Enhance task sequence step preprovision bitlocker with encryptionmode options
For MBAM clients I want to use preprovisioned bitlocker volumes.
A requirement is to use the AES256 encryption mode. The pre provision bitlocker step defaults to aes128, and cannot be changed in the step itself.
I now have an extra step before the preprovision bitlocker step with this command:
cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f
Thanks to this website:
https://blog.alschneiter.com/2017/05/03/change-bitlocker-drive-encryption-to-xts-aes-256-during-osd-with-configmgr/
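
The workaround described above, generalized as an added example (not code from the original post or from Configuration Manager): one helper writes the `EncryptionMethod` policy value before the Pre-provision BitLocker step, and a second checks in the deployed OS that the volume really uses the intended method. The function names are hypothetical, and the first helper assumes PowerShell support has been added to the boot image.

```powershell
# Values of HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod.
# 4 is the value used in the command above; 7 selects XTS-AES 256.
$FveMethod = @{ Aes128 = 3; Aes256 = 4; XtsAes128 = 6; XtsAes256 = 7 }

function Set-PreProvisionEncryptionMethod {
    # Hypothetical helper: run as a step before "Pre-provision BitLocker".
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$Method
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EncryptionMethod' -PropertyType DWord `
        -Value $FveMethod[$Method] -Force | Out-Null
}

function Test-VolumeEncryptionMethod {
    # Hypothetical helper: run in the full OS at the end of the task sequence.
    # Returns $true only when the volume is protected with the expected method.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)]
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$Expected
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $actual = "$($vol.EncryptionMethod)"
    if ($actual -ne $Expected) {
        # The method is fixed when encryption starts; changing it later
        # means decrypting and re-encrypting the volume.
        Write-Warning "$MountPoint uses '$actual', expected '$Expected'"
        return $false
    }
    return $true
}

# Before the pre-provision step (WinPE):
#   Set-PreProvisionEncryptionMethod -Method Aes256
# After OSD completes (full OS); fail the step if the method is wrong:
#   if (-not (Test-VolumeEncryptionMethod -Expected Aes256)) { exit 1 }
```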


Updating status to completed, see https://docs.microsoft.com/en-us/mem/configmgr/core/understand/find-help#send-a-suggestion for an explanation of each status value.
The opt-in phase of our 2006 release (fast ring) is now live. Customers can opt in and then download 2006 through their Admin Console now.
Blog: https://techcommunity.microsoft.com/t5/configuration-manager-blog/update-2006-for-microsoft-endpoint-configuration-manager-current/ba-p/1569562
Docs: https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006
Support Information: https://aka.ms/cmcssreleaseinfo
3 comments
-
Niall C. Brady commented
To add to this we'd like to see all encryption options available in BitLocker Management today added in this step via a drop down type of scenario (or radio buttons) so you could match the bitlocker management policy deployed to your clients and have the computers compliant once OSD completes.
-
Nathan Blasac commented
Also, the ability to select between used space only and full disk would be excellent.
-
Doug commented
Currently in OSD you cannot, without an additional step, set non-defaults for encryption. Please add options for the OSD steps pre provision or enable BitLocker to have options for non-default encryption like XTS-AES 256.