Deploying legacy Windows with Configuration Manager 1702 and Windows ADK 1703

I built some machines to test upgrading from legacy Windows (7 and 8.1) to Windows 10 CB 1073. I created a standard UDI task sequence that could install Windows 7, 8.1 or 10 and built my first Windows 8.1 system. Instead of the normal Windows Setup screen after the reboot, this occurred:

The disk appeared to be locked, but it should not have been locked, since the BitLocker pre-provision step does not set up any protectors. When I rebooted into Windows PE, the disk was unlocked. Next, I mounted the disk in Server 2016; it was unlocked, and everything looked just fine. Since I needed to get some testing done, I disabled the BitLocker step and built out my test machines. This was fine for initial testing, but I still needed to test with BitLocker enabled.

The problem was the default encryption type that Windows PE 1703 uses, which is not supported by legacy operating systems.

BitLocker has several encryption types it can use:

| Encryption Type | Registry setting | Notes |
|---|---|---|
| AES 128 with Diffuser | 1 | Default in Windows 7; deprecated in Windows 8 |
| AES 256 with Diffuser | 2 | Deprecated in Windows 8 |
| AES 128 | 3 | Default in Windows 8 |
| AES 256 | 4 | |
| XTS-AES 128 | 5 | Default in Windows 10; introduced in Windows 10 |
| XTS-AES 256 | 6 | |

Note: Specifying 1 or 2 will use AES without the diffuser on Windows 8 and Windows 10.

The default encryption type can be changed by setting HKLM\Software\Policies\Microsoft\FVE\EncryptionMethod before the Pre-Provision BitLocker step in the task sequence. The step below sets the encryption type to AES 256 (registry value 4).
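As an added example (not the script from the original post), the following PowerShell can be run as a task sequence step in Windows PE before the Pre-Provision BitLocker step. The registry path and the value table come from the post; the parameter names and the Windows 7/8.1 compatibility check are this example's own assumptions.

```powershell
# Sets the BitLocker EncryptionMethod policy in the WinPE registry so that
# Pre-Provision BitLocker encrypts with a method the target OS can read.
# Run as a "Run PowerShell Script" task sequence step (execution policy Bypass).
param(
    [ValidateSet('AES128Diffuser','AES256Diffuser','AES128','AES256','XTSAES128','XTSAES256')]
    [string]$Method = 'AES256',

    # Set this switch when the task sequence deploys Windows 7 or 8.1: those
    # versions cannot open XTS-AES volumes, so values 5 and 6 are refused.
    [switch]$LegacyTarget
)

# Method name -> registry value, as listed in the table above.
$methodValues = @{
    AES128Diffuser = 1
    AES256Diffuser = 2
    AES128         = 3
    AES256         = 4
    XTSAES128      = 5
    XTSAES256      = 6
}

$value = $methodValues[$Method]
if ($LegacyTarget -and $value -ge 5) {
    throw "EncryptionMethod $value (XTS-AES) is not supported by Windows 7/8.1; use AES128 or AES256."
}

# The Policies\Microsoft\FVE key normally does not exist in WinPE; create it first.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'EncryptionMethod' -PropertyType DWord -Value $value -Force | Out-Null

# Read the value back so smsts.log records what was actually applied, and
# fail the step if it does not match.
$applied = (Get-ItemProperty -Path $keyPath -Name 'EncryptionMethod').EncryptionMethod
Write-Output "EncryptionMethod set to $applied ($Method)"
if ($applied -ne $value) { exit 1 }
```

Run it with `-Method AES256 -LegacyTarget` when the same task sequence is used for Windows 7 and 8.1 builds, so an accidental XTS-AES selection fails the step instead of producing an unreadable disk.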

The modified task sequence completed and the systems were encrypted with AES 256 encryption.

This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services.  

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.