Start MBAM encryption on Bitlocker pre-provisioned and Windows To Go drives.

Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the hard drive. It can be found here:

As time goes, there are new features in SCCM and MDT as well as in Bitlocker and MBAM.

One of two things that the original script does not address is pre-provisioned Bitlocker in SCCM 2012 SP1 (It’s actually, a feature of Windows 8 and Windows PE 4). What it means, that once you started the encryption with “Pre-provision Bitlocker” (it actually calls Manage-bde -on %OSDisk% -UsedSpaceOnly), your system hard drive is encrypted right off the bat, and while applying the image, your data becomes encrypted automatically.

The second thing is Windows To Go. Here is the article, that describes how to create a pre-staged media for Windows To Go: There are a couple issues with WTG and SCCM:

  • Recovery key is not saved in MBAM if using this method
  • Wtgcreator does not leverage pre-provisioning feature. It means, that you will have to encrypt the entire drive as a part of the process afterwards.


I’m providing two VB scripts, ZTIPrepareBDE.wsf  and StartMBAMEncryption.wsf.

  • ZTIPrepareBDE.wsf is the ZTIBDE.wsf script from MDT with actual encryption stripped out. Run this script in live OS from the TS first, with condition _SMSTSWTG <> “TRUE” so it won’t run on Windows To Go. It does all preparation with TPM, and it also partitions the drive cutting off 500MB for boot files, all standard stuff from Bitlocker support from MDT, which works just fine but does not support MBAM. This script requires OSDBitLockerMode=TPM and IsBDE=TRUE
  • StartMBAMEncryption.wsf is the script that used to start encryption and have recovery key reported to MBAM. It takes parameter MBAMServiceEndPoint which is URL to MBAM Service End Point, it also takes OSDBitLockerPIN for WTG – if we’re deploying WTG, it will set this password. No need to use the original osdbitlocker_wtg.exe. Run this script after ZTIPrepareBDE.wsf in your TS. I’d suggest to create a package and put ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf from attached file as well as copies of ZTIDiskUtility.vbs, ZTIUtility.vbs and ztiRunCommandHidden.wsf from MDT Scripts folder.

I also included a version of SCCMWTGDuplicator.ps1 script that replaces WTGCreator.exe from SCCM. This script requires all boot files from WTG stick created with original WTGCreator.exe – simply copy all files to Boot directory. This script asks for WIM file with pre-staged media and lists all USB drives and then provisions them with WTG.


Enjoy and let me know if you have any questions 🙂


Credits go to my colleagues:

Dave Hornbaker, who created the original StartMBAMEncryption.wsf script

Michael Murgolo, who improved this script

Michael Niehaus, who inspired me on those kind of things 🙂

Lance Crandall, who worked with me educating me on best approaches with my script and without his input it would not be possible.





Comments (18)

  1. Drey Bee says:

    Hi there. Thanks for the update to the script. I cannot get the ZTIPrepareBDE.wsf to run in x64 winPE 4.0

    Is this by design?


  2. AlexSemi says:

    Yes, it runs from live OS. What do you need to do in PE? TPM work before pre-provisioning?

  3. Erik Nilsson says:

    Is it possible to make pre-provisioning work on Windows 7 using this script (pure MDT, non-SCCM solution)?

    According to this thread it's supported:…/preprovisioning-bitlocker-and-deploying-windows-7-enterprise-supported-by-microsoft

    I've managed to pre-provision BitLocker for Windows 7 using the pre-provision step in SCCM, but I cannot get it to work with your script in MDT, since it has to be run post OS installation.

    Any suggestions?

  4. Erik Nilsson says:

    Also, it does not seem to store the recovery password in the MBAM database (in a non-preprovision scenario). Although encryption has been initialized. I thought encryption wouldn't start if backup of the key fails?

  5. I have it from a reliable source that if you simply use the built-in bitlocker pre-provisioning steps and use a tpm only setting your drive will encrypt and if you install mbam later in the ts it will prompt for a boot passphrase once the client 'phones home' and a user logs in to the system, this all depends on your group policy settings of course.  I am hoping to try this out later today.

