I think Toby has you on the right track there. Interesting though, the registry key listed there is slightly different from the one I'm using in my Win10 OSD TS. The one I'm using probably only works in 1511+. . .
I have a step that runs "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" -t REG_DWORD -v EncryptionMethodWithXtsOs -d 7 -f" just before the pre-provision bitlocker step, forcing the use of XTS_AES256. On Wed, May 25, 2016 at 11:14 AM, Denzik, Josh <[email protected]> wrote: > I have not tried that. “Trying it now” > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Toby Beaupre > *Sent:* Wednesday, May 25, 2016 11:49 AM > *To:* [email protected] > *Subject:* [MDT-OSD] RE: Win10PE and Bitlocker Pre-Provisioning XTS AES > Encryption > > > > Have you tried adding the registry entry explained in this blog? > > > > > https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/ > > > > Toby > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Denzik, Josh > *Sent:* Wednesday, May 25, 2016 10:28 AM > *To:* [email protected] > *Subject:* [MDT-OSD] Win10PE and Bitlocker Pre-Provisioning XTS AES > Encryption > > > > Here is the scenario: > > > > We are on SCCM 1602 with the latest Win10 ADK and our boot wims have been > patched with hotfix KB3143760. We are having a lot of issues with the > pre-provisioning step when deploying Windows 7 SP1 x86 and Windows 7 SP1 > x64. We are getting a winload error after the machine reboots because the > encryption algorithm has changed to (XTS AES) and Windows 7 is not happy > with it. Our problem is we are on Windows 7. We have plans to migrate to > Windows 10 in future but, it’s not a feasible solution at the moment. We > have been using this command in place of the pre-canned “pre-provisioning” > step. "*X:\WINDOWS\system32\manage-bde.exe" -on %OSDisk% > -EncryptionMethod AES128 –UsedSpaceOnly”. *The command works for Windows > 7 SP1 x64 on all the models and manufactures I have tested but not for x86. > It won’t set the key protectors on the Lenovos and; on Dells it won’t even > turn bitlocker on even though the command executes successfully in the task > sequence. This article helps explains a bit more > https://social.technet.microsoft.com/Forums/en-US/99c578c1-07f3-486a-b117-821a6f96ad71/windows-10-build-1511-xts-aes-cipher-strength-and-bitlocker-preprovisioning?forum=configmanagerosd > . We have open ticket with MS support, but any suggestions or help would be > awesome! > > > > > > Thanks > > > > Josh > > > > > > > > > ------------------------------ > > > Confidentiality Note: This email message, including any attachment(s), is > for the sole use of the intended recipient(s) and may contain information > that is confidential, privileged, or otherwise protected by law. Any > unauthorized use, disclosure, or distribution of this communication is > strictly prohibited. If you have received this communication in error, > please contact the sender immediately by reply email and destroy the > original and all copies of the email, including any attachment(s). >
