Here is the scenario: We are on SCCM 1602 with the latest Win10 ADK, and our boot WIMs have been patched with hotfix KB3143760. We are having a lot of issues with the pre-provisioning step when deploying Windows 7 SP1 x86 and Windows 7 SP1 x64. We are getting a winload error after the machine reboots because the encryption algorithm has changed to XTS AES and Windows 7 is not happy with it. Our problem is we are on Windows 7. We have plans to migrate to Windows 10 in the future, but it's not a feasible solution at the moment. We have been using this command in place of the pre-canned "pre-provisioning" step: "X:\WINDOWS\system32\manage-bde.exe" -on %OSDisk% -EncryptionMethod AES128 -UsedSpaceOnly. The command works for Windows 7 SP1 x64 on all the models and manufacturers I have tested, but not for x86. It won't set the key protectors on the Lenovos, and on Dells it won't even turn BitLocker on, even though the command executes successfully in the task sequence. This article helps explain a bit more: https://social.technet.microsoft.com/Forums/en-US/99c578c1-07f3-486a-b117-821a6f96ad71/windows-10-build-1511-xts-aes-cipher-strength-and-bitlocker-preprovisioning?forum=configmanagerosd
We have an open ticket with MS support, but any suggestions or help would be awesome!
Thanks, Josh
