Mass Deployment and BitLocker – The “Gotcha”

As mentioned in the blog articles “Image Builder Wizard – Quick and Easy Embedded OS Creation – Part 1” written by Robert and “BitLocker in Windows Embedded Standard 2011” written by Hema, the BitLocker feature requires two partitions. The first partition is a system partition that contains the BCD (Boot Configuration Data) store and remains unencrypted. The second partition is the one that contains Windows, programs, etc., and can be encrypted. IBW does a good job of ensuring that the user is required to partition with a separate system partition if the user has added the BitLocker feature. It is able to do that because it is aware of whether the feature was added by the user.

What’s the “Gotcha”, you may ask? Well, during mass deployment scenarios, such as using WDS or IBW to deploy a custom WIM, the disk partitioning dialog has no awareness of whether the BitLocker feature is in the image. That means that it is possible under these circumstances to create a system that has the BitLocker feature but only one partition. This is not a supported setup for BitLocker, and the feature will not enable or allow the Windows partition to be encrypted.


So please, if you’re going to be mass-deploying an image with the BitLocker feature, ensure that the Unattend file (or the technician if it’s a manual process) creates a system partition.

- Nick
