computer within 90 minutes by default and this behavior cannot be changed.
  I have tested this using a previously-imaged computer that didn't use pre-provisioned Bitlocker. After revealing the recovery code in the MBAM console, the computer's Numerical Password protector was automatically changed as is expected. However
  on the computers imaged with the pre-provisioned Bitlocker this does not happen.
  Here are the versions of the software we're using:
  SCCM 2012 R2
  Windows 7 Enterprise SP1 x64
  MBAM Agent v2.0.5301.1
  The task sequence steps we are using consist of:
  Ensure TPM is activated
  Format and partition drive 
  Pre-provision Bitlocker, Encrypt Used Space Only mode
  Apply Windows 7 image, install drivers and software, etc
  Use manage-bde to set key protectors (-TPM and -RecoveryPassword)
  Run the MBAM activation script
  Use manage-bde to turn on Bitlocker on the drive
  There are no error messages displayed and I can't see anything in the Event Viewer which would point to the root cause. The MBAM logs in Event Viewer are all Operational logs which simply state that the
  'MBAM policies were applied successfully'.
  Is this a known issue with pre-provisioned Bitlocker and MBAM? I haven't been able to find any information regarding this issue so any help would be greatly appreciated.
  Thanks,
  Justin.

  According to the
  MBAM TechNet documentation the client should log in the Microsoft-Windows-MBAM/Operational
  section of Event Viewer. However:
  The test computers do not show any error messages in the MBAM Operational log section. The only entries present are Information events
  that state "The MBAM policies were applied successfully"
  The test computers also don't seem to show any general Security or System Error logs related to Bitlocker or MBAM
  According to the TechNet documentation listed above, when a machine has its Numerical Password reset there should be a
  'RecoveryKeyReset' event logged. However on the laptop where MBAM is changing the Numerical Password I do NOT see this event (though I have confirmed with manage-bde that the recovery password was changed successfully). The only events I see
  are, again, Operational logs for Information events that state "The
  MBAM policies were applied successfully".
  I'm not sure why there aren't any errors logged, or why that laptop isn't generating that RecoveryKeyReset event like it should. As far as I can tell there isn't any way to change what the MBAM client logs, right? I didn't see any logs in AppData or Program
  Data so I have to assume everything is supposed to be logged in Event Viewer.

• Pre-provision BitLocker and Server 2008 R2

  Hi,
  I am trying to pre-provision BitLocker during WinPE and then install Windows Server 2008 R2. This results in a BSOD after the operating system image has been applied. Does anyone know if pre-provisioning bitlocker is supported or works on Server 2008 R2
  (like it works on Windows 7 SP1)?
  On technet I found the following regarding Server 2012: http://technet.microsoft.com/en-us/library/jj612864.aspx
  There it states:
  For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before
  the server operating system is installed as part of your deployment.
  Has anyone pre-provisioned BitLocker on Server 2008 R2?
  Regards,
  Carl

  I am creating the BDE partition as mentioned and have used pre-provisioning of bitlocker without issues on win7, but the same thing does not seem to work on server 2008 r2 and results in BSOD. I suspect it could be related to the fact that BitLocker is not
  installed on server 2008 r2 by default, so I'll try to add bitlocker using DISM and see if it makes any difference. 
  Another issue is that I have to create 2 partitions on the drive besides the BDEDrive (so 3 partitions in total), this messes up SCCM and it looks for the media from the wrong location, more info in this thread:
   http://social.technet.microsoft.com/Forums/en-US/0b24b745-b890-494e-993c-1f1f307af960/configmgr-client-does-not-install-during-osd-trying-to-use-wrong-setup-path?forum=configmanagerosd#a4914c0d-1f56-4ba2-a745-b43fb0005e55
  Carl

• SCCM 2012 R2 OSD - Pre Provision Bit-Locker Drive Label Name Issues

  I am trying to image machines Pre-provisioned for BitLocker.  Everything works great in the Task Sequence except the Drive Label on Boot is "MININT-XXXXX" rather than the actual computer name.  This happens whether the computer is known
  or unknown.
  The only other post regarding this issue I can find suggested changing the OSDComputerName variable name in the TS but that will not work because the hostname is set during the WinPE setup.
  http://social.technet.microsoft.com/Forums/en-US/f9c6f565-e137-4c59-a8de-7314d9b88fe7/how-to-change-computername-on-bitlocker-pinrecovery-password-screen-drive-label?forum=mdt
  I have tried to set the OSDComputerName variable during the Pre-Start and TS but the Drive Label always remains "MININT-XXXXX".
  Any ideas?

  First in Customsettings.ini or in a TS set the %OSDComputerName%
  Then just add this to a Command in the task sequence before provisioning.
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
  SCCM now believes the name of winpe is %OSDComputerName%
  Joakim Tomren

• Pre-provisioned Bitlocker

  SCCM 2012 SP1 with MDT 2013 doing Windows 7 SP1 images. Can somebody who successfully sets up Bitlocker give me some guidance here. I'm looking at Niall's Noob article
  http://www.niallbrady.com/2012/09/23/how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/ about using pre-provisioning.  I realise about setting up AD, and turning on the TPM chip etc. , but my
  confusion is with the BDE variables needed if using the MDT client task sequence which I use
  I see articles about adding variable into the customsettings.ini such as
  bdedriverletter=S
  bdedrivesize = 30000
  etc. but isn't this handled by the MDT TS which creates hidden partition for Bitlocker anyway ??
  I have also seem some articles saying NOT to use the MDT version of enable bitlocker step which I believe runs ztibde rather to use the SCCM step enable bitlocker
  Also if using pre-provisioning which seems to make sense is it sensible to put the client files such as the Dell CCTK into the boot image
  Thanks
  Ian Burnell, London (UK)

  Hi,
  I normally let the builtin format step create the BDEdrive partition, and I normally put the Dell CCTK files in a package instead and reference that package from the task sequence step instead of putting it in the WinPe image, it makes it much easier to
  update if a new model requires a new version of the CCTK.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec