Tip of the Day: BitLocker Pre-provisioning
Unlike Windows Vista and Windows 7, Windows 8 can pre-provision (encrypt) the system volume during installation. There are three ways to use BitLocker pre-provisioning: MDT 2012, SCCM 2012 SP1, or WinPE 4.0.
- In MDT 2012, use the Enable Offline task sequence step, which runs the ztibde.wsf script to encrypt the drives.
- In SCCM 2012 SP1, use OSDOfflineBitLocker.exe, which performs the offline enablement.
- In WinPE 4.0, run "manage-bde -on <drive letter>" from the command prompt.
NOTE: The WinPE option is a bit more involved, as you must add the file management and startup optional components to your WinPE image; otherwise the manage-bde tool will not be available.
The TPM should be enabled in the BIOS prior to installation.
Steps to be done after Windows installation:
The BitLockered volume will be in a "Waiting for Activation" state, because it is encrypted with a clear protector (the key is stored unprotected on the disk). Protection is activated by adding a real key protector, using either of the following options:
- Use the manage-bde tool to run "manage-bde -protectors -add C: -rp"
- Use the Control Panel applet to "Turn on BitLocker"
The advantage of this approach is that activating protection after installation takes only a few seconds, instead of the user having to wait for BitLocker to encrypt the entire volume.
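Added here as an example (not part of the original tip): a small batch wrapper around the same manage-bde commands that runs the WinPE phase and the post-install activation phase with the checks a deployment engineer would want. The script name bitlocker-phase.cmd, the use of -UsedSpaceOnly, and the guard on the "Protection Off" line of manage-bde -status output are my additions.

```batch
@echo off
rem Example wrapper (not from the original tip). Two phases around manage-bde:
rem   In WinPE 4.0:          bitlocker-phase.cmd preprovision C:
rem   After Windows setup:   bitlocker-phase.cmd activate C:
rem Assumes the WinPE image carries the optional components that provide manage-bde.
setlocal
set "PHASE=%~1"
set "VOL=%~2"
if "%VOL%"=="" set "VOL=C:"

rem The tool is missing when the optional components were not added to the image.
where manage-bde >nul 2>&1 || (
    echo manage-bde not found; add the BitLocker optional components to the WinPE image.
    exit /b 1
)

if /i "%PHASE%"=="preprovision" goto :preprovision
if /i "%PHASE%"=="activate" goto :activate
echo Usage: %~nx0 preprovision^|activate [volume]
exit /b 2

:preprovision
rem Encrypt with a clear protector so the volume lands in "Waiting for Activation".
rem -UsedSpaceOnly keeps this phase short on a freshly formatted disk (assumed option).
manage-bde -on %VOL% -UsedSpaceOnly
if not "%errorlevel%"=="0" ( echo Pre-provisioning of %VOL% failed. & exit /b 1 )
manage-bde -status %VOL%
exit /b 0

:activate
rem Only proceed while the volume still has protection off (clear key only);
rem re-running on an already protected volume would add duplicate protectors.
manage-bde -status %VOL% | findstr /i /c:"Protection Off" >nul || (
    echo %VOL% already has protection on; nothing to do.
    exit /b 0
)
rem Add a TPM protector for unattended boot, then a recovery password.
rem Adding a real protector removes the clear key and turns protection on.
manage-bde -protectors -add %VOL% -tpm
if not "%errorlevel%"=="0" ( echo Adding TPM protector failed; is the TPM enabled? & exit /b 1 )
manage-bde -protectors -add %VOL% -rp
if not "%errorlevel%"=="0" ( echo Adding recovery password failed. & exit /b 1 )
rem List protectors so the recovery password ID can be escrowed (e.g. via -adbackup).
manage-bde -protectors -get %VOL%
exit /b 0
```

Run the activate phase from an elevated prompt; escrow the recovery password shown by the final command before the device leaves the build bench.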