BitLocker & BIOS Boot Order

Posted on Updated on

One of the “gotchas” of BitLocker security is that by not having the hard drive first in the boot order within BIOS, can cause BitLocker security to become enacted and thus needing manual entry of the 48-character key upon the next system restart.  This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk.  So, during an OS deployment, make efforts to change the boot order in BIOS.

To do this with HP

  • Obtain the BIOSConfigUtility in the Systems Software Manager
  • Create a text file named “BootOrder.REPSET”.  The text file contains the below content.  Note that I found it is necessary to define two devices to modify the boot order.
Boot Order
     Hard Drive(C:)
     Notebook Upgrade Bay
  • Run command
BiosConfigUtility.EXE /SetConfig:BootOrder.REPSET

To do this with Dell

cctk.exe bootorder --sequence=hdd

If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here!  Using task sequences, you can automate the process as to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:

  1. Suspends BitLocker protection
  2. Reconfigure the boot order (for HP or Dell)
  3. Restarts Windows
  4. Resumes BitLocker protection

2 thoughts on “BitLocker & BIOS Boot Order

    Drøn said:
    August 14, 2012 at 2:44 am

    How about a Lenovo way of doing this?

      N. Moseley responded:
      August 14, 2012 at 6:49 am

      Unfortunately I’ve not worked with Lenovo in this capacity, so I do not know for certain. Otherwise I would certainly post the info! :-)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s