How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task in ConfigMgr 2007

0

By default, the "Enable BitLocker" task of a System Center Configuration Manager 2007 Task Sequence defaults to an encryption method and cipher strength of "AES 128-bit with Diffuser". However, the "Enable BitLocker" task does not have any way of changing from the default encryption method and cipher strength to any of the other options:

AES 256-bit with Diffuser
AES 128-bit
AES 256-bit

Normally the BitLocker encryption method and cipher strength is controlled by Group Policy. This policy can be found in the Group Policy Editor (gpedit.msc) under the following node:

Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption

and under the following policy:

Choose drive encryption method and cipher strength (Windows 7 and Windows Server 2008 R2)
Configure encryption method (Windows Vista and Windows Server 2008)

The default setting in Windows for the BitLocker encryption method and cipher strength is "AES 128-bit with Diffuser". This setting can be changed using the above policy, however when running a ConfigMgr 2007 Task Sequence a policy that changes the default encryption method and cipher strength may have not been applied by the time that the "Enable BitLocker" task runs.

To ensure that the "Enable BitLocker" task encrypts the drive at the proper encryption method and cipher strength, add a "Run Command Line" task to the Task Sequence that sets the BitLocker encryption method and cipher strength correctly via a registry entry:

1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" –> "Operating System Deployment" –> "Task Sequences" node.

2. Right click on the affected Task Sequence and choose "Edit".

3. Click on the task immediately BEFORE the "Enable BitLocker" task.

4. Click on "Add" –> "General" –> "Run Command Line". This should add a "Run Command Line" task immediately before the "Enable BitLocker" task.

5. In the newly created "Run Command Line" task:

In the "Name:" text box, enter: Set BitLocker Encryption Method and Cipher Strength

In the "Command line:" text box, enter in one of the following registry commands depending on the encryption method and cipher strength desired:

    AES 256-bit with Diffuser
    reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod  /t REG_DWORD /d 2 /f

    AES 128-bit
    reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod  /t REG_DWORD /d 3 /f

    AES 256-bit
    reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod  /t REG_DWORD /d 4 /f

6. Click on the "OK" or "Apply" button to save the Task Sequence.

After the "Enable BitLocker" step has run and BitLocker has been enabled, the encryption method and cipher strength applied can be checked by running the following command at an elevated command prompt after the Task Sequence has completed:

Manage-bde –status <Drive_Letter>

where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:

Manage-bde –status c:

The above command can also be used to check the current progress of the drive encryption and/or if the encryption has been completed on the drive.

 

Author of this post: Frank Rojas | System Center Support Escalation Engineer

Original Port: http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx

About Author

My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm is also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.

Leave A Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.