Bitlocker Full disk during Windows 8 task sequence

  • Question

  • I have a Windows 8 task sequence that is very similar to our Windows 7 task sequence; however, after it completes the imaging process the drive is not fully encrypted, it says Used Space Only Encrypted. I have added the following registry entries prior to the encryption process and still get Used Space Only:

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod  /t REG_DWORD /d 4 /f

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType  /t REG_DWORD /d 1 /f

    I have applied the WIM manually, set up the BitLocker partition and ran manage-bde -on c: /s, and it fully encrypts without issue.

    Any advice or assistance with getting the disk to fully encrypt during a task sequence would be much appreciated. 

    Thanks.


    James Snarey

    Friday, May 3, 2013 1:35 PM

Answers

  • Solved the issue. In order to fix this we needed to disable the built-in Enable BitLocker task and run manage-bde to enable BitLocker after setting all our specific settings in the task sequence. We have tested several machines and it is now encrypting the full disk instead of used space only.

    Thanks for everyone's suggestions and comments. 

     

    James Snarey

    • Marked as answer by James Snarey Tuesday, May 14, 2013 3:22 PM
    Tuesday, May 14, 2013 3:22 PM
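An added example (not the poster's own script) of what the accepted answer describes: a PowerShell step, run in place of the built-in Enable BitLocker task, that writes the same FVE policy values as the reg add commands in the question, calls manage-bde -on without -UsedSpaceOnly, and then checks how the volume is actually being converted. The $OsDrive and $FvePolicy names and the WMI EncryptionFlags verification are my assumptions; the thread itself only says it ran manage-bde.

```powershell
# Added example for this thread (not the poster's script): a task-sequence step
# that replaces the built-in "Enable BitLocker" step with a direct manage-bde
# call so the OS volume is fully encrypted rather than Used Space Only.
# Assumptions: the OS volume is C:, an earlier step has already taken ownership
# of the TPM, and this runs in the full OS (not WinPE) with administrative rights.
$ErrorActionPreference = 'Stop'
$OsDrive   = 'C:'
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Write the same policy values the thread's reg add commands set.
#    EncryptionMethod: 1 = AES-128 + diffuser, 2 = AES-256 + diffuser,
#                      3 = AES-128, 4 = AES-256
#    OSEncryptionType: 1 = Full encryption, 2 = Used Space Only encryption
New-Item -Path $FvePolicy -Force | Out-Null
Set-ItemProperty -Path $FvePolicy -Name EncryptionMethod -Type DWord -Value 4
Set-ItemProperty -Path $FvePolicy -Name OSEncryptionType -Type DWord -Value 1

# Read the value back so a typo in the policy path fails loudly here, not as a
# silently used-space-only volume discovered after the image is deployed.
$applied = Get-ItemProperty -Path $FvePolicy
if ($applied.OSEncryptionType -ne 1) {
    throw "OSEncryptionType is $($applied.OSEncryptionType); expected 1 (Full)"
}

# 2. Turn BitLocker on. No -UsedSpaceOnly switch is passed, so manage-bde follows
#    the policy above and encrypts the whole volume. -RecoveryPassword adds a
#    numerical recovery password alongside the default TPM protector for an OS
#    volume; -SkipHardwareTest is the long form of the -s switch used in the thread.
manage-bde -on $OsDrive -RecoveryPassword -SkipHardwareTest
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on $OsDrive failed with exit code $LASTEXITCODE"
}

# 3. Verify the conversion type rather than trusting that the step succeeded.
#    Win32_EncryptableVolume.GetConversionStatus returns EncryptionFlags
#    (Windows 8 and later); bit 0x1 set means data-only (Used Space Only)
#    encryption. This check is an addition of this example, not from the thread.
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
$conv = $vol.GetConversionStatus()
if ($conv.ReturnValue -ne 0) {
    throw ("GetConversionStatus failed: 0x{0:X8}" -f $conv.ReturnValue)
}
if ($conv.EncryptionFlags -band 0x1) {
    throw "$OsDrive is being encrypted Used Space Only; the FVE policy did not take effect"
}
Write-Output ("{0}: conversion {1}% complete, full-volume encryption confirmed" -f $OsDrive, $conv.EncryptionPercentage)
```

Run this as a Run PowerShell Script step (or wrap it in a Run Command Line step) at the point where the built-in Enable BitLocker step used to sit, with that step disabled. The read-back of OSEncryptionType matters because manage-bde reads the policy only at the moment -on is issued; if a later GPO refresh flips the value, already-running conversions are not changed, so the check has to happen in the task sequence, not at first logon.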

All replies

  • I think that's "by design", it makes the encryption process much faster during OSD. It's a new feature.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Friday, May 3, 2013 1:56 PM
  • I agree, it's a great new feature; however, trying to explain to our security department that the drive is fully encrypted, but unused parts of the drive are not encrypted... is a tough sell.

    Do you know if there is any documentation that will help sell my case that this is acceptable/secure?

    Some are hesitant because the whole drive is not encrypted, I tried to explain that the space with sensitive data is encrypted.

    Thanks


    James Snarey


    Friday, May 3, 2013 2:06 PM
  • Thanks for your response, John.

    James Snarey

    Friday, May 3, 2013 2:10 PM
  • What you are seeing is called pre-provisioning of BitLocker, where only the used space is BitLockered. You can change this behaviour to force the whole drive to be encrypted using a GPO, see here:

    New Group Policy settings for encryption type

    You can use Group Policy settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Group Policy settings for BitLocker Drive Encryption are located under the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path of Group Policy Editor, Computer Policy and Domain Computer Policy.

    cheers

    niall.



    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

    • Proposed as answer by John Marcum Friday, May 3, 2013 4:54 PM
    Friday, May 3, 2013 2:46 PM
    Moderator
  • Is there another way to do this without pre-provisioning BitLocker?

    James Snarey

    Friday, May 3, 2013 4:56 PM
  • Thanks for your comments, Niall.

    When does the task check the GPO? From what I have read, it can't check Group Policy during the task, and that happens when the user logs in for the first time. Am I missing something?

    Another suggestion I received was to set the encryption for the machine in local policy before capturing the WIM.  I made the change, captured the WIM and I am still getting used space only encryption.



    James Snarey

    Monday, May 13, 2013 3:31 PM
  • Is there another way to do this without pre-provisioning BitLocker?

    James Snarey

    Simply disable the step in the task sequence near the format and partitioning section.

    My Personal Blog: http://madluka.wordpress.com

    Monday, May 13, 2013 4:34 PM
  • I am not using pre-provisioning and by default used space encryption is being used, my question is how to force full drive encryption during the task sequence? 

    James Snarey

    Monday, May 13, 2013 6:29 PM