How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task in ConfigMgr 2007


By default, the "Enable BitLocker" task of a System Center Configuration Manager 2007 Task Sequence uses an encryption method and cipher strength of "AES 128-bit with Diffuser". The "Enable BitLocker" task itself offers no option to change from that default to any of the other available methods:

  • AES 256-bit with Diffuser
  • AES 128-bit
  • AES 256-bit

Normally the BitLocker encryption method and cipher strength are controlled by Group Policy. The policy can be found in the Group Policy Editor (gpedit.msc) under the following node:

Computer Configuration --> Administrative Templates --> Windows Components --> BitLocker Drive Encryption

and under the following policy:

  • Choose drive encryption method and cipher strength (Windows 7 and Windows Server 2008 R2)
  • Configure encryption method (Windows Vista and Windows Server 2008)

The default setting in Windows for the BitLocker encryption method and cipher strength is "AES 128-bit with Diffuser". This setting can be changed using the above policy; however, when a ConfigMgr 2007 Task Sequence runs, a policy that changes the default encryption method and cipher strength may not yet have been applied by the time the "Enable BitLocker" task runs, so the drive is encrypted with the default.

To ensure that the "Enable BitLocker" task encrypts the drive at the proper encryption method and cipher strength, add a "Run Command Line" task to the Task Sequence that sets the BitLocker encryption method and cipher strength correctly via a registry entry:

1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.

2. Right click on the affected Task Sequence and choose "Edit".

3. Click on the task immediately BEFORE the "Enable BitLocker" task.

4. Click on "Add" --> "General" --> "Run Command Line". This should add a "Run Command Line" task immediately before the "Enable BitLocker" task.

5. In the newly created "Run Command Line" task:

  • In the "Name:" text box, enter:

Set BitLocker Encryption Method and Cipher Strength

  • In the "Command line:" text box, enter one of the following registry commands, depending on the encryption method and cipher strength desired:

AES 256-bit with Diffuser
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f

AES 128-bit
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f

AES 256-bit
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f

6. Click on the "OK" or "Apply" button to save the Task Sequence.
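The "reg add" command above is all the "Run Command Line" step needs. The following PowerShell script is an added example (not part of the original post or of ConfigMgr) that does the same thing with a readback check, so that the step fails, and the Task Sequence stops before encrypting, if the value did not land. The script name, the -Method parameter and its value names are assumptions of this example; the DWORD values are the ones listed in the post.

```powershell
# Added example, not from the original post: sets the BitLocker encryption
# method policy value that the "Enable BitLocker" step will honour, then reads
# it back. Intended for a "Run Command Line" step such as (names assumed):
#   powershell.exe -ExecutionPolicy Bypass -File Set-BitLockerMethod.ps1 -Method AES256Diffuser
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('AES256Diffuser', 'AES128', 'AES256')]
    [string]$Method
)

# DWORD values for HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod as
# listed in the post. The Windows default (AES 128-bit with Diffuser) is what
# applies when the value is absent, so it has no entry here.
$methodValues = @{
    AES256Diffuser = 2
    AES128         = 3
    AES256         = 4
}

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName = 'EncryptionMethod'

# Create the policy key if no BitLocker policy has been applied to this machine yet.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Same effect as the post's "reg add ... /t REG_DWORD /d <n> /f" (-Force overwrites).
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $methodValues[$Method] -Force | Out-Null

# Read the value back and fail the step with a non-zero exit code if it did not
# stick, so the Task Sequence does not go on to encrypt with the wrong method.
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($actual -ne $methodValues[$Method]) {
    Write-Error "EncryptionMethod is '$actual', expected $($methodValues[$Method]) ($Method)"
    exit 1
}
Write-Output "EncryptionMethod set to $actual ($Method)"
exit 0
```

The value only governs volumes that are encrypted after it is set; a volume that was already encrypted with "AES 128-bit with Diffuser" keeps that method, which is why the step must sit before "Enable BitLocker" rather than anywhere later in the sequence.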

After the Task Sequence has completed and BitLocker has been enabled, the encryption method and cipher strength actually applied can be checked by running the following command at an elevated command prompt:

manage-bde -status <Drive_Letter>

where <Drive_Letter> is the drive letter of the disk where BitLocker was enabled (without the brackets <>). For example, to check the encryption method and cipher strength on the C: drive, run the command:

manage-bde -status c:

The same command also shows the current progress of the drive encryption and whether encryption has completed on the drive.
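Reading the manage-bde output by eye works for one machine; for a fleet it helps to parse it. The following PowerShell function is an added example (not part of the original post) that runs manage-bde -status for a drive, extracts the "Encryption Method", "Conversion Status" and "Percentage Encrypted" lines, and returns a non-zero exit code when the method differs from the one the Task Sequence was meant to set. The function and parameter names are assumptions, and the manage-bde output embedded at the bottom is a constructed sample (not captured from a real host) so the parsing can be exercised offline.

```powershell
# Added example, not from the original post. Function/parameter names are assumed.
function Get-BitLockerStatusInfo {
    param(
        [string]$DriveLetter = 'C:',
        # Optional: pass captured manage-bde output to parse it without running the tool.
        [string[]]$StatusText
    )
    if (-not $StatusText) {
        # Same command the post recommends; stderr merged so errors are visible too.
        $StatusText = & manage-bde.exe -status $DriveLetter 2>&1
    }
    $info = @{ Method = $null; Conversion = $null; Percent = $null }
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $info.Method = $matches[1]
        }
        elseif ($line -match '^\s*Conversion Status:\s*(.+?)\s*$') {
            $info.Conversion = $matches[1]
        }
        elseif ($line -match '^\s*Percentage Encrypted:\s*([\d.]+)%') {
            $info.Percent = [double]$matches[1]
        }
    }
    return $info
}

# Constructed sample of "manage-bde -status C:" output (not from a real machine).
$sample = @'
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OSDisk]
[OS Volume]

    Size:                 119.24 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 42%
    Encryption Method:    AES 256 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password
'@ -split "`r?`n"

# Parse the sample; drop -StatusText to query the live machine instead.
$status = Get-BitLockerStatusInfo -DriveLetter 'C:' -StatusText $sample

# The method the Task Sequence was supposed to set (policy value 2 in the post).
$expected = 'AES 256 with Diffuser'
if ($status.Method -ne $expected) {
    Write-Error "Drive encrypted with '$($status.Method)', expected '$expected'"
    exit 1
}
Write-Output ("Method OK: {0}; {1} ({2}% encrypted)" -f $status.Method, $status.Conversion, $status.Percent)
exit 0
```

A mismatch here means the drive was encrypted before the policy value was in place and the only remedy is to decrypt and re-encrypt, so the check is most useful as a post-build compliance report rather than as something to "fix" in place.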

Frank Rojas | System Center Support Escalation Engineer

  • Know any good way to automatically back up the plain text password to a network share?  From what I can tell, the GPO only sets the default directory.  It does not actually back up the recovery password file.

  • Is it possible to make this change for Task Sequences which encrypt using MBAM?

    I would like our current TS to set the Encryption Type to 'AES 256-bit with Diffuser'.

  • Found a solution - Adding the following entry into the "AddMBAMRegEntries.reg" file (see article blogs.technet.com/.../using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx) changes the Encryption Method to 'AES 256-bit with Diffuser':

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

    "EncryptionMethod"=dword:00000002