I recently purchased new computers for the office that finally ship with a Trusted Platform Module. Since our company uses a sysprep image to image the HDDs, I hit a few snags so here’s what I had to do to enable BitLocker:
First I started by imaging the drives. I actually prepare my sysprep image using Hyper-V – I have a virtual machine with Windows 7 Enterprise edition loaded, all the apps I need etc.
I then image the drives. Here’s how:
1. I make sure the VM is not running (shut down the machine after having run sysprep /generalize).
2. I mount the VHD using Disk Management:
3. I connect the drive to be imaged to the computer using an ESATA Dock like this one:
http://thermaltakeusa.com/Product.aspx?C=1346&ID=1895
4. Using hard disk cloning software (you can pick your favourite – I happen to use Acronis TrueImage) image the drive, making sure to leave at least a 100MB primary partition (that’s the one that doesn’t get encrypted).
As a side note: since my .vhd is small – around 35GB – and the destination HDD is large – 256GB, 512GB or more – I always manually adjust the partition size. Sure, the software could “Automatically” / “Proportionally” do that, but if you let the software do it you end up growing that primary 100MB partition to something larger, which is just a waste of space… so choose the “Manual” clone mode, and then force the primary partition on the destination disk to be exactly the same size as on the source disk: 100MB. After you do that, for some reason Acronis leaves some unused space, so now select the second partition, right-click it and choose Edit, and it will have already “grown” the partition to consume that available space. Click OK and you’re good to go.
5. After you’ve imaged the drive, put it in the destination computer, do all your driver config, etc.
6. Enable the TPM in the BIOS, and make sure you “Activate” it – both should be BIOS settings.
7. Try to enable BitLocker. If you get an error saying that the computer doesn’t meet the boot sector prerequisites, or complaining about the MBR, then you need to do this:
a) Restart the computer, pressing F8 to get the Windows boot menu. Boot to the “Repair My Computer” option – the Windows Recovery console.
b) Choose the option to open a command prompt then at the command prompt window type these two commands:
bootrec /fixmbr
bootrec /rebuildbcd
8. Reboot, then enable BitLocker. Print / save the encryption key, and you’re good to go.
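Here is an added PowerShell script (my own example, not part of the original post) that checks the things steps 6 and 7 depend on – that Windows actually sees the TPM as enabled and activated, and that an active boot partition exists – before running the same BitLocker enablement from the command line with manage-bde. It assumes Windows 7 Enterprise or later, an elevated prompt, and that the OS volume is C:.

```powershell
# Added example, not from the original post. Assumes Windows 7 Enterprise or later,
# run from an elevated PowerShell prompt, with the OS volume on C:.

# 1. TPM state as Windows sees it after the BIOS "Enable" + "Activate" step (step 6).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM visible to Windows: check that it is both enabled AND activated in the BIOS.'
}
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
"TPM enabled: $enabled  activated: $activated  owned: $owned"
if (-not ($enabled -and $activated)) {
    throw 'TPM is present but not enabled/activated; fix that in the BIOS before continuing.'
}

# 2. The unencrypted boot partition kept at 100MB during cloning must exist and be the active one.
#    If it is missing, that is the "boot sector prerequisites" / MBR error from step 7,
#    and bootrec /fixmbr + bootrec /rebuildbcd from the recovery console is the fix.
$active = Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.BootPartition -eq $true }
if (-not $active) {
    throw 'No active boot partition found; run bootrec /fixmbr and bootrec /rebuildbcd from WinRE.'
}
"Active partition: {0} ({1:N0} MB)" -f $active.DeviceID, ($active.Size / 1MB)

# 3. Current BitLocker state of the OS volume before making changes.
manage-bde -status C:

# 4. Step 8 from the command line: TPM protector plus a recovery password, then turn
#    encryption on and print the recovery password so it can be saved or printed.
manage-bde -protectors -add C: -tpm
manage-bde -protectors -add C: -RecoveryPassword
manage-bde -on C:
manage-bde -protectors -get C: -type RecoveryPassword
```

The recovery password printed by the last command is the one to keep somewhere off the machine; without it a drive whose TPM measurements change (BIOS update, motherboard swap, re-cloned boot partition) cannot be unlocked.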