Windows versions prior to Windows 10 build 1511 fail to start after the "Setup Windows and Configuration Manager" step when Pre-Provision BitLocker is used with Windows PE 10.0.586.0 (1511)


Consider the following scenario:

You have installed the Windows ADK 1511 and applied KB3143760 to your boot images.

You want to install a Windows version prior to Windows 10 build 1511 using your new 1511 boot images. Within your task sequence you use the built-in "Pre-Provision BitLocker" task sequence step to enable "Used space only encryption", which speeds up BitLocker drive encryption. Everything seems to work as usual, but after the "Setup Windows and Configuration Manager" step your device boots to a recovery screen reading "There are no more BitLocker recovery options on your PC", as in the screenshot below.

Affected operating system versions are:
Windows 7
Windows 8.x
Windows 10 Build 10240 (which includes Windows 10 LTSB 2015)

The reason for this is quite simple: as a security improvement, the default BitLocker encryption method in Windows 10 build 1511 was changed from AES 128 to XTS-AES 128. OS versions released prior to 1511 do not support this method, so a volume pre-provisioned with it cannot be unlocked at boot, which causes the problem.
More information: What's new in BitLocker?

With command support enabled in the boot image, this can be verified by running manage-bde.exe -status in the Windows PE phase and checking the reported encryption method.

The fix is very simple and requires a "Run Command Line" step with "reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f" placed before your "Pre-Provision BitLocker" task sequence step.

The "Disable 64-bit file system redirection" option on that step is only required if an x64 boot image is used.

If you prefer another encryption method, such as AES 256, check the following table or:
How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task in ConfigMgr 2007.

Value / Encryption Method / Meaning and Run Command Line syntax

Value 1, AES_128_WITH_DIFFUSER:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer, using an AES key size of 128 bits.
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 1 /f

Value 2, AES_256_WITH_DIFFUSER:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer, using an AES key size of 256 bits.
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f

Value 3, AES_128:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 128 bits.
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f

Value 4, AES_256:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 256 bits.
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f

Value 6, XTS_AES128 *:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 128 bits. This is the default of Windows PE 10.0.586.0 (1511 release).
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 6 /f

Value 7, XTS_AES256 *:
  The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 256 bits.
  reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

* Only supported for deployments of Windows 10 images of build version 1511 or higher.

Your OS deployment will work now, and the encryption method is again set to AES 128, as it used to be in older Windows PE releases.
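The reg.exe step above is all the fix needs. As an added example, not code from the original post or from ConfigMgr, the following PowerShell script does the same thing in a form that refuses an XTS value when the target OS is older than 1511 and reads the policy back so the task sequence log shows what "Pre-Provision BitLocker" will actually use. It is meant to run as a "Run Command Line" step before the "Pre-Provision BitLocker" step. The script name, the parameter names and the TargetOs labels are assumptions made for this example; the value-to-method mapping is the table above. The optional -ValueName parameter reflects a commenter's report below that WinPE 1607 reads EncryptionMethodWithXtsFdv instead of EncryptionMethod. PowerShell in Windows PE requires the WinPE-PowerShell optional component in the boot image, whereas reg.exe is always present, which is why the post uses reg.exe.

```powershell
<#
  Added example (not from the original post or ConfigMgr).
  Sets the BitLocker encryption-method policy in Windows PE before the
  "Pre-Provision BitLocker" step and verifies the value that was written.

  Run as a "Run Command Line" step, e.g.:
    powershell.exe -ExecutionPolicy Bypass -File Set-FveEncryptionMethod.ps1 -TargetOs Legacy -Method 3
  Script name, parameter names and TargetOs labels are assumptions for this example.
#>
param(
    # Legacy = Windows 7 / 8.x / Windows 10 build 10240; Win10_1511Plus = build 1511 or newer
    [ValidateSet('Legacy', 'Win10_1511Plus')]
    [string]$TargetOs = 'Legacy',

    # Value from the post's table; 3 (AES_128) restores the pre-1511 default
    [ValidateSet(1, 2, 3, 4, 6, 7)]
    [int]$Method = 3,

    # Policy value name; a commenter reports WinPE 1607 honours EncryptionMethodWithXtsFdv instead
    [ValidateSet('EncryptionMethod', 'EncryptionMethodWithXtsFdv')]
    [string]$ValueName = 'EncryptionMethod'
)

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Method names exactly as listed in the post's table
$MethodNames = @{
    1 = 'AES_128_WITH_DIFFUSER'
    2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'
    4 = 'AES_256'
    6 = 'XTS_AES128'
    7 = 'XTS_AES256'
}

# Fail the step early rather than produce a volume the target OS cannot unlock at boot
if ($TargetOs -eq 'Legacy' -and $Method -ge 6) {
    Write-Error "Method $Method ($($MethodNames[$Method])) is XTS-AES and is not supported by OS versions prior to Windows 10 1511."
    exit 1
}

# The FVE policy key usually does not exist yet in a fresh Windows PE session
if (-not (Test-Path -Path $FvePolicyKey)) {
    New-Item -Path $FvePolicyKey -Force | Out-Null
}

# Equivalent of: reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v <ValueName> /t REG_DWORD /d <Method> /f
Set-ItemProperty -Path $FvePolicyKey -Name $ValueName -Value $Method -Type DWord

# Read the value back so the task sequence log records what Pre-Provision BitLocker will see
$Applied = [int](Get-ItemProperty -Path $FvePolicyKey -Name $ValueName).$ValueName
Write-Output "$ValueName = $Applied ($($MethodNames[$Applied]))"

if ($Applied -ne $Method) {
    Write-Error "Policy value read back as $Applied, expected $Method"
    exit 1
}
exit 0
```

After the "Pre-Provision BitLocker" step has run, manage-bde.exe -status in the same Windows PE session should report AES 128 (or whichever method you selected) rather than XTS-AES 128; if it still shows XTS-AES, the policy was written to a value name the boot image does not honour, or the step ran after pre-provisioning instead of before it.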

Wilhelm J. Kocher
Senior PFE – EMEA

Comments (12)

  1. justin says:

    Another thing to keep in mind is the fact that this new default encryption also breaks the "Pre-Provision Bitlocker" step when used with Windows 10 Enterprise 2015 LTSB, as the build of this version is prior to 1511.

  2. Thanks a lot Justin for pointing this out. I changed the post to reflect this correctly. Windows 10 Enterprise 2015 LTSB is build version 10.0.240 which is older than 10.0.586 where this new encryption method was introduced. It fails the same way as Windows 7 and Windows 8.1.

  3. anonymouscommenter says:

    The Configuration Manager support team has published a post about a problem that can occur with System Center Configuration Manager if you install a version earlier than Windows 10 1511 with l.

  4. chatzki says:

    Thank you very much, Wilhelm! Now it works!

  5. Tobias Staley says:

    Unfortunately this fix did not work for me. The steps you show don’t exist for me, like pre-provision BitLocker. Is that because I am running a newer MDT (Version: 6.3.8330.1000), or Windows 10 PE (based on version 1607 released in July 2016)? So it's difficult knowing where to place your task as a result. I have placed it ahead of ‘Enable BitLocker (Offline)’ in the ‘Pre-Install’ and ‘State Restore’ phases. As both don’t work, it's likely the wrong place or the MDT process has changed. A similar Windows 10 build process works fine so I think the encryption type is incompatible with Windows 8.1.

    1. Frank Rojas says:

      The issue has nothing to do with MDT or MDT integration. The Pre-Provision BitLocker task is a ConfigMgr task that can be added to any Task Sequence via the Add –> Disks menu. However if you do not even have the Pre-Provision BitLocker task in your Task Sequence then you should not be running into the issue described in this article. It is the Pre-Provision BitLocker task that sets the encryption options that are not supported on older OSes. If you never run the Pre-Provision BitLocker task, then it never sets the encryption options, and you shouldn’t run into the issue. I am also not sure what the “Enable BitLocker (Offline)” task is. This is not a task that exists in either ConfigMgr or MDT integration. I also checked the current versions of MDT templates for ConfigMgr and do not see any “Enable BitLocker (Offline)” task. The MDT templates also use the ConfigMgr Pre-Provision BitLocker task. I suspect that you are using an MDT Task Sequence based on a template from a very old version of MDT. Anytime you upgrade MDT you should generate not only new MDT Toolkit Package and Settings packages, but also new MDT Task Sequences as the templates change and are updated between versions.

  6. Vinod says:

    Hi,

    Do I need to use the above steps if we use SCCM 1610 for the Windows 7 to Windows 10 migration process?

    1. Frank Rojas says:

      Can you please provide more information? Are you doing a Refresh Task Sequence or an In-Place Upgrade Task Sequence? Are you starting the Task Sequence in the original Windows 7 OS via either Software Center or a required deployment?

      1. Vinod says:

        Hi,

        It’s a refresh task sequence and we are using it as a required deployment. We have BitLocker and MBAM already running on Windows 7 devices and we would do the USMT with the wipe-and-build process, and BitLocker and MBAM too, during the Win 10 migration.

  7. Felyrion says:

    Thanks a lot for posting this! Our Win 8 deployment was stuck on this screen after preparing for Windows 10 deployment, and we couldn’t figure out what the difference was between the old boot image and the new! Lifesaver 🙂

  8. Nicolas Moreno says:

    When using WinPE v 10.0.14393 (1607) to deploy Windows 7 this only works when setting the following registry key:
    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsFdv /t REG_DWORD /d 3 /f

    EncryptionMethodWithXtsFdv is the correct key to use in WinPE 1607 to set the encryption method

  9. Setting the value to 3 got rid of the error in our environment, but Windows Setup took hours and hours “installing devices”. I used a value of 1 (AES_128_WITH_DIFFUSER) and now we’re up and running again.
