Staging Problems: BitLocker and multiple boot images

Over the last few days I’ve been working on setting up staging via PXE booting at a client’s site. Everything seemed to be working fine until I tried to stage a machine with BitLocker installed and the hard drive encrypted.

Just after I selected the task sequence and started the process, as it was downloading the custom boot image, the task sequence error (0x80070070) occurred. As it errored, I hit F8 to bring up the command prompt and took a look at the SMSTS.log, which showed:

There is not enough disk space left on this machine for staging the content for content PKG000ID

and

Boot Image package not found. There is not enough space on the disk. (Error: 80070070; Source: Windows)

This seemed very strange as I knew that the machine has plenty of space available on the HDD. I ran diskpart from the command prompt and saw that the BitLocker partition, which is 100MB in size, was set to the C:\ drive and the main, large, encrypted partition was set to the D:\.

I then noticed it was creating the _SMSTaskSequence folder on the C:\ and it all made sense. Further up in the log, I found the following:

Volume C:\ has 75358208 bytes of free space 
Volume D:\ has unsupported file system 
Volume X:\ is not a fixed hard drive 
TSM root drive = C:\ 

The X:\ was the current boot image, loaded into RAM. As the D:\ was the encrypted partition, it was inaccessible and so SCCM was using the 100MB BitLocker partition as the root drive and was attempting to copy the boot image to the C:\. This partition wasn’t big enough to hold it and so the TS failed. Simple, right?
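
The same check can be scripted against a copy of SMSTS.log. The Python below is an added example, not part of the original post or of SCCM; the diagnose function, its result keys and the 150 MiB boot image size are assumptions for illustration, and the sample input is constructed from the log messages quoted in this post.

```python
import re

# Constructed sample: the SMSTS.log message lines quoted in this post.
SAMPLE_LOG = r"""Volume C:\ has 75358208 bytes of free space
Volume D:\ has unsupported file system
Volume X:\ is not a fixed hard drive
TSM root drive = C:\
There is not enough disk space left on this machine for staging the content for content PKG000ID
Boot Image package not found. There is not enough space on the disk. (Error: 80070070; Source: Windows)
"""

FREE = re.compile(r"Volume ([A-Z]:)\\ has (\d+) bytes of free space")
UNSUPPORTED = re.compile(r"Volume ([A-Z]:)\\ has unsupported file system")
ROOT = re.compile(r"TSM root drive = ([A-Z]:)\\")
NO_SPACE = re.compile(r"Error: 80070070")


def diagnose(log_text, boot_image_bytes):
    """Summarise the root drive choice and flag the failure pattern from the post.

    boot_image_bytes is supplied by the caller (assumption: the size of the
    boot image the selected task sequence has to stage).
    """
    free, unreadable, root, out_of_space = {}, [], None, False
    for line in log_text.splitlines():
        if m := FREE.search(line):
            free[m.group(1)] = int(m.group(2))
        elif m := UNSUPPORTED.search(line):
            unreadable.append(m.group(1))  # e.g. the encrypted D:\ volume
        elif m := ROOT.search(line):
            root = m.group(1)
        if NO_SPACE.search(line):
            out_of_space = True
    root_free = free.get(root)
    too_small = root_free is not None and root_free < boot_image_bytes
    return {
        "root": root,
        "root_free": root_free,
        "unreadable": unreadable,
        "out_of_space_error": out_of_space,
        # An unreadable volume was skipped and the chosen root drive
        # cannot hold the boot image: the situation described above.
        "small_root_fallback": bool(unreadable) and too_small,
    }


if __name__ == "__main__":
    # 150 MiB is a constructed boot image size, not a value from the post.
    print(diagnose(SAMPLE_LOG, 150 * 1024 * 1024))
```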

But hang on, why was it downloading the boot image at all? I am already in a pre-execution environment, why didn’t it just use this boot image? Well, when you first PXE boot a machine it will download a boot image from the PXE DP.

The boot image it downloads initially will depend on which one is associated with the task sequence that has most recently been advertised to the machine that is being PXE booted. Once the environment is fully loaded, you then get the chance to choose one of the advertised task sequences and if that TS uses a different boot image to the one loaded in RAM, it will need to download the new one to HDD. If the main partition is encrypted, it is then forced to use the BitLocker partition and if that is too small, it will fail with the above error!

What about fixes or workarounds? Well, let’s just recap the scenario before we look at what can be done.

Scenario:
A BitLocker encrypted machine, with a BitLocker partition that is smaller than the boot image size, downloads one of the available boot image media at PXE boot. When the choice of task sequences to run shows up, a TS that uses a different boot image to the one already downloaded is selected. As a new boot image is required, it begins to download it but to the small BitLocker partition (as the main drive is encrypted and not accessible) and fails due to lack of space.

Workaround:

  1. Limit the number of boot images on the PXE DP to one, so the initial boot image download during PXE boot is the same as the one used in the TS about to run. This of course means only task sequences with the same boot image can be advertised to machines.
  2. Suspend the encryption on the machine prior to PXE booting and then the number of boot images on the PXE DP doesn’t matter.
  3. Increase the size of the BitLocker partition so it can download the new boot media (I haven’t actually tested this workaround but am confident it would work).

Other than this, there is no other way I’m aware of getting round the issue except formatting the HDD prior to PXE booting!

Thanks
Nik