Tip of the Day: BitLocker Pre-provisioning
Today’s tip…
Unlike Windows Vista and Windows 7, Windows 8 can pre-provision BitLocker on the system volume during installation. To use BitLocker pre-provisioning, we have three options: MDT 2012, SCCM 2012 SP1, or WinPE 4.0.
- In MDT 2012, we use the Enable Offline Task Sequence, which uses the ztibde.wsf file to encrypt the drives.
- In SCCM 2012 SP1, we use OSDOfflineBitLocker.exe, which enables BitLocker.
- In WinPE 4.0, we can use the command prompt to run “manage-bde -on <drive letter>”.
NOTE: The WinPE option is a bit more complicated, as you must add the file management and startup optional components to your WinPE image. Otherwise the manage-bde tool will not be available.
Building a Windows PE Image with Optional Components
Requirements:
TPM should be enabled in the BIOS prior to installation
Steps to be done after Windows installation:
The BitLockered volume will be in a “Waiting for Activation” state, as it is using a clear protector. Until a key protector is added, the volume is encrypted but not protected. Protection can be activated using either of the following options:
- Use the manage-bde tool to perform a ‘manage-bde -protectors -add C: -rp’
- Use the Control Panel applet to ‘Turn on BitLocker’
The advantage of this approach is that activating protection after installation takes only a few seconds, instead of the user having to wait for BitLocker to encrypt the entire volume.
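A post-installation check for the “Waiting for Activation” state described above, as an added example that is not part of the original post. It uses the BitLocker PowerShell module cmdlets (Windows 8 / Server 2012 and later); the function names and the -Activate switch are assumptions of this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Get-PendingBitLockerVolume, Invoke-PreProvisionCheck and -Activate are hypothetical names.

function Get-PendingBitLockerVolume {
    # Encrypted (fully or partly) but protection is not On: the volume key is not yet
    # guarded by a real protector, as on a pre-provisioned volume.
    # A volume whose protection was suspended matches as well.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -ne 'On' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus
                ProtectionStatus = $_.ProtectionStatus
                PercentEncrypted = $_.EncryptionPercentage
                Protectors       = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            }
        }
}

function Invoke-PreProvisionCheck {
    param([switch]$Activate)

    $pending = @(Get-PendingBitLockerVolume)
    if ($pending.Count -eq 0) { return $true }   # nothing is left unprotected

    foreach ($v in $pending) {
        Write-Warning ("{0}: {1}, protection {2}, protectors [{3}]" -f `
            $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $v.Protectors)
    }
    if (-not $Activate) { return $false }

    foreach ($v in $pending) {
        # Same protector type as 'manage-bde -protectors -add C: -rp' in the post.
        # The cmdlet displays the generated recovery password; record it per your escrow process.
        Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Re-query instead of assuming success: report the state the volumes are in now.
    return (@(Get-PendingBitLockerVolume).Count -eq 0)
}

# Audit only by default; exit non-zero so a task sequence or compliance job can fail on it.
if (-not (Invoke-PreProvisionCheck)) { exit 1 }
```

Calling Invoke-PreProvisionCheck -Activate adds the protector and then re-checks the volumes, so a machine that is still unprotected afterwards is reported rather than assumed fixed.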
Comments
- Anonymous
January 01, 2003
Hi, we are in the process of implementing MBAM in our environment, and wanted to know if you could give brief steps to follow in successfully encrypting using pre-provisioning. At what stage does the MBAM client need to be installed and the reg key run? Assuming everything is done in OS. SCCM 2012 R2, Windows 7 x86 laptop and Win8.1. Thank you
- Anonymous
May 23, 2017
This blog post is over three years old. Please try here instead: https://stackoverflow.com/questions/tagged/bitlocker
- Anonymous