Config Mangler, posted February 25, 2013:

We have a requirement to set AES-256 cipher strength for Windows 8. In my Windows 7 TS I use this command to set it to 256-bit before the Enable BitLocker step:

reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f

This works fine in Windows 7, but Windows 8 ignores the same command and defaults to 128-bit. If I decrypt the drive, set the reg key and manually run BitLocker, it encrypts as 256-bit. So the key does work, but not inside the task sequence. I may have to log this with Microsoft, but any ideas before I do?
anyweb, posted February 25, 2013:

The Diffuser option is no longer available to be added to the Advanced Encryption Standard (AES) encryption algorithm for Windows 8, so are you trying to select the diffuser option? The command you've posted above should work OK. Have you verified that the reg key exists after deployment?
Config Mangler, posted February 25, 2013:

Thanks. Unfortunately the EncryptionMethod /d 4 value is just plain 256-bit, which is what I should be getting. I'm not 1000% sure the key is set during the build, so I'd better do another one to confirm, but the TS certainly doesn't fail.
Config Mangler, posted February 26, 2013:

Yes, the key is created during the build but is ignored in the TS. Looks like a call to Microsoft.
anyweb, posted February 26, 2013:

What does manage-bde -status say (in an administrative command prompt)? Have you checked that you don't have some GPO overriding the step?
Config Mangler, posted February 26, 2013:

"manage-bde" says it's AES-128. My understanding is that group policy is locked out during deployment, hence why we need to use the reg key to change the encryption level to AES-256. So after the TS I am left with an AES-128 encrypted drive; if I decrypt and re-encrypt without changing anything, it sees the registry key and does 256-bit.
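A post-deployment check, added here as an example and not code from either poster: it reads the EncryptionMethod policy value discussed in the thread, parses the "Encryption Method" line from manage-bde -status, and exits non-zero when the volume's cipher does not match the policy, so a task-sequence step built on it fails instead of silently leaving an AES-128 drive. It assumes the OS volume is C:, that it runs in the full OS with administrative rights, and that EncryptionMethod uses the Windows 7 policy values (1 = AES 128 with Diffuser, 2 = AES 256 with Diffuser, 3 = AES 128, 4 = AES 256).

```powershell
# Compare the BitLocker cipher actually in use on a volume with the FVE policy key.
# Added example; assumes the full OS (not WinPE) and an elevated prompt.
param([string]$Drive = 'C:')   # assumption: the OS volume is C:

# Values of HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod as written by the
# Windows 7 "Choose drive encryption method and cipher strength" policy.
$methodNames = @{
    1 = 'AES 128 with Diffuser'
    2 = 'AES 256 with Diffuser'
    3 = 'AES 128'
    4 = 'AES 256'
}

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fveKey -Name EncryptionMethod -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No EncryptionMethod value under $fveKey; BitLocker will use its default."
    $expected = 'AES 128'
} else {
    $expected = $methodNames[[int]$policy.EncryptionMethod]
    if (-not $expected) {
        Write-Warning "Unrecognised EncryptionMethod value $($policy.EncryptionMethod)"
        $expected = 'unknown'
    }
}

# manage-bde -status prints one "Encryption Method: <cipher>" line per volume.
$status = & manage-bde -status $Drive 2>&1
$line = $status | Where-Object { $_ -match 'Encryption Method:' } | Select-Object -First 1
if (-not $line -or -not ($line -match 'Encryption Method:\s*(.+)$')) {
    Write-Error "Could not read the encryption method for $Drive from manage-bde"
    exit 2
}
$actual = $Matches[1].Trim()

# Normalise spacing/case so "AES 256" and "AES256" compare equal.
$norm = { param($s) ($s -replace '\s', '').ToLowerInvariant() }
Write-Output "Policy expects: $expected"
Write-Output "Volume $Drive uses: $actual"
if ((& $norm $expected) -ne (& $norm $actual)) {
    Write-Error "Cipher mismatch on $Drive (policy '$expected', volume '$actual')"
    exit 1   # non-zero so a task-sequence step running this script fails visibly
}
exit 0
```

Run it as a step after Enable BitLocker; a mismatch stops the sequence at the point where the registry value was ignored rather than at the end of the build.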
anyweb, posted February 28, 2013:

Well, I'm deploying Windows 8 just fine with 256 AES using the CM12 BitLocker HTA. Take a look at that task sequence; maybe it will give you some ideas.