Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker for Windows 7.

With WinPE 10, the steps below use the AES-CBC 128-bit encryption method.

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1. Set EncryptionMethodWithXtsFdv: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128-bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

Enable BitLocker on Azure AD Joined Windows 10 Device

Windows 10 devices will automatically encrypt the local drive when joining Azure Active Directory (AAD). The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like a mobile phone: almost switched off, yet still able to receive text messages and e-mails and to wake into a different power state when a call comes in.

How do you check this?

Open a command prompt and run powercfg /a

Devices that have InstantGo support will return "Network Connected":


Where do I find the recovery key?

Users can retrieve their recovery key by going to, selecting Devices and then selecting the device for which they want the recovery key:


@ Microsoft Cloud & Infrastructure User Group

Went to the Microsoft Cloud & Infrastructure User Group this evening. First timer to this social hub. Free pizza and beer is a good start.

The group covered:
– Office 365 Groups
– Delve insight. Soon available on Android and iOS
– SharePoint Server 2016
– Support for non-Office documents
– Patching with a smaller footprint and zero downtime
– No Foundation 2016 or SharePoint Designer 2016
– Durable content link. No more missing documents
– Cloud search service application. Cloud content appears in on-premises searches
– Creating a Microsite demo
– Windows 10 for Business
– Windows Update for Business
– Windows 10 Desktop Editions; Home, Pro and Enterprise
– Installed OS has a smaller footprint than Windows 8.1
– Nano Server; no GUI, 64-bit only, CloudOS infrastructure, zero footprint, all roles, features and driver support have to be imported, managed with PS, DSC and WMI. Improved servicing, fewer open ports, drivers and services running. 40 seconds to deploy. Disk footprint 400 MB (SD card).
– Windows Server 2016; Storage Spaces Direct, four nodes required.
– Hyper-V 2016; Shielded VMs using TPM and BitLocker-enabled guests. Linux Secure Boot. PowerShell Direct. Hot add memory and NICs.
– System Center 2016; supports Windows 10. Allows direct management of Windows 10 devices with MDM. Allows ConfigMgr on virtual machines and in the cloud.

Plug: New Zealand Ignite 1 – 4 September 2015 @ SkyCity

Decrypt Drive Then Wait Till Complete

I need to decrypt the D drive on devices performing a REFRESH task sequence. It is one thing to decrypt it, and another to wait till it has finished. This script will wait till the whole drive is decrypted.

I modified the PowerShell script from and it performed perfectly.

Find and replace C: with the drive letter you need to decrypt, then add the script to the task sequence.

Here is the script in case the page disappears:

$ComputerName = "."
$Drive = "C:"    # find and replace C: with the drive letter to decrypt
$WmiArgs = @{
    Namespace    = 'root\CIMv2\Security\MicrosoftVolumeEncryption'
    Class        = 'Win32_EncryptableVolume'
    ComputerName = $ComputerName
    Filter       = "DriveLetter='$Drive'"
}
$BitLockerDrive = Get-WmiObject @WmiArgs
$Status = $BitLockerDrive.GetConversionStatus()
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 3 = decryption in progress
if ($Status.ConversionStatus -eq 0) {
    Write-Host "$Drive is already decrypted"
}
elseif ($Status.ConversionStatus -eq 1) {
    & manage-bde.exe -off $Drive
    Start-Sleep 3
    # Poll every 15 seconds until the volume reports fully decrypted
    do {
        $BitLockerDrive = Get-WmiObject @WmiArgs
        $Status = $BitLockerDrive.GetConversionStatus()
        Start-Sleep 15
    } until ($Status.ConversionStatus -eq 0)
    Write-Host "$Drive decryption complete"
}

Delegated Permissions to use BitLocker Recovery Password Viewer

So you need to give a group of users the ability to use BitLocker Recovery Password Viewer in AD Users & Computers without them being Domain Admin?

From TechNet: To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.

Hmm, ok how do I delegate permissions?

  1. Create a security group called BitLocker Recovery Password Viewer.
  2. Add members to the group (for example, add Helpdesk staff members).
  3. Create another security group called BitLocker TPM Owners.

Please Note: To separate the privileges of reading BitLocker and TPM recovery information, create a different user group that can access TPM owner information. Note that Helpdesk personnel who need access to BitLocker recovery passwords will not typically need access to TPM owner information.

  4. Assign control access and read property permissions to the groups. This is done by running the attached scripts.

Please Note: Change the first line of each script if you created a user group with a different name.

  5. Save each sample script in a VBScript file. For example: DelegateBitLocker.vbs and DelegateBitLockerTPMOwners.vbs.
  6. Open an elevated Command Prompt window: click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.
  7. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  8. At the command prompt, run the two scripts. Example: cscript DelegateBitLocker.vbs
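The attached TechNet scripts are not reproduced on this page. As an added example (my code, not Microsoft's scripts), the PowerShell below grants the same control access and read property rights to the viewer group, scoped to msFVE-RecoveryInformation objects only, and then reads the domain ACL back to verify the ACE landed. It assumes the ActiveDirectory RSAT module is installed and the group from step 1 already exists; the TPM owners group is not covered.

```powershell
# Added example (not the TechNet scripts the post refers to): a PowerShell
# equivalent of "assign control access and read property permissions" that
# lets one group read msFVE-RecoveryInformation objects anywhere in the domain.
# Assumes the ActiveDirectory module (RSAT) and that the group already exists.
Import-Module ActiveDirectory

function Get-FveRecoveryInfoClassGuid {
    # Read the class GUID from the schema rather than hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msFVE-RecoveryInformation))'
    [guid]$class.schemaIDGUID
}

function Grant-BitLockerRecoveryRead {
    param([Parameter(Mandatory)][string]$GroupName)
    $sid    = (Get-ADGroup -Identity $GroupName).SID
    # ExtendedRight is what the ACL editor labels "Control Access".
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
    # Descendents plus an inherited object type scope the ACE to recovery
    # objects only; the group gains nothing on the domain root or computer accounts.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-FveRecoveryInfoClassGuid))
    $path = "AD:\$((Get-ADDomain).DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-BitLockerRecoveryRead {
    # Read the domain ACL back and confirm the scoped ACE is present.
    param([Parameter(Mandatory)][string]$GroupName)
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $guid  = Get-FveRecoveryInfoClassGuid
    $acl   = Get-Acl -Path "AD:\$((Get-ADDomain).DistinguishedName)"
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.InheritedObjectType -eq $guid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    })
}

# Run once as a domain admin; Test-BitLockerRecoveryRead returns True when the ACE is in place.
Grant-BitLockerRecoveryRead -GroupName 'BitLocker Recovery Password Viewer'
Test-BitLockerRecoveryRead  -GroupName 'BitLocker Recovery Password Viewer'
```

Because the ACE is inherited only by msFVE-RecoveryInformation objects, the Helpdesk group can read recovery passwords in the Recovery Password Viewer without gaining any extra rights on the computer accounts themselves.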