
Windows 10 OSD: Enabling BitLocker XTS-AES 256 on Multiple Drives with Full Disk Encryption

Scenario: a client requires their Windows 10 drives C: and D: to be encrypted with the XTS-AES 256 encryption method, fully encrypted (full disk rather than used space only), with the BitLocker recovery key stored in Active Directory.

The steps below will show how to set it up in the task sequence.

Set Windows 10 Registry Settings

After the post-OS-install phase, create a group called BitLocker Registry Settings. We can't wait for the GPO to push down during the OSD, so the task sequence has to write the following registry values into Windows 10 itself.

Set EncryptionMethod

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

Set EncryptionMethodWithXtsOs

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f

Set EncryptionMethodWithXtsFdv

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsFdv /t REG_DWORD /d 7 /f

Set EncryptionMethodWithXtsRdv

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsRdv /t REG_DWORD /d 7 /f

Set OSEncryptionType

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 1 /f

Enabling BitLocker

In the last part of the task sequence, create a group called Enable BitLocker.

Set the TPM and PIN

Set BitLocker PIN

manage-bde -protectors -add C: -TPMAndPIN 1234567890

Enable BitLocker on drive C:. This drive must be enabled first; the recovery key will automatically be stored in Active Directory.

Enable BitLocker in Drive C

manage-bde -on C: -rp

Windows requires a reboot to fully enable BitLocker on drive C:. To let the ZTI continue without user intervention, we disable the protectors so that Windows skips the BitLocker PIN prompt for just one reboot.

Disable BitLocker Protectors on Drive C for a Single Reboot

manage-bde -protectors -disable C:

Enable BitLocker in Drive D

manage-bde -on D: -rp

We need to enable BitLocker auto-unlock on D:, otherwise users will be prompted for a key every time they access this drive.

Set BitLocker Autounlock in Drive D

manage-bde -autounlock -enable d:

BitLocker verification

After the OSD is finished, log in to Windows, open a command prompt, run manage-bde -status, and verify that the BitLocker settings have been applied.
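To script that verification step, here is an added PowerShell check that is not from the original post. It assumes the BitLocker module's Get-BitLockerVolume that ships with Windows 10, and the same policy path and drive letters as the task sequence above.

```powershell
# Added example, not part of the original post: post-OSD check of the BitLocker result.
# Assumes Get-BitLockerVolume (Windows 10 BitLocker module) and the FVE policy path used above.
function Test-BitLockerOsdResult {
    param(
        [string]$OsDrive = 'C:',
        [string[]]$DataDrives = @('D:'),
        [string]$ExpectedMethod = 'XtsAes256'
    )
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    foreach ($mp in @($OsDrive) + $DataDrives) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol) {
            [pscustomobject]@{ MountPoint = $mp; Found = $false; Compliant = $false }
            continue
        }
        $isOs  = ($mp -eq $OsDrive)
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # OSEncryptionType 1 = full encryption (the value the task sequence wrote).
        # VolumeStatus reports EncryptionInProgress while the background conversion
        # is still running, which is normal right after OSD.
        $checks = [ordered]@{
            MountPoint     = $mp
            Found          = $true
            MethodOk       = ($vol.EncryptionMethod -eq $ExpectedMethod)
            Encrypting     = ($vol.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress')
            FullDiskPolicy = (-not $isOs) -or ($fve.OSEncryptionType -eq 1)
            ProtectionOn   = ($vol.ProtectionStatus -eq 'On')   # 'Off' = protectors still disabled
            RecoveryPwd    = ($types -contains 'RecoveryPassword')
            TpmPin         = (-not $isOs) -or ($types -contains 'TpmPin')   # OS drive only
            AutoUnlock     = $isOs -or [bool]$vol.AutoUnlockEnabled          # data drives only
        }
        # Compliant only when no boolean check above came back $false
        $failed = @($checks.Values | Where-Object { $_ -is [bool] -and -not $_ })
        $checks.Compliant = ($failed.Count -eq 0)
        [pscustomobject]$checks
    }
}

# Run after logging in once the OSD has completed
Test-BitLockerOsdResult | Format-Table -AutoSize
```

Whether the recovery password actually reached Active Directory cannot be seen from the client; confirm that separately against the computer object in AD.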

About Jay-R Barrios

EUC Consultant | Modern Endpoint Management | Intune | SCCM | Windows | Community Leader | Microsoft MVP Alumni

Discussion

2 thoughts on “Windows 10 OSD: Enabling BitLocker XTS-AES 256 on Multiple Drives with Full Disk Encryption”

  1. As far as I know the HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod registry value does not accept “7” but only 1, 2, 3 or 4.

     Posted by Mathieu Ait Azzouzene | November 7, 2019, 6:26 pm
