Bitlocker – Not able to stage Boot Image on Bitlocker Partition

Issue

While working on an issue, we found that the Task Sequence was failing with error code 0x80070070.

If you look up the error code, it is equivalent to:
We were facing this problem on existing machines (which had already been built previously); newly purchased systems were not affected.

Workaround

As a workaround, we could use the Diskpart utility, running the following commands in this order, to get the issue resolved:
Press F8 to open Command Prompt
Type Diskpart
Type clean
Type “Create partition Primary”
Type “Format fs=ntfs quick”
Type “Active”
Type Exit

Now start the Task Sequence again; it will continue without any error.
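The Diskpart workaround above, written up as an added example (not code from the original post) that can be run from the WinPE F8 prompt once PowerShell is started. It assumes the WinPE-PowerShell optional component is in the boot image and that the OS disk is disk 0; both are assumptions, and Show-Disks is there to verify the disk number before anything is wiped. It adds an explicit select disk step, which the interactive sequence above relies on the operator to know, and refuses to run clean without -Force.

```powershell
# Added example (not from the original post): the Diskpart workaround as a
# repeatable script for the WinPE F8 prompt, with the target disk selected
# explicitly. Assumes the WinPE-PowerShell optional component is present and
# that the OS disk is disk 0 (an assumption; check with Show-Disks first).

function Show-Disks {
    # Run 'list disk' through a script file so the output can be read
    # before deciding which disk to reset.
    $script = Join-Path $env:TEMP 'listdisk.txt'
    'list disk' | Set-Content -Path $script -Encoding ASCII
    diskpart /s $script
}

function Reset-OsDisk {
    param(
        [int]$DiskNumber = 0,
        # 'clean' wipes every partition on the disk, including the encrypted
        # OS volume. Do nothing unless the caller passes -Force.
        [switch]$Force
    )
    if (-not $Force) {
        Write-Warning "Disk $DiskNumber would be wiped. Re-run with -Force to proceed."
        return $false
    }

    # Same commands as the post, plus 'select disk' so diskpart does not fail
    # with "There is no disk selected". 'active' is only valid on MBR disks;
    # on a GPT/UEFI disk diskpart rejects it and this function reports failure.
    $commands = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick
active
exit
"@
    $script = Join-Path $env:TEMP 'resetdisk.txt'
    $commands | Set-Content -Path $script -Encoding ASCII

    diskpart /s $script
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "diskpart exited with code $LASTEXITCODE; disk $DiskNumber was not fully reset."
        return $false
    }
    return $true
}

# Usage from the F8 prompt after starting PowerShell:
#   Show-Disks
#   Reset-OsDisk -DiskNumber 0 -Force
```

The script file is written to WinPE's own temp directory (X:\Windows\Temp), so nothing is left on the target disk, and diskpart's exit code is checked so a rejected command (for example active on a GPT disk) is not silently ignored before the task sequence is restarted.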

But this did not seem to be a permanent solution in the environment, as many companies use a ZTI approach, and this workaround requires somebody to intervene and clean the disk manually before the deployment can continue. Moreover, what is the root cause, so that the issue can be resolved once and for all?

Root Cause Analysis

Our existing machines had 2 partitions: 1. a hidden 300MB Bitlocker partition, and 2. the remaining partition. Our second partition is Bitlocker encrypted, hence from the WinPE Boot Image you can see only 1 partition (i.e. the 300MB Bitlocker partition) as usable. The Boot Image cannot be staged on the encrypted partition. Our Boot Image size was more than 400MB, so it is quite logical that we get the error: a 400MB Boot Image is trying to stage (download from the DP) onto a 300MB Bitlocker partition.
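A pre-flight check for the condition described above, added here as an example (not code from the original post). Run from the WinPE F8 prompt, it lists the volumes WinPE can actually write to and compares their free space with the boot image size; error 0x80070070 is HRESULT_FROM_WIN32(ERROR_DISK_FULL), so this predicts the failure before the task sequence hits it. It assumes the WinPE-PowerShell and WinPE-WMI optional components are in the boot image, and the boot image size is supplied by the operator from the boot image properties in the console (the 400 MB in the usage line is the figure from this post, not a measured value).

```powershell
# Added example (not from the original post): check whether the boot image the
# task sequence will stage fits on any volume visible to WinPE.
# Assumes WinPE-PowerShell and WinPE-WMI are in the boot image.

function Get-StageableVolumes {
    # DriveType 3 = local fixed disk. A locked BitLocker volume does not mount in
    # WinPE and reports no file system, so the filter drops it; that usually
    # leaves only the small system partition. WinPE's own RAM drive (X:) is
    # excluded by drive letter.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.FileSystem -and $_.DeviceID -ne $env:SystemDrive } |
        ForEach-Object {
            [pscustomobject]@{
                Drive      = $_.DeviceID
                FileSystem = $_.FileSystem
                SizeMB     = [math]::Round($_.Size / 1MB)
                FreeMB     = [math]::Round($_.FreeSpace / 1MB)
            }
        }
}

function Test-BootImageFits {
    param(
        # Size of the boot image in MB, as shown in the ConfigMgr console.
        [Parameter(Mandatory)][int]$BootImageMB
    )
    $volumes = @(Get-StageableVolumes)
    $volumes | Format-Table -AutoSize | Out-Host

    if ($volumes.Count -eq 0) {
        Write-Warning "No usable volume is visible to WinPE; staging will fail."
        return $false
    }

    $fits = @($volumes | Where-Object { $_.FreeMB -ge $BootImageMB })
    if ($fits.Count -eq 0) {
        $largest = $volumes | Sort-Object FreeMB -Descending | Select-Object -First 1
        $msg = "Boot image ({0} MB) does not fit on any visible volume; largest free space is {1} MB on {2}. Expect 0x80070070 if the boot image is re-downloaded." -f $BootImageMB, $largest.FreeMB, $largest.Drive
        Write-Warning $msg
        return $false
    }

    Write-Host "Boot image ($BootImageMB MB) fits on: $($fits.Drive -join ', ')"
    return $true
}

# Usage: the post's 400 MB boot image against the volumes WinPE can see.
Test-BootImageFits -BootImageMB 400
```

On a machine in the state the post describes, the only row printed is the 300MB system partition, and the function returns false; that is the case where either the disk must be reset or, better, the boot image must not be re-downloaded at all.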

There are several points to take into consideration to resolve the issue:

Prevent Boot Image from download/staging

Prevent the Boot Image from being downloaded/staged: if WinPE is already loaded and the TS is selected, there is no need to download the Boot Image again. The only reason the Boot Image is downloaded again is a difference between:

the Boot Image loaded through PXE and the Boot Image assigned to the Task Sequence.

It is not always the same Boot Image that loads from PXE as the one actually assigned to the Task Sequence.

There should be only 1 Boot Image available on PXE to prevent the issue, and I would prefer the x86 boot image, which can be used for deploying a WIM of either x86 or x64 (not applicable when deploying an OS from source, which requires the WinPE architecture to match the OS).

FAQ

At this point, some questions may arise:

More than 1 boot image

What if there is more than 1 Boot Image on PXE? Which Boot Image will load, and how do we prevent it?

In the PXE process, the wdsnbp.com file is responsible for architecture detection and for downloading the boot image based upon that.

But in practice this is not what happens: the boot image associated with the most recently advertised task sequence will actually load. Hence, to avoid all confusion, use 1 Boot Image, the one actually targeted by the task sequence.
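A way to audit the "one boot image" condition recommended above and in the earlier point about keeping a single Boot Image on PXE, added here as an example (not code from the original post). It uses the ConfigMgr console's PowerShell module (Get-CMTaskSequence, Get-CMTaskSequenceDeployment, Get-CMBootImage) and the BootImageID and PackageID properties of the task sequence and deployment objects; it assumes the module is loaded and the current location is the site drive (the site code PR1 is a placeholder). It reports which boot image each deployed task sequence references and warns when more than one distinct boot image is in use, which is the situation where PXE can hand out a boot image the selected task sequence does not expect.

```powershell
# Added example (not from the original post): report the boot image referenced
# by every deployed task sequence and warn when more than one is in use.
# Assumes the ConfigMgr PowerShell module is loaded and the current location
# is the site drive, e.g. PS PR1:\> (PR1 is a placeholder site code).

function Get-DeployedBootImageUsage {
    # PackageIDs of task sequences that currently have a deployment.
    $deployedTs = @(Get-CMTaskSequenceDeployment |
        Select-Object -ExpandProperty PackageID -Unique)

    # Name, PackageID and architecture of every boot image at the site.
    $bootImages = @(Get-CMBootImage | Select-Object Name, PackageID, Architecture)

    Get-CMTaskSequence |
        Where-Object { $_.PackageID -in $deployedTs -and $_.BootImageID } |
        ForEach-Object {
            $img = $bootImages | Where-Object { $_.PackageID -eq $_.BootImageID }
            [pscustomobject]@{
                TaskSequence   = $_.Name
                TaskSequenceID = $_.PackageID
                BootImageID    = $_.BootImageID
                BootImage      = $img.Name
                Architecture   = $img.Architecture
            }
        }
}

function Test-SingleBootImage {
    $usage = @(Get-DeployedBootImageUsage)
    $usage | Sort-Object BootImageID | Format-Table -AutoSize | Out-Host

    $distinct = @($usage.BootImageID | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $msg = "Deployed task sequences reference {0} different boot images ({1}); PXE may load one the selected task sequence does not use, and the task sequence will then try to re-stage its own." -f $distinct.Count, ($distinct -join ', ')
        Write-Warning $msg
        return $false
    }
    Write-Host "All deployed task sequences reference a single boot image: $($distinct -join ', ')"
    return $true
}

Test-SingleBootImage
```

Only deployed task sequences are counted, since an undeployed task sequence is never offered at PXE; a false result is the trigger to consolidate the deployments onto one boot image, as the post recommends, before touching partition sizes.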

Larger Bitlocker partition

What if we use a Bitlocker partition larger than 300MB, such as 600 MB or more?

This can resolve the issue for all future deployments, but what if you already have 10,000 machines in the environment that you will have to rebuild at one time or another? If your PXE issue is still not resolved (loading the incorrect Boot Image from PXE), you will still face the problem on all existing machines, but this approach will prevent further issues on the next build, because the Bitlocker partition is now bigger than the Boot Image.

Best approach
Then what is the best approach?

The different approaches mentioned in Q1 and Q2 may be confusing you; if you are able to manage one and only one PXE boot image in the environment, the one used by the task sequence, there would be no need to look for another solution.

What if
If there is a genuine requirement to have more than 1 boot image on PXE, how do we control that?

I will explain this in detail in another article.
