Thanks to all who replied on that thread. Worked like a champ!

From: [email protected] On Behalf Of Steve Whitcher
Sent: Wednesday, May 25, 2016 12:33 PM
To: [email protected]
Subject: Re: [MDT-OSD] RE: Win10PE and Bitlocker Pre-Provisioning XTS AES Encryption

I think Toby has you on the right track there. Interesting though, the registry key listed there is slightly different from the one I'm using in my Win10 OSD TS. The one I'm using probably only works in 1511+. . . I have a step that runs "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" -t REG_DWORD -v EncryptionMethodWithXtsOs -d 7 -f" just before the pre-provision bitlocker step, forcing the use of XTS_AES256.

On Wed, May 25, 2016 at 11:14 AM, Denzik, Josh <[email protected]> wrote:

I have not tried that. “Trying it now”

From: [email protected] On Behalf Of Toby Beaupre
Sent: Wednesday, May 25, 2016 11:49 AM
To: [email protected]
Subject: [MDT-OSD] RE: Win10PE and Bitlocker Pre-Provisioning XTS AES Encryption

Have you tried adding the registry entry explained in this blog?
https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/

Toby

From: [email protected] On Behalf Of Denzik, Josh
Sent: Wednesday, May 25, 2016 10:28 AM
To: [email protected]
Subject: [MDT-OSD] Win10PE and Bitlocker Pre-Provisioning XTS AES Encryption

Here is the scenario: We are on SCCM 1602 with the latest Win10 ADK and our boot wims have been patched with hotfix KB3143760. We are having a lot of issues with the pre-provisioning step when deploying Windows 7 SP1 x86 and Windows 7 SP1 x64. We are getting a winload error after the machine reboots because the encryption algorithm has changed to (XTS AES) and Windows 7 is not happy with it. Our problem is we are on Windows 7. We have plans to migrate to Windows 10 in the future, but it's not a feasible solution at the moment.

We have been using this command in place of the pre-canned “pre-provisioning” step: "X:\WINDOWS\system32\manage-bde.exe" -on %OSDisk% -EncryptionMethod AES128 -UsedSpaceOnly. The command works for Windows 7 SP1 x64 on all the models and manufacturers I have tested but not for x86. It won't set the key protectors on the Lenovos, and on Dells it won't even turn BitLocker on even though the command executes successfully in the task sequence. This article helps explain a bit more: https://social.technet.microsoft.com/Forums/en-US/99c578c1-07f3-486a-b117-821a6f96ad71/windows-10-build-1511-xts-aes-cipher-strength-and-bitlocker-preprovisioning?forum=configmanagerosd

We have an open ticket with MS support, but any suggestions or help would be awesome!

Thanks
Josh
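Added example, not part of the thread and not code from any of its participants: a PowerShell check that reads `manage-bde -status` output after the pre-provisioning step and flags a volume encrypted with an XTS method when the OS being deployed predates Windows 10 1511, the mismatch behind the winload error described above. The function names are hypothetical and the status text in `$sample` is constructed.

```powershell
# Added example; function names are hypothetical and $sample is constructed.
function Get-BdeVolumeStatus {
    param([Parameter(Mandatory)][string]$StatusText)
    $volumes = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^Volume\s+(\S+:)') {
            # Start of a volume section, e.g. "Volume C: [OSDisk]"
            $current = [ordered]@{ Volume = $Matches[1] }
            $volumes.Add($current)
        }
        elseif ($null -ne $current -and $line -match '^\s+([^:]+):\s*(.*)$') {
            # Indented "Name:   Value" field lines belong to the current volume
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $volumes
}

function Test-BdeMethodForTarget {
    param(
        [Parameter(Mandatory)][string]$StatusText,
        # Pass $true only when the deployed OS is Windows 10 1511 or later
        [Parameter(Mandatory)][bool]$TargetSupportsXts
    )
    foreach ($v in (Get-BdeVolumeStatus -StatusText $StatusText)) {
        $method = [string]$v['Encryption Method']
        [pscustomobject]@{
            Volume   = $v['Volume']
            Method   = $method
            MethodOk = $TargetSupportsXts -or ($method -notmatch '^XTS')
        }
    }
}

$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:       None Found
'@

# On a live system, pass (manage-bde.exe -status | Out-String) instead of $sample.
$result = Test-BdeMethodForTarget -StatusText $sample -TargetSupportsXts $false
$result | Format-Table -AutoSize
if ($result.MethodOk -contains $false) {
    Write-Warning 'XTS encryption method found on a volume whose target OS predates Windows 10 1511.'
}
```

Running it inside WinPE requires a boot image that includes the PowerShell optional component.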