  6. huh, I have a version of the startmbamencryption script but it is only 148 lines, the one included here is over 450.  I see it is doing a TON more than the version I have can someone provide some more details on how to use this updated script?  In particular the /EncryptionMethod switch.   I am using the script now but with limited success if this new one does a better job, hot dog, I will give it a whirl!


    Hi, I am using WTGCreator comes with SCCM 2012SP1. It is not detecting WIM file. Is it only me ?

  8. Guillaume BEDEAU says:

    Hi there,

    Is the TPMOwnerShip password is sent to MBAM Database with this method ?


  9. Guillaume BEDEAU says:


    Is it possible to Pre-provision a Fixed Data Drive ? If yes How ?


  10. Aaron says:

    I'm testing out some hobbled together method using the enablebitlocker.vbs script to Activate TPM and take ownership while in WinPE4, it does an automatic reboot, then when resumes, my imaging scripts create partition structure, and calls manage-bde -on c: -UsedSpaceOnly.  This works to successfully enable pre-provisioning.  I then call imagex to apply my sysprepped windows 7 image.  Windows 7 successfully boots and completes mini-setup.

    After installing MBAM client, and logging on, I get an MBAM prompt to choose a PIN.  This appears to complete successfully.  When I check MBAM recovery console, I do get the recovery key.

    What IS missing from MBAM, though, is TPM information, likely because it's already owned by having to use the "enablebitlocker.vbs" to take ownership of the TPM.  You CANNOT run manage-bde to start encryption in winpe4 without first enabling and taking ownership of the TPM, so… looks like we're stuck with no TPM backups in MBAM database.

    Is there something I can do different?  I still want to pre-provision due to the encryption time savings, and ENFORCING that laptops are encrypted before an end-user gets it in their hands.  If end users had it their way, they'd click on the MBAM Postpone button 1 Million times…

    I don't like enabling bitlocker after imaging because our software deployment tools kick in with software installs and if bitlocker is encrypting after OS install, the drive space is REALLY LOW until encryption is done.  Another HUGE benefit of pre-provisioning.

    Do I even REALLY NEED the TPM backups?  If all else fails, can't I still do recovery, then once in, use manage-bde to take ownership of the TPM again if I had to?

    Long winded… sorry…


  11. alexsemi says:

    Yes, you're not going to have TPM information if you're pre-provisioning with -UsedSpaceOnly.

    You'll still be able to wipe TPM chip and access the drive by providing the recovery key. So I say – not a big deal.

  12. JoshuaDenzik says:

    I am trying to understand  your script. Where do you set the paramenter MBAMServiceEndPoint?  sMBAMServiceEndPoint = oEnvironment.Item("MBAMServiceEndPoint") Are there any other places in the script that have to be edited to fit my enviorment?

  13. Jim Webb says:

    Whenever I run the StartMBAMEncryption.wsf script from a Task Sequence using SCCM 2012 R2 I get the following error:

    ZTI ERROR – Unhandled error returned by StartMBAMEncryption: The system cannot find the file specified.

    (-2147024894  0x80070002)

    Any suggestions?

  14. Jim Theodocion says:

    Joshua – you set that parameter in the command line where you call the script or I guess you could manually add it in the script.

    Jim Webb – I am guessing you need to run the script from the scripts folder in MDT so it can see the other scripts.


    We are trying to use this with MBAM 2.5 on WTG and the encryption part does not happen. No error. In the logs  it shows that encryption has started but that is not the case when imaging is done. Is it possible something has changed?

  15. Cory Freeman says:

    @ Aaron can you share a screenshot of your task sequence or email me cfreeman21 [at]

  16. Joshua Delaughter says:

    Could line 125 be changed to use 256 bit?

    oUtility.RunWithHeartbeat """" & oEnv("SystemRoot") & "system32Manage-bde.exe"" -on " & oUtility.GetOSTargetDriveLetter & " -used"

    by adding "-em aes256." after "-used" at the end of the line?

  17. AlexSemi says:

    Joshua – great point. I usually do pre-encryption in Windows PE with

    manage-bde -on %OSDisk% -UsedSpaceOnly -em aes256

    so it's already 256. But you can add it and try/

  18. AlexSemi says:

    Actually, I just realized something. Where did you take that code from? My StartMBAMEncryption.wsf does not have it, but instead, has /EncryptionMethod switch which defaults to "4" (AES256) if no value specified