Issue:
Where BitLocker has been pre-provisioned, and where customers wish to uninstall SecureDoc and then re-install it, the presence of the WMSD partition (left over from the earlier installation) can cause difficulties. This article discusses how to work around these.
Solution:
BitLocker pre-provisioning can be identified on an existing Windows 10 device through one of the following detection methods:
- BASIC
  - A padlock icon on a hard drive in the My Computer folder
- ADVANCED
  - Open an Administrative PowerShell window
  - Enter the following command: "manage-bde.exe -status"
  - Identify whether one or more hard drives have the Conversion Status result "Used Space Only Encrypted" or "Encryption in Progress"
Based on the results of testing, a way to avoid issues related to BitLocker pre-provisioning is to do one of the following:
- BASIC
  - Disable TPM or Secure Boot in the BIOS before installing Windows 10 and leave this feature off
- ADVANCED
  - While Windows 10 is installed, open an Administrative PowerShell window
  - Enter the following command: "manage-bde.exe -status"
  - Identify whether one or more hard drives have the Conversion Status result "Used Space Only Encrypted" or "Encryption in Progress"
  - Enter the following command for each mapped hard drive: "manage-bde.exe -off [ volume letter and colon, e.g. "C:" ]"
  - For hard drives that are not mapped (such as SecureDoc's WMSD partition):
    - Open the Disk Management setting of the computer
    - Select the unmapped drive
    - Add a drive letter to the unmapped drive
    - Enter the following command for each newly mapped hard drive: "manage-bde.exe -off [ volume letter and colon, e.g. "E:" ]"
    - Remove the drive letter from the newly mapped drive, ignoring the warning messages from Windows
  - Use the "manage-bde.exe -status" command to track the decryption of each hard drive until they all have the "Fully Decrypted" Conversion Status
  - Use the Windows "Run" command to execute "regedit"
  - In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker and create the following entry: REG_DWORD (32-bit), Name: PreventDeviceEncryption, Value: 1 (True)
  - Restart the computer
  - If SecureDoc is installed at this time, use the SD Recovery program along with the platform's keyfile (located in the C:\Program Files\WinMagic\SecureDoc-NT\UserData folder) to deactivate the device. Open the SecureDoc Control Centre to confirm deactivation of SecureDoc, and then uninstall SecureDoc through the Windows Programs and Features Control Panel applet.
  - If SecureDoc is not installed yet, it is now safe to install SecureDoc without running into any BitLocker pre-provisioning issues, as long as the platform doesn't need to be re-imaged
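The ADVANCED steps above, scripted as an added example (this is not WinMagic's code and is not part of the article). It assumes an elevated PowerShell session on Windows 10, English-language "manage-bde.exe -status" output (the parser matches the English "Conversion Status:" label), and the Storage module's Add-PartitionAccessPath / Remove-PartitionAccessPath cmdlets for the temporary drive letter on the WMSD partition. The sample status text is constructed so the parser can be tried offline; the decrypt and registry functions only act when called explicitly.

```powershell
# Added example, not WinMagic's code. Assumptions: elevated PowerShell on
# Windows 10, English-language manage-bde.exe output, Storage module present.

# Constructed sample of "manage-bde.exe -status" output, trimmed to the
# lines the parser needs (two volumes: OS volume C: and the WMSD partition E:).
$SampleStatusOutput = @'
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%

Volume E: [WMSD]
[Data Volume]

    Size:                 1.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
'@ -split "`r?`n"

# Parse manage-bde -status text into one object per volume.
function ConvertFrom-BdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+)(?:\s+\[(.*)\])?') {
            if ($current) { $volumes += $current }
            $current = [pscustomobject]@{
                Volume           = $Matches[1]
                Label            = $Matches[2]
                ConversionStatus = $null
            }
        }
        elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+?)\s*$') {
            $current.ConversionStatus = $Matches[1]
        }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

# Live status from the local machine.
function Get-BdeVolumeStatus {
    $raw = & manage-bde.exe -status 2>&1 | ForEach-Object { [string]$_ }
    ConvertFrom-BdeStatus -Lines $raw
}

# Volumes showing the two Conversion Status values the article treats as
# evidence of BitLocker pre-provisioning.
function Test-BitLockerPreProvisioning {
    param([object[]]$Volumes)
    if (-not $Volumes) { $Volumes = @(Get-BdeVolumeStatus) }
    $Volumes | Where-Object {
        $_.ConversionStatus -in @('Used Space Only Encrypted', 'Encryption in Progress')
    }
}

# Step: decrypt one mapped volume ("C:", "E:") with manage-bde -off.
function Stop-BdeEncryption {
    param([Parameter(Mandatory)][string]$Volume)
    & manage-bde.exe -off $Volume
}

# Step: give an unmapped partition (e.g. WMSD) a temporary letter so that
# manage-bde can address it, then take the letter away again afterwards.
# Disk and partition numbers come from Get-Partition; the letter is yours to pick.
function Add-TemporaryDriveLetter {
    param([int]$DiskNumber, [int]$PartitionNumber, [string]$Letter)
    Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath "${Letter}:\"
}
function Remove-TemporaryDriveLetter {
    param([int]$DiskNumber, [int]$PartitionNumber, [string]$Letter)
    Remove-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath "${Letter}:\"
}

# Step: poll until every volume reports "Fully Decrypted".
function Wait-BdeFullyDecrypted {
    param([int]$PollSeconds = 30)
    do {
        $pending = @(Get-BdeVolumeStatus | Where-Object { $_.ConversionStatus -ne 'Fully Decrypted' })
        if ($pending.Count -gt 0) {
            Write-Host ("Still converting: " + (($pending | ForEach-Object { $_.Volume }) -join ', '))
            Start-Sleep -Seconds $PollSeconds
        }
    } while ($pending.Count -gt 0)
}

# Step: the PreventDeviceEncryption registry value from the article; returns
# the value read back so the change can be confirmed.
function Set-PreventDeviceEncryption {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'PreventDeviceEncryption' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'PreventDeviceEncryption').PreventDeviceEncryption
}

# Offline demonstration against the constructed sample: C: is flagged, E: is not.
$flagged = Test-BitLockerPreProvisioning -Volumes (ConvertFrom-BdeStatus -Lines $SampleStatusOutput)
$flagged | Format-Table Volume, Label, ConversionStatus

# Live run (elevated), report only; call Stop-BdeEncryption, Wait-BdeFullyDecrypted
# and Set-PreventDeviceEncryption yourself once the volumes to decrypt are confirmed:
#   Test-BitLockerPreProvisioning | Format-Table Volume, Label, ConversionStatus
```

The parser keys on the "Volume X:" header and the "Conversion Status:" line only, so it tolerates the other fields manage-bde prints but will silently find nothing on a localized Windows build; check the live output by eye in that case. Set-PreventDeviceEncryption creates the BitLocker key if it does not yet exist and rewrites the value if it does, which matches the manual regedit step, and the restart the article calls for is still required afterwards.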
Currently, the only case that requires disabling BitLocker pre-provisioning is where a customer plans to uninstall their existing build of SecureDoc in the future in favor of installing a new build of SecureDoc (a SecureDoc in-place upgrade has not been tested).
BitLocker pre-provisioning detects that the WMSD partition SecureDoc used previously is about to be used by SecureDoc again, and automatically attempts to convert the partition so that it is ready for BitLocker. This corrupts the installation of SecureDoc's boot logon and prevents authentication to the SecureDoc Control Centre (along with displaying a SecureDoc error about SecureDoc.WMG).
Additional Materials:
This article identifies a means to automate the Windows installation parameters to prevent BitLocker pre-provisioning: http://forums.crucial.com/t5/Crucial-SSDs/Preventing-Windows-Encryption-Provisioning/m-p/178322/highlight/true#M53657
This article identifies how to "opt out" of automatic device encryption while in a Windows environment: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)#BKMK_BL2012R2