I built some machines to test upgrading from legacy Windows (7 & 8.1) to Windows 10 CB 1073. I created a standard UDI task sequence that could install Windows 7, 8.1 or 10 and built my first Windows 8.1 system. Instead of the normal Windows setup screen after the reboot, this occurred:
The disk appeared to be locked, but it should not have been locked, since the BitLocker pre-provision step does not set up any key protectors. When I rebooted into Windows PE, the disk was unlocked. Next, I mounted the disk on a Server 2016 system; it was unlocked there too, and everything looked just fine. Since I needed to get some testing done, I disabled the BitLocker step and built out my test machines. That was fine for initial testing, but I still needed to test with BitLocker enabled.
The problem was the default encryption type that Windows PE 1703 uses. It is not supported in the legacy operating systems, so a Windows 7 or 8.1 installation cannot unlock a volume that was pre-provisioned with it.
BitLocker has several encryption types it can use:

| Encryption type | Registry setting | Notes |
|---|---|---|
| AES 128 with Diffuser | 1 | Default in Windows 7; deprecated in Windows 8 |
| AES 256 with Diffuser | 2 | Deprecated in Windows 8 |
| AES 128 | 3 | Default in Windows 8 |
| XTS-AES 128 | 5 | Default in Windows 10; introduced in Windows 10 |

Note: Specifying 1 or 2 will use AES without diffuser in Windows 8 and Windows 10.
The default encryption type can be changed by setting HKLM\Software\Policies\Microsoft\FVE\EncryptionMethod before the Pre-Provision BitLocker step in the task sequence, so that the value is already in place when the BitLocker engine in Windows PE starts encrypting. The step below sets the encryption type to AES 256.
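The following script is an added example, not the author's task sequence step (which was shown as a screenshot). It is written for a Run PowerShell Script step placed immediately before Pre-Provision BitLocker, and it assumes the boot image includes the WinPE-PowerShell optional component (if not, the same registry write can be done from a Run Command Line step with reg add). It also assumes that EncryptionMethod value 4 selects AES 256 without diffuser; that value is not listed in the table above and comes from the BitLocker policy definition, so check it against your own policy template before relying on it.

```powershell
# Added example: pre-set the BitLocker encryption method that the
# "Pre-Provision BitLocker" step will use while running in Windows PE.
# Run this step BEFORE Pre-Provision BitLocker in the task sequence.
#
# Assumption: EncryptionMethod = 4 means AES 256 (no diffuser). This value
# is taken from the BitLocker policy definition, not from the post's table.

$fvePolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$encryptionMethod = 4   # AES 256, assumed value (see note above)

# A fresh Windows PE session has no Policies\Microsoft\FVE key, so create it.
if (-not (Test-Path -Path $fvePolicyKey)) {
    New-Item -Path $fvePolicyKey -Force | Out-Null
}

# Write (or overwrite) the policy value as REG_DWORD, which is the type the
# BitLocker engine expects for this setting.
New-ItemProperty -Path $fvePolicyKey -Name 'EncryptionMethod' `
    -Value $encryptionMethod -PropertyType DWord -Force | Out-Null

# Read the value back so the task sequence log records what was actually set,
# and fail the step if the write did not take effect.
$current = (Get-ItemProperty -Path $fvePolicyKey -Name 'EncryptionMethod').EncryptionMethod
if ($current -ne $encryptionMethod) {
    Write-Error "EncryptionMethod is '$current', expected $encryptionMethod"
    exit 1
}

Write-Output "EncryptionMethod set to $current (AES 256) before Pre-Provision BitLocker"
exit 0
```

After the deployment finishes, confirm on the built machine which cipher was actually used: `manage-bde -status C:` works on Windows 7 and later and prints an "Encryption Method" line, and on Windows 8.1 and 10 `Get-BitLockerVolume -MountPoint C:` reports the same thing in its EncryptionMethod property. If a legacy target still shows the Windows 10 default cipher, the registry step ran after Pre-Provision BitLocker rather than before it.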
The modified task sequence completed successfully, and the systems were encrypted with AES 256.
This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services.