    How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task in ConfigMgr 2007

    By Ronni Pedersen on November 12, 2010 Uncategorized

    By default, the "Enable BitLocker" task of a System Center Configuration Manager 2007 Task Sequence uses an encryption method and cipher strength of "AES 128-bit with Diffuser". However, the "Enable BitLocker" task itself offers no way to change from that default to any of the other options:

    AES 256-bit with Diffuser
    AES 128-bit
    AES 256-bit

    Normally the BitLocker encryption method and cipher strength is controlled by Group Policy. This policy can be found in the Group Policy Editor (gpedit.msc) under the following node:

    Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption

    and under the following policy:

    Choose drive encryption method and cipher strength (Windows 7 and Windows Server 2008 R2)
    Configure encryption method (Windows Vista and Windows Server 2008)

    The default setting in Windows for the BitLocker encryption method and cipher strength is "AES 128-bit with Diffuser". This setting can be changed using the above policy; however, when running a ConfigMgr 2007 Task Sequence, a Group Policy that changes the default encryption method and cipher strength may not have been applied yet by the time the "Enable BitLocker" task runs.

    To ensure that the "Enable BitLocker" task encrypts the drive at the proper encryption method and cipher strength, add a "Run Command Line" task to the Task Sequence that sets the BitLocker encryption method and cipher strength correctly via a registry entry:

    1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" –> "Operating System Deployment" –> "Task Sequences" node.

    2. Right click on the affected Task Sequence and choose "Edit".

    3. Click on the task immediately BEFORE the "Enable BitLocker" task.

    4. Click on "Add" –> "General" –> "Run Command Line". This should add a "Run Command Line" task immediately before the "Enable BitLocker" task.

    5. In the newly created "Run Command Line" task:

    In the "Name:" text box, enter: Set BitLocker Encryption Method and Cipher Strength

    In the "Command line:" text box, enter in one of the following registry commands depending on the encryption method and cipher strength desired:

      AES 256-bit with Diffuser
      reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f

      AES 128-bit
      reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f

      AES 256-bit
      reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f

    6. Click on the "OK" or "Apply" button to save the Task Sequence.

    After the "Enable BitLocker" step has run and BitLocker has been enabled, the encryption method and cipher strength actually applied can be checked by running the following command at an elevated command prompt once the Task Sequence has completed:

    Manage-bde -status <Drive_Letter>

    where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:

    Manage-bde -status c:

    The above command can also be used to check the current progress of the drive encryption and/or if the encryption has been completed on the drive.
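    The same two steps (set the policy value before "Enable BitLocker", verify the drive afterwards) as a PowerShell script. This is an added example, not part of the original post; the function names Set-BitLockerMethodPolicy and Test-BitLockerMethod are invented here, and the check assumes manage-bde prints its "Encryption Method:" line in English.

```powershell
# Added example, not from the original post: PowerShell equivalent of the
# "Run Command Line" step above, plus a post-deployment check of the result.
# Function names are invented here; PowerShell 2.0 syntax for Windows 7 hosts.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# EncryptionMethod values as listed above (1 is the Windows default).
$MethodValues = @{
    'AES 128-bit with Diffuser' = 1
    'AES 256-bit with Diffuser' = 2
    'AES 128-bit'               = 3
    'AES 256-bit'               = 4
}

function Set-BitLockerMethodPolicy {
    param([Parameter(Mandatory=$true)][string]$Method)
    if (-not $MethodValues.ContainsKey($Method)) {
        throw "Unknown method '$Method'. Valid: $($MethodValues.Keys -join ', ')"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EncryptionMethod -Value $MethodValues[$Method] -Type DWord
    # Read back so the Task Sequence step fails loudly if the write did not stick.
    $actual = (Get-ItemProperty -Path $PolicyKey -Name EncryptionMethod).EncryptionMethod
    if ($actual -ne $MethodValues[$Method]) {
        throw "EncryptionMethod is $actual, expected $($MethodValues[$Method])"
    }
    return $actual
}

# Post-deployment check: read the "Encryption Method:" line from manage-bde -status
# and compare it with the intended method (manage-bde prints e.g. "AES 256").
function Test-BitLockerMethod {
    param([string]$Drive = 'C:', [Parameter(Mandatory=$true)][string]$Expected)
    $status = & manage-bde -status $Drive 2>&1 | Out-String
    if (-not ($status -match 'Encryption Method:\s*(.+)')) {
        throw "Could not find the encryption method for $Drive in manage-bde output"
    }
    $actual = $Matches[1].Trim()
    if ($actual -ne $Expected) {
        Write-Warning "$Drive is encrypted with '$actual', expected '$Expected'"
        return $false
    }
    return $true
}

# Before "Enable BitLocker" (Run Command Line: powershell.exe -ExecutionPolicy Bypass -File <script>):
Set-BitLockerMethodPolicy -Method 'AES 256-bit' | Out-Null
# After the Task Sequence has completed, on the deployed machine:
# Test-BitLockerMethod -Drive 'C:' -Expected 'AES 256'
```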


    Author of this post: Frank Rojas | System Center Support Escalation Engineer

    Original Post: http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx
