Tip of the Day: BitLocker Pre-provisioning

Today’s tip…

Unlike Windows Vista and Windows 7, Windows 8 has the ability to pre-provision the system volume during installation. To use BitLocker Pre-Provisioning, we have three options open to us, MDT 2012, SCCM 2012 SP1, or WinPE 4.0.

  1. In MDT 2012, we use the Enable Offline Task Sequence which uses ztibde.wsf file to encrypt the drives.
  2. In SCCM 2012 SP1, we use OSDOfflineBitLocker.exe which enables BitLocker.
  3. In WinPE 4.0, we can use the command prompt to run “manage-bde –on <drive letter>”

NOTE: The WinPE option is a bit more complicated as you must add the file management and startup optional components to your WinPE image. Otherwise you will not have the manage-bde tool available.

Building a Windows PE Image with Optional Components


TPM should be enabled in the BIOS prior to installation

Steps to be done after Windows installation:

The BitLockered volume will be in a “Waiting for Activation” state, as it is using a clear protector. This can be done using either of the following options

  • Use the manage-bde tool to preform a ‘Manage-bde –protectors –add C: -rp’
  • Use the Control Panel applet to ‘Turn on BitLocker’

The advantage to this approach is that activating protection post installation only takes a few seconds instead of the user having to wait for BitLocker to encrypt the entire volume.