Scenario: A client requires that the Windows 10 drives C: and D: be protected with BitLocker using the XTS-AES 256 encryption method, fully encrypted (not used-space-only), with the BitLocker recovery key stored in Active Directory.

The steps below show how to set this up in the task sequence.

Set Windows 10 Registry Settings

After the OS has been installed, create a group called BitLocker Registry Settings. We can't wait for the GPO to apply during the OSD, so the task sequence has to write the following policy values into the Windows 10 registry itself. They are the same values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the BitLocker Drive Encryption group policies set: 7 selects XTS-AES 256 (6 would be XTS-AES 128, 4 AES-CBC 256) and OSEncryptionType 1 selects full encryption (2 is used space only). These steps must run in the full OS (for example in the State Restore phase, or after Setup Windows and ConfigMgr), not in WinPE, where HKLM is the boot image's own hive.

Set EncryptionMethod (the older policy value; Windows 10 reads the three WithXts values below, but keep this one in step with them)

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f


Set EncryptionMethodWithXtsOs (operating system drives)

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f


Set EncryptionMethodWithXtsFdv (fixed data drives, such as D:)

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsFdv /t REG_DWORD /d 7 /f


Set EncryptionMethodWithXtsRdv (removable data drives)

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsRdv /t REG_DWORD /d 7 /f

Note that removable drives encrypted with XTS-AES cannot be opened on Windows 7 or 8.1, which only support AES-CBC. If the client's removable drives must also be used on older systems, set this value to 4 (AES-CBC 256) instead.

Set OSEncryptionType (1 = full encryption, 2 = used space only)

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 1 /f

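The same registry group as a single Run PowerShell Script step, added here as an example; these are not the post's own commands. It writes the five values above and then reads them back, so the step fails if a value did not land instead of letting manage-bde silently fall back to the default cipher. It also stages the AD-backup and PIN policy values that the later Enable BitLocker steps depend on; those additional value names are taken from the BitLocker ADMX and are an assumption about the client's GPO, so confirm them against a machine on which the GPO has applied (reg query HKLM\SOFTWARE\Policies\Microsoft\FVE) before relying on them. The function names Set-FvePolicy and Test-FvePolicy are mine.

```powershell
# Added example, not the post's own commands: stage the FVE policy values as one
# "Run PowerShell Script" step and read them back so the step fails if a value
# did not land. Must run in the full OS (State Restore / after "Setup Windows and
# ConfigMgr"), not in WinPE, where HKLM is the boot image's hive.
$ErrorActionPreference = 'Stop'
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# First six entries: the values from the post (7 = XTS-AES 256, 1 = full encryption).
# The remaining names are ASSUMPTIONS about the client's GPO, taken from the
# BitLocker ADMX: they let a TPM+PIN protector be added and send the recovery
# password to AD before the GPO itself has applied. Confirm them against a machine
# where the GPO has applied before relying on them.
$WantedPolicy = [ordered]@{
    EncryptionMethod                = 7   # older value; Windows 10 reads the WithXts ones
    EncryptionMethodWithXtsOs       = 7   # OS drives
    EncryptionMethodWithXtsFdv      = 7   # fixed data drives (D:)
    EncryptionMethodWithXtsRdv      = 7   # removable drives (not readable on Windows 7/8.1)
    OSEncryptionType                = 1   # 1 = full, 2 = used space only
    FDVEncryptionType               = 1   # same enforcement for fixed data drives
    UseAdvancedStartup              = 1   # "Require additional authentication at startup": Enabled
    UseTPMPIN                       = 2   # 0 = do not allow, 1 = require, 2 = allow TPM+PIN
    OSRecovery                      = 1   # recovery policy for OS drives enabled
    OSRecoveryPassword              = 2   # allow the 48-digit recovery password
    OSActiveDirectoryBackup         = 1   # store recovery info in AD DS
    OSRequireActiveDirectoryBackup  = 1   # refuse to enable BitLocker if the backup fails
    OSActiveDirectoryInfoToStore    = 1   # 1 = passwords and key packages, 2 = passwords only
    FDVRecovery                     = 1   # same four settings for fixed data drives
    FDVRecoveryPassword             = 2
    FDVActiveDirectoryBackup        = 1
    FDVRequireActiveDirectoryBackup = 1
    FDVActiveDirectoryInfoToStore   = 1
}

function Set-FvePolicy {
    # Same effect as reg.exe add ... /t REG_DWORD /f for every entry: create or overwrite.
    param([System.Collections.IDictionary]$Values, [string]$Path = $FvePolicyPath)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Test-FvePolicy {
    # Returns $true when every wanted value is present with the wanted data;
    # throws (failing the task sequence step) listing every mismatch otherwise.
    param([System.Collections.IDictionary]$Values, [string]$Path = $FvePolicyPath)
    $actual = Get-ItemProperty -Path $Path
    $mismatches = foreach ($name in $Values.Keys) {
        if ($actual.$name -ne $Values[$name]) { "$name=$($actual.$name) (wanted $($Values[$name]))" }
    }
    if ($mismatches) { throw "FVE policy not applied: $($mismatches -join ', ')" }
    return $true
}

Set-FvePolicy -Values $WantedPolicy
Test-FvePolicy -Values $WantedPolicy
```

A terminating error from Test-FvePolicy fails the step, which is what you want: a machine should not continue to the Enable BitLocker group with the wrong cipher or without the AD backup policy in place.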

 

Enabling BitLocker

At the end of the task sequence create a group called Enable BitLocker and run the following commands in it, in this order.

Set the TPM and PIN. Add the TPM+PIN protector to C: before turning BitLocker on. This needs a TPM that is already initialised and a policy that permits a PIN (the "Require additional authentication at startup" setting, which lives in the same FVE registry key). A fixed PIN in a task sequence is visible to anyone who can read the task sequence or smsts.log, so treat it as a provisioning PIN and have the user change it after deployment with manage-bde -changepin C:.

Set BitLocker PIN

manage-bde -protectors -add C: -TPMAndPIN 1234567890


Enable BitLocker on drive C: next. The OS drive must be enabled first because the data drive's auto-unlock key is stored on the protected OS volume. The -rp switch adds a 48-digit numerical recovery password protector. It is stored in Active Directory automatically only if the "Store BitLocker recovery information in Active Directory Domain Services" policy is in effect when the protector is created; if that GPO has not applied during the OSD, either stage its FVE registry values in the registry group above or back the protector up explicitly with manage-bde -protectors -adbackup C: -id {ID}, where the ID comes from manage-bde -protectors -get C:.

Enable BitLocker in Drive C

manage-bde -on C: -rp


Windows requires a reboot to finish enabling BitLocker on drive C:. With a TPM+PIN protector that reboot would stop at the pre-boot PIN prompt, so to let the ZTI continue without user intervention we suspend the protectors for a single reboot; protection resumes by itself on the boot after that (adding -RebootCount 1 to the command makes the single-reboot behaviour explicit).

Suspend BitLocker Protectors on Drive C for a Single Reboot

manage-bde -protectors -disable C:


Enable BitLocker in Drive D

manage-bde -on D: -rp


We need to enable BitLocker auto-unlock on D:, otherwise the user is prompted to unlock the drive every time it is accessed. Auto-unlock stores an external key for D: on the protected OS volume, which is why C: had to be enabled first.

Set BitLocker Autounlock in Drive D

manage-bde -autounlock -enable d:


BitLocker verification

After the OSD has finished, log in to Windows, open a command prompt and run manage-bde -status to verify that the settings were applied. Both volumes should show Encryption Method: XTS-AES 256 and Conversion Status: Fully Encrypted (or Encryption in Progress while the full encryption is still running). C: should list TPM And PIN and Numerical Password as key protectors, D: should list Numerical Password and External Key (the auto-unlock key), and once the encryption has finished and the machine has rebooted once, Protection Status should be Protection On for both. Finally, confirm that the 48-digit recovery passwords appear on the computer object in Active Directory (the BitLocker Recovery tab in Active Directory Users and Computers, which needs the BitLocker Recovery Password Viewer feature installed).
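The Enable BitLocker group and the verification step as one PowerShell script, added here as an example; it is not the post's own command set. It uses the BitLocker module cmdlets (Add-BitLockerKeyProtector, Enable-BitLocker, Backup-BitLockerKeyProtector, Suspend-BitLocker, Enable-BitLockerAutoUnlock, Get-BitLockerVolume) in place of manage-bde, backs each recovery password up to AD explicitly rather than relying on the GPO having applied, and ends with the checks you would otherwise do by eye on the manage-bde -status output. It assumes an initialised TPM, a domain-joined machine, C: as the OS volume, D: as a fixed data volume, and the FVE policy values from the registry group already in place. The function names Backup-RecoveryPasswordToAd, Enable-ScenarioBitLocker and Test-ScenarioBitLocker are mine.

```powershell
# Added example, not the post's own commands: the Enable BitLocker group as one
# "Run PowerShell Script" step using the BitLocker module, followed by the check
# the post does by hand with manage-bde -status.
# Assumptions: TPM initialised, C: is the OS volume, D: a fixed data volume, the
# machine is domain joined, and the FVE policy values (XTS-AES 256, full
# encryption, AD backup) from the registry group are already in the registry.
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

# Provisioning PIN from the post; anyone who can read the task sequence or smsts.log
# knows it, so the user must change it after deployment (manage-bde -changepin C:).
$ProvisioningPin = ConvertTo-SecureString -String '1234567890' -AsPlainText -Force

function Backup-RecoveryPasswordToAd {
    # Explicit equivalent of manage-bde -protectors -adbackup for every recovery
    # password on the volume; a failure here is terminating and fails the step.
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

function Enable-ScenarioBitLocker {
    # 1. OS drive: recovery password plus TPM+PIN, XTS-AES 256, full encryption
    #    (no -UsedSpaceOnly). -SkipHardwareTest avoids the extra test reboot in the TS.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector `
        -Pin $ProvisioningPin -SkipHardwareTest | Out-Null
    Backup-RecoveryPasswordToAd -MountPoint 'C:'

    # 2. Suspend protection for exactly one reboot so the pre-boot PIN prompt does not
    #    stall the ZTI; protection resumes by itself on the boot after that.
    Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null

    # 3. Data drive: recovery password, then auto-unlock (its external key is stored
    #    on the protected OS volume, which is why C: had to go first).
    Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPasswordToAd -MountPoint 'D:'
    Enable-BitLockerAutoUnlock -MountPoint 'D:' | Out-Null
}

function Test-ScenarioBitLocker {
    # Returns $true when both volumes match the scenario; throws listing every
    # finding otherwise. Protection status is deliberately not checked here,
    # because C: stays suspended until the next reboot.
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($mp in 'C:', 'D:') {
        $v = Get-BitLockerVolume -MountPoint $mp
        $status = "$($v.VolumeStatus)"
        if ("$($v.EncryptionMethod)" -ne 'XtsAes256') { $findings.Add("$mp cipher is $($v.EncryptionMethod)") }
        if ($status -notin @('FullyEncrypted', 'EncryptionInProgress')) { $findings.Add("$mp status is $status") }
        if ($v.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') { $findings.Add("$mp has no recovery password") }
    }
    if ((Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
        $findings.Add('C: has no TPM+PIN protector')
    }
    if (-not (Get-BitLockerVolume -MountPoint 'D:').AutoUnlockEnabled) { $findings.Add('D: auto-unlock is off') }
    if ($findings.Count -gt 0) { throw ($findings -join '; ') }
    return $true
}

Enable-ScenarioBitLocker
Test-ScenarioBitLocker
```

Because every failure is a terminating error, a machine with the wrong cipher, a missing recovery password or a failed AD backup fails the task sequence step instead of finishing the deployment looking healthy. Test-ScenarioBitLocker can also be run on its own after login in place of reading manage-bde -status.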


2 responses to “Windows 10 OSD: Enabling BitLocker XTS-AES 256 on Multiple Drives with Full Disk Encryption”

  1. Mathieu Ait Azzouzene

    As far as I know the HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod registry value does not accept “7” but only 1,2,3 or 4.

    1. Mathieu Ait Azzouzene

      My bad, it appears 7 is an acceptable value
