Bitlocker Hardware Encryption Won't Enable on a .wim Image

    Question

  • Bitlocker hardware encryption with edrive won't enable to a myimage.wim image.

    It goes directly to software encryption.

    It worked once using Macrium reflect, but never again.

    I used the MS recommended way to apply it to an image and that reverts to software encryption too!

    I am using an Intel Pro 2500 series SSD drive. Hardware encryption works on a fresh DVD install test.

    I then do the following:

    1. I clear the TPM in BitLocker, in BIOS too, and turn off BitLocker.

    2. Boot using a PE drive and DISKPART the drive with the clean command

    3. Use the Intel SSD tools to remove OPAL activation with a -psid_revert

    (I have tried reversing steps 2 and 3 too)

    4. Do a fresh 8.1 PRO install

    5. With no updating or anything I use sysprep to OOBE and generalize with a shutdown

    6. Boot to the PE drive and use dism to apply the Capture-Image script

    7. Use DISKPART to clean the drive

    (have even used a brand new drive too)

    8. Use CreatePartitions-UEFI.txt script to create the partitions

    9. Use ApplyImage.bat script to apply the .wim image

    10. Start the OS

    11. Turn BitLocker on and it reverts right to software encryption

    WHAT AM I DOING WRONG? AM I DOING ANYTHING WRONG?

    Here is how to do it right out of the TechNet article "Encrypted Hard Drive" https://technet.microsoft.com/en-us/library/hh831627.aspx

    Disk Duplication: This deployment method involves use of a previously configured Windows 8 or Windows Server 2012 image and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using Windows 8 or Windows Server 2012 setup tools for this configuration to work. Images made using disk duplicators will not work.

    • Edited by Bitchlocker Tuesday, February 2, 2016 11:59 PM
    Tuesday, February 2, 2016 11:56 PM

Answers

  • I solved my own issue with no help from Microsoft. In fact, if you follow their directions, and use their tools, you will never be able to image multiple computers with BitLocker hardware encryption.

    Solution:

    1. Set up a Windows 8.1 Pro system the way you want.

    2. Create an image with Macrium Reflect.

    3. On an edrive enabled OPAL 2.0 SSD drive do a fresh install with an 8.1 Pro DVD. Use this key for installing: XHQ8N-C3MCJ-RQXB6-WCHYG-C9WKB

    4. Turn on Bitlocker which will automatically go to hardware encryption. Save the key of course.

    5. Suspend BitLocker

    6. Apply the image you created using Macrium Reflect and overwrite the existing BitLocker suspended image.

    When it restarts your image will be encrypted with BitLocker hardware encryption.

    Repeat 3 - 6 for each machine.

    I was unsuccessful at Sysprepping the Macrium image before applying.

    Sysprep can be done after it's all done, I think. I haven't tried that yet.

    I suppose you can delete the user, rename the computer, and activate Windows after-the-fact.

    If you follow Microsoft's "Disk Duplication" procedure you will never be able to accomplish BitLocker hardware encryption to the imaged machine.

    You can't "apply" a Windows Image without "partitioned using Windows 8 setup tools for this configuration to work" first.

    The Create-Partitions-UEFI.txt script will clean the drive, which guarantees automatic failure after using "ApplyImage.bat".

    You will never be able to enable BitLocker hardware encryption the Microsoft way.

    Wednesday, February 3, 2016 11:46 PM
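Both the question's step 11 and the answer's steps 4 and 5 hinge on one fact that is easy to get wrong silently: whether the OS volume actually landed on eDrive (hardware) encryption or fell back to software AES. The script below is an added example, not something posted in the thread or part of Microsoft's deployment scripts. It reads the volume state through the BitLocker PowerShell module that ships with Windows 8.1 Pro and later, reports the encryption method, warns if no recovery-password protector has been created ("save the key of course"), and, when asked, performs the suspend step before the image is written. The mount point `C:` and the switch name `-SuspendForImaging` are assumptions for this example. Note that later Windows releases changed the default so that BitLocker prefers software encryption on self-encrypting drives unless Group Policy opts in, so on a newer build the check can legitimately report software encryption even when the drive is OPAL-capable.

```powershell
# Added example: verify the BitLocker mode of the OS volume after imaging and
# optionally suspend protection before re-imaging (step 5 of the solution).
# Run from an elevated PowerShell session. Mount point is an assumption.

param(
    [string]$MountPoint = 'C:',
    [switch]$SuspendForImaging
)

Import-Module BitLocker -ErrorAction Stop

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# EncryptionMethod is 'Hardware' only when BitLocker delegated to the
# eDrive/OPAL controller; any AES/XTS value means it fell back to software.
$isHardware = ($vol.EncryptionMethod -eq 'Hardware')

# Same information manage-bde -status prints, as an object for scripting.
[pscustomobject]@{
    MountPoint         = $vol.MountPoint
    VolumeStatus       = $vol.VolumeStatus
    ProtectionStatus   = $vol.ProtectionStatus
    EncryptionMethod   = $vol.EncryptionMethod
    HardwareEncryption = $isHardware
    KeyProtectors      = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
}

if (-not $isHardware) {
    Write-Warning ("{0} is using software encryption ({1}); eDrive was not engaged." -f
        $MountPoint, $vol.EncryptionMethod)
}

# Confirm a recovery password exists before touching the volume; without one,
# a failed image write or a changed TPM measurement locks you out.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector on $MountPoint; back one up before imaging."
}

if ($SuspendForImaging -and $isHardware) {
    # Suspend rather than disable: the drive stays hardware-encrypted and
    # unlocked while the image is applied. RebootCount 0 keeps protection
    # suspended until Resume-BitLocker is run explicitly.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Write-Output "BitLocker suspended on $MountPoint; apply the image now, then run Resume-BitLocker."
}
```

Run it once right after enabling BitLocker on the fresh install to confirm `EncryptionMethod` reads `Hardware`, and again after the imaged system boots; if the second run shows an AES method, the image step, not the drive, is where the fallback happened.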

All replies

  • Hi,

    Your solution is very helpful to me. Thank you for your sharing.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, February 10, 2016 10:11 AM
    Moderator