By default, the "Enable BitLocker" task of a System Center Configuration Manager 2007 Task Sequence defaults to an encryption method and cipher strength of "AES 128-bit with Diffuser". However, the "Enable BitLocker" task does not have any way of changing from the default encryption method and cipher strength to any of the other options:
AES 256-bit with Diffuser
AES 128-bit
AES 256-bit
Normally the BitLocker encryption method and cipher strength is controlled by Group Policy. This policy can be found in the Group Policy Editor (gpedit.msc) under the following node:
Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption
and under the following policy:
Choose drive encryption method and cipher strength (Windows 7 and Windows Server 2008 R2)
Configure encryption method (Windows Vista and Windows Server 2008)
The default setting in Windows for the BitLocker encryption method and cipher strength is "AES 128-bit with Diffuser". This setting can be changed using the above policy, however when running a ConfigMgr 2007 Task Sequence a policy that changes the default encryption method and cipher strength may have not been applied by the time that the "Enable BitLocker" task runs.
To ensure that the "Enable BitLocker" task encrypts the drive at the proper encryption method and cipher strength, add a "Run Command Line" task to the Task Sequence that sets the BitLocker encryption method and cipher strength correctly via a registry entry:
1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" –> "Operating System Deployment" –> "Task Sequences" node.
2. Right click on the affected Task Sequence and choose "Edit".
3. Click on the task immediately BEFORE the "Enable BitLocker" task.
4. Click on "Add" –> "General" –> "Run Command Line". This should add a "Run Command Line" task immediately before the "Enable BitLocker" task.
5. In the newly created "Run Command Line" task:
In the "Name:" text box, enter: Set BitLocker Encryption Method and Cipher Strength
In the "Command line:" text box, enter in one of the following registry commands depending on the encryption method and cipher strength desired:
- AES 256-bit with Diffuser
reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod /t REG_DWORD /d 2 /f
AES 128-bit
reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod /t REG_DWORD /d 3 /f
AES 256-bit
reg add HKLMSOFTWAREPoliciesMicrosoftFVE /v EncryptionMethod /t REG_DWORD /d 4 /f
6. Click on the "OK" or "Apply" button to save the Task Sequence.
After the "Enable BitLocker" step has run and BitLocker has been enabled, the encryption method and cipher strength applied can be checked by running the following command at an elevated command prompt after the Task Sequence has completed:
Manage-bde –status <Drive_Letter>
where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:
Manage-bde –status c:
The above command can also be used to check the current progress of the drive encryption and/or if the encryption has been completed on the drive.
Author of this post: Frank Rojas | System Center Support Escalation Engineer