Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.
By default, the "Enable BitLocker" task of a ConfigMgr 2007 Task Sequence defaults the encryption method and cipher strength to "AES 128-bit with Diffuser". However, the "Enable BitLocker" task does not have any way of changing from the default encryption method and cipher strength to any of the other options:
AES 256-bit with Diffuser
AES 128-bit
AES 256-bit
Normally the BitLocker encryption method and cipher strength is controlled by Group Policy. This policy can be found in the Group Policy Editor (gpedit.msc) under the following node:
Computer Configuration --> Administrative Templates --> Windows Components --> BitLocker Drive Encryption
and under the following policy:
Choose drive encryption method and cipher strength (Windows 7 and Windows Server 2008 R2)
Configure encryption method (Windows Vista and Windows Server 2008)
The default setting in Windows for the BitLocker encryption method and cipher strength is "AES 128-bit with Diffuser". This setting can be changed using the above policy. However, when running a ConfigMgr 2007 Task Sequence, a policy that changes the default encryption method and cipher strength may have not been applied by the time that the "Enable BitLocker" task runs.
To ensure that "Enable BitLocker" task encrypts the drive at the proper encryption method and cipher strength, add a "Run Command Line" task to the Task Sequence that sets the BitLocker encryption method and cipher strength correctly via a registry entry:
In the "Name:" text box, enter:
Set BitLocker Encryption Method and Cipher Strength
In the "Command line:" text box, enter in one of the following registry commands depending on the encryption method and cipher strength desired:
AES 256-bit with Diffuser
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f
AES 128-bit
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f
AES 256-bit
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f
After the "Enable BitLocker" step has run and BitLocker has been enabled, the encryption method and cipher strength applied can be checked by running the following command at an elevated command prompt after the Task Sequence has completed:
Manage-bde –status <Drive_Letter>
where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:
Manage-bde –status c:
The above command can also be used to check the current progress of the drive encryption and/or if the encryption has been completed on the drive.
Keywords: vkball, kb