This is the change to the portion of the script that looks for encryptable volumes. Part of that script determines whether BitLocker is already encrypting a drive and, if so, MDT assumes that it must be doing an upgrade and merely has to re-apply protectors to the drive at the end. In reality, the check is also tripped by the external USB disk, which is BitLockered (the MDTDEPLOY partition). The result is a failure during the final BitLocker steps, since the TPM doesn't get owned and, therefore, cannot be used for enabling protectors.

This change is around line 1350 in the MDT 2013 Update 1 version.

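' Enumerate every BitLocker-capable volume and check its conversion status.
' bIsBde is set when an encrypted volume other than the MDTDEPLOY deployment
' disk is found.
Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume")
For each objVol in colEnVol
    objVol.GetConversionStatus iStatus, iPercent

    ' Conversion status 0 is "fully decrypted"; any other value means BitLocker
    ' has touched the volume (encrypted, in progress, or paused).
    If iStatus <> 0 Then
        ' Volumes without a drive letter are identified by their DeviceID instead.
        If IsNull(objVol.DriveLetter) Then
            oLogging.CreateEntry "Encrypted drive found: " & objVol.DeviceID & ", status = " & iStatus, LogTypeInfo
        Else
            oLogging.CreateEntry "Encrypted drive found: " & objVol.DriveLetter & ", status = " & iStatus, LogTypeInfo
        End If

'****** MODIFIED CODE BELOW
        Dim scVol
        ' Drop any reference left over from the previous volume. If error
        ' suppression is active in the enclosing routine (not visible here) and
        ' the lookup below fails, the label of the previous volume must not be
        ' reused for this one.
        Set scVol = Nothing
        ' Look the volume up in Win32_Volume by the same DeviceID to read its
        ' label; backslashes are doubled for the WMI object path.
        Set scVol = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2:Win32_Volume.DeviceID=""" & Replace(objVol.DeviceID,"\","\\") & """")
        ' NOTE(review): the label is the only thing that identifies the
        ' deployment disk here, and a label can be set on any volume. Every
        ' BitLocker volume labelled MDTDEPLOY is skipped, so the skip is logged.
        If IsNull(scVol.Label) Then
            ' A Null label compared with <> yields Null, which an If treats as
            ' False. Without this branch an unlabelled encrypted volume would
            ' fall into the MDTDEPLOY branch and be skipped.
            bIsBde = true
        ElseIf scVol.Label <> "MDTDEPLOY" Then
            bIsBde = true
        Else
            oLogging.CreateEntry "Skipping setting IsBDE since drive is MDTDEPLOY, which is supposed to be encrypted and not managed by MDT", LogTypeInfo
        End If
'****** END MODIFIED CODE
    End If
Next
If not bIsBde Then
    oLogging.CreateEntry "There are no encrypted drives", LogTypeInfo
End If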