BitLocker and Windows RE are two useful features found in some of Microsoft’s modern operating systems. If you aren’t sure why you’d want either of these technologies, here’s a quick overview.
- Windows RE (the Windows Recovery Environment) repairs many of the problems that used to leave a Windows computer unable to boot. It can start automatically after a failed boot and attempt the repair, so the machine at least boots and the user has a way to get it working properly again.
- BitLocker is full-disk encryption that is included with the higher-end SKUs of Windows. It is very useful for protecting the data on a lost or stolen disk, works well, and gives users in-box functionality instead of having to buy a third-party product to do the same thing.
Though the technologies seem unrelated, they have an important relationship if both are to be implemented successfully. What complicates matters is that the out-of-box settings not only change between versions of Windows but, in some cases, make using the two together impossible or, at best, unreliable. There are choices in how to set this up, and those choices yield different results. This how-to helps you set up your systems so that you have a good shot at a consistent implementation across SKUs and OS versions.
The setup of BitLocker and Windows RE is affected by hard disk partitioning. Since partitioning can’t easily be changed after Windows has been installed, and the BitLocker and Windows RE user interfaces hide what is happening in the background, it is important to set up the hard disk properly from the start. This how-to focuses on the initial disk layout so that the two technologies work properly together.
It is worth noting that Microsoft largely fixed this in Windows 8. Our guidance is in line with what Windows 8 does by default, but it makes the same approach work on other OS versions as well.
1. Pre-create a partition of at least 300MB
I like to create an active partition of 300MB or more at the front of the disk (this guide assumes a BIOS/MBR system, where the active partition is the one the firmware boots from; a UEFI/GPT system uses an EFI System Partition instead). Windows 7 used 100MB, which wasn’t enough room to hold both the BitLocker boot files and the Windows RE image. With Windows 8, Microsoft changed the size to 350MB. It might be splitting hairs, and you don’t want to waste space, but some people make it 1GB on the grounds that disk space is rarely the constraint on endpoints these days.
2. Install Windows 7 to the free space
After creating that partition at the front of the disk, have Windows Setup install Windows 7 into the remaining free space, then enable BitLocker after installation. This way, all of the BitLocker and Windows RE files end up at the beginning of the disk. Another nice part is that you could later put an entire multi-GB recovery image at the end of the disk, since shrinking the main partition and adding one after it isn’t hard to do. Please see the attached image.
The Windows 7 Setup wizard doesn’t offer a way to do this from its user interface, so the partitions are created from a command prompt before Setup runs.
3. Boot from your Windows 7 media
Begin by booting the target computer from your Windows 7 installation media.
4. Open a command prompt
Press Shift + F10 at the first Setup screen to open a command prompt.
5. Create the partitions
At that command prompt, use diskpart to create the two partitions. Run list disk first and confirm which disk is disk 0, because clean destroys everything on the selected disk:
- diskpart
- list disk
- select disk 0 (zero)
- clean (this destroys all contents of the selected disk)
- create partition primary size=350
- format quick
- active (marks the 350MB partition as the system partition the BIOS boots from)
- create partition primary
- format quick
- exit
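The same layout as a diskpart script, added here as an example (this is not code from the original post), so it can be re-run on every reference machine instead of retyped. It assumes the target is disk 0 on a BIOS/MBR system, as in the steps above, and that the file is run from the Shift + F10 command prompt in Windows 7 Setup (for instance from a USB stick). The script name layout.cmd and the volume labels are my choices.

```batch
@echo off
rem layout.cmd - added example, not part of the original post.
rem Assumptions: the target is disk 0, the system boots BIOS/MBR (the "active"
rem flag only applies to MBR disks), and this runs from the Windows 7 Setup
rem command prompt, where %TEMP% is on the WinPE RAM drive.
setlocal
set LISTSCRIPT=%TEMP%\listdisk.txt
set LAYOUT=%TEMP%\layout.txt

rem Show the disks first: "clean" wipes whatever disk is selected, so make sure
rem disk 0 really is the one you intend to erase.
(
  echo list disk
  echo exit
) > "%LISTSCRIPT%"
diskpart /s "%LISTSCRIPT%"

set CONFIRM=
set /p CONFIRM=Type YES to wipe disk 0 and create the layout: 
if /i not "%CONFIRM%"=="YES" (
  echo Aborted, nothing was changed.
  exit /b 1
)

rem Same layout as the manual steps: a 350MB active System Reserved partition
rem for the boot files and Windows RE, then Windows in the remaining space.
(
  echo select disk 0
  echo clean
  echo create partition primary size=350
  echo format fs=ntfs label="System Reserved" quick
  echo active
  echo create partition primary
  echo format fs=ntfs label="Windows" quick
  echo list partition
  echo exit
) > "%LAYOUT%"
diskpart /s "%LAYOUT%"
if errorlevel 1 (
  echo diskpart reported an error; check the output above before running Setup.
  exit /b 1
)
echo Layout created. Install Windows to Disk 0 Partition 2 (the larger one).
endlocal
```

The list partition at the end prints the two partitions so you can confirm the sizes before going back to Setup. On a UEFI/GPT machine this script does not apply: there the firmware needs an EFI System Partition rather than an active MBR partition.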
6. Choose partition where Windows will be installed
When you get to the “Where do you want to install Windows?” dialog box, choose the larger of the two partitions, which should be Disk 0 Partition 2.
7. Windows setup
Complete the rest of the Windows setup like normal.
8. Enable BitLocker
You are now ready to enable BitLocker. There is some overhead here, such as making sure the TPM is enabled in the BIOS. You also have choices about where to store the recovery information (a USB stick, Active Directory, etc.). I’ll stick to enabling BitLocker and leave the decision of where to keep the keys to you. Personally, I like AD plus a USB stick: the USB stick can hold a startup key for unlocking the drive, which AD won’t store (AD holds the recovery password), and it comes in handy in some troubleshooting scenarios. Just make sure you keep that USB stick secure and locked away when not in use.
To enable BitLocker, do the following:
- Click Start
- Click Control Panel
- Click System and Security
- Click BitLocker Drive Encryption
- Click Turn On BitLocker
Again, your computer’s BIOS may need some configuration to enable the TPM. Assuming it is enabled, you’ll see that BitLocker’s drive-preparation step moves the Windows RE files it needs onto the small partition created in step 1. Because of that, if there is ever a problem with C:\, the repair tools are already off that volume. This is more reliable and robust than the Windows 7 out-of-box layout, where the recovery tools sat on the very C:\ partition they would be trying to repair, and which BitLocker would have locked.
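After the wizard has finished, this added example (not code from the original post) verifies from an elevated command prompt the one thing this how-to depends on, that Windows RE really ended up on the System Reserved partition rather than on the volume BitLocker locks, and then does the key storage the author recommends: the recovery password is backed up to Active Directory and a recovery key file is written to a USB stick. It assumes the OS volume is C:, the USB stick is E:, partition 1 of disk 0 is the System Reserved partition (the step 5 layout), and that Group Policy allows BitLocker recovery information to be stored in AD DS. The script name is my choice.

```batch
@echo off
rem verify-bitlocker.cmd - added example, not part of the original post.
rem Run elevated after "Turn On BitLocker" has finished its drive preparation.
rem Assumptions: the OS volume is C:, E: is the USB stick you keep locked away,
rem the System Reserved partition is partition 1 of disk 0 (the step 5 layout),
rem and Group Policy allows BitLocker recovery information to be stored in AD DS.
setlocal

rem 1. The check this how-to is about: Windows RE must live on the System
rem    Reserved partition. If "reagentc /info" still points at partition 2,
rem    the recovery tools sit on the encrypted C: volume they would have to repair.
reagentc /info | findstr /i /l /c:"harddisk0\partition1" >nul
if errorlevel 1 (
  echo WARNING: Windows RE is not on the System Reserved partition.
  reagentc /info
  goto :fail
)

rem 2. Make sure a numerical recovery password exists, then read its protector
rem    ID from manage-bde's own output (the "ID: {GUID}" line) for the AD backup.
set RPID=
for /f "tokens=2" %%i in ('manage-bde -protectors -get C: -type RecoveryPassword ^| findstr /i /c:"ID:"') do set RPID=%%i
if "%RPID%"=="" (
  echo No recovery password protector found, adding one.
  manage-bde -protectors -add C: -RecoveryPassword || goto :fail
  for /f "tokens=2" %%i in ('manage-bde -protectors -get C: -type RecoveryPassword ^| findstr /i /c:"ID:"') do set RPID=%%i
)
if "%RPID%"=="" goto :fail

rem 3. Recovery password to Active Directory, recovery key file to the USB stick.
manage-bde -protectors -adbackup C: -id %RPID% || goto :fail
manage-bde -protectors -add C: -RecoveryKey E:\ || goto :fail

rem 4. Show the result: key protectors, conversion status and percentage encrypted.
manage-bde -status C:
endlocal
exit /b 0

:fail
echo Verification or key backup failed; see the output above.
endlocal
exit /b 1
```

If the AD backup step fails, the usual causes are a client that is not domain-joined, the “Store BitLocker recovery information in Active Directory Domain Services” policy not being applied, or the domain schema not being extended for BitLocker. The recovery key file written to E:\ is a .BEK file; treat that stick as sensitive as the recovery password itself.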
9. Repairing a computer
If a problem ever needs fixing, the computer can fail over into Windows RE automatically. To start the environment manually, press F8 while the target computer boots (Shift + F8 on Windows 8) and then click Repair Your Computer.
10. View repair options
From there you can see the various repair options.
One last consideration is that this work can be done on reference computers to set your organization up for successful mass imaging. Of course, I recommend using SmartDeploy as your imaging solution for its single-image management capabilities.
Spending a little time up front to properly configure your hard drives will help set you up for successful implementation of these two Microsoft technologies.
UPDATE: As of September 10, 2020, SmartDeploy no longer supports the deployment of Windows 7 and Windows Server 2008 R2.