Last Monday we upgraded our SCCM environment from 2012 R2 to 1610. Earlier we did the same upgrade in our test environment and didn’t have any problems at all. Unfortunately, our test environment only has one active laptop, and we never thought to test the task sequence on this laptop.
After the production upgrade we found that all task sequences worked without issues, except for our laptops: after the step “Pre-Provision BitLocker” our Windows image is applied and Windows setup should start, only it doesn’t. It throws an error saying something like this:
The operating system couldn’t be loaded because the Bitlocker key required to unlock the volume wasn’t loaded correctly.
Being a lazy admin, I googled the symptoms and of course I wasn’t the first one to get this error. In short, with the upgrade of SCCM we also upgraded the ADK from 8.1 to 10. Since ADK 10, Microsoft has raised the default encryption method that is used for BitLocker. Since Windows 7 does not support this method, the setup fails.
Probably the best write-up about this issue can be found on the Configuration Manager OSD Support Team Blog.
You will find that the resolution seems simple: add a registry value just before the Pre-Provision BitLocker step, and the encryption method should be compatible with Windows 7. Of course this didn’t work. Well, it did, but it created another problem: the error message disappeared, but Windows setup was still installing devices after a couple of hours, so we cancelled it.
The encryption method that is recommended by the blog post mentioned earlier is AES_128, set by the following command:
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 3 /f
I found an article, closed it and forgot where it was, but I found a reference somewhere that for Windows 7 the default encryption method was AES_128_WITH_DIFFUSER, whose registry value is 1. So we tried that and lo and behold: it works.
So if you’re experiencing these issues and tried the value of 3, try a value of 1. Or upgrade to Windows 10 CB.
We used this:
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 1 /f
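For anyone who would rather have the task sequence verify the setting than trust a one-liner, here is an added PowerShell version of the same step. It is not code from the original post or from the Configuration Manager support blog; it assumes it runs as a “Run Command Line” step in the WinPE phase, just before Pre-Provision BitLocker, in a boot image that has the PowerShell optional component. It writes the policy value, reads it back, decodes the two values discussed above (1 and 3), and fails the step with a non-zero exit code if the value did not stick.

```powershell
# Added example (not the original post's command): set and verify the BitLocker
# policy value that the Pre-Provision BitLocker step honours.
# Assumption: runs in WinPE before Pre-Provision BitLocker, with PowerShell in the boot image.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Only the two values the post talks about; anything else is reported as 'unknown'.
$EncryptionMethodNames = @{
    1 = 'AES_128_WITH_DIFFUSER'   # Windows 7 default, the value that worked for us
    3 = 'AES_128'                 # value recommended by the support-team blog
}

function Get-FveEncryptionMethod {
    # Returns the current EncryptionMethod policy value, or $null when it is not set
    # (in which case the ADK default applies).
    $item = Get-ItemProperty -Path $FvePolicyPath -Name EncryptionMethod -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EncryptionMethod
}

function Format-FveEncryptionMethod {
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return 'not set (ADK default applies)' }
    $name = $EncryptionMethodNames[[int]$Value]
    if (-not $name) { $name = 'unknown' }
    return "$Value ($name)"
}

function Set-FveEncryptionMethod {
    param([Parameter(Mandatory)][int]$Method)
    # Create the policy key if it does not exist yet (it usually does not in WinPE).
    if (-not (Test-Path $FvePolicyPath)) {
        New-Item -Path $FvePolicyPath -Force | Out-Null
    }
    # Equivalent of: reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d <n> /f
    New-ItemProperty -Path $FvePolicyPath -Name EncryptionMethod -PropertyType DWord -Value $Method -Force | Out-Null
    # Read it back so a silent failure does not reach the Pre-Provision BitLocker step.
    $actual = Get-FveEncryptionMethod
    if ($actual -ne $Method) {
        throw "EncryptionMethod is $(Format-FveEncryptionMethod $actual), expected $Method"
    }
    return $actual
}

try {
    Write-Output ("Before: {0}" -f (Format-FveEncryptionMethod (Get-FveEncryptionMethod)))
    $after = Set-FveEncryptionMethod -Method 1
    Write-Output ("After:  {0}" -f (Format-FveEncryptionMethod $after))
    exit 0
}
catch {
    # A non-zero exit code makes the task sequence fail here, with the reason in smsts.log,
    # instead of failing later with the "BitLocker key ... wasn't loaded correctly" boot error.
    Write-Output "ERROR: $_"
    exit 1
}
```

Run it as `powershell.exe -ExecutionPolicy Bypass -File Set-FveEncryptionMethod.ps1` (the file name is our choice) in the step, and swap the `-Method 1` for `-Method 3` if you want to test the blog's recommended value first; the before/after lines end up in smsts.log, which is where you will be looking anyway when a deployment hangs.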