Initiate BitLocker in Task Sequence using FIPS encryption
At the end of our Windows 7 O/S deployment, we are attempting to initiate a BitLocker encryption using FIPS compliant algorithms. In order to do this, the FIPS setting is required in group policy at: Computer Baseline -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> System Cryptography: use FIPS. However, during the task sequence, group policy is not applied, and so when the BitLocker encryption is initiated, the encryption is to a non-FIPS compliant algorithm and incorrect key protectors are used. Does anyone know how I can apply this required group policy setting whilst within the task sequence, or does anyone have any other ideas as to how I can achieve this? Best Regards, Steve Phillips
September 13th, 2011 7:03pm

How about applying a local group policy during the TS or directly setting the registry value: http://support.microsoft.com/kb/811833
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
September 13th, 2011 9:23pm

Perhaps this is a solution: http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx Regards, Nicolai
September 13th, 2011 10:45pm

Many thanks for the suggestions. I added a task sequence step to set the required registry key:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled /t REG_DWORD /d 1 /f

and added an additional task sequence step to interrogate the registry setting, by way of verification:

    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled

and followed these with the Enable BitLocker task sequence step. However, even after these steps, BitLocker will not initiate the encryption using the FIPS compliant encryption method and key protectors (i.e. AES-256 and Data Recovery Agent key protectors). Examining the task sequence log, I find that the registry keys have been set properly, as can be seen from this task sequence log segment:

    Executing command line: smsswd.exe /run: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled
    =======================[ smsswd.exe ] =======================
    PackageID = ''
    BaseVar = '', ContinueOnError=''
    SwdAction = '0001'
    Set command line: Run command line
    Working dir 'not set'
    Executing command line: Run command line
    Process completed with exit code 0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
        Enabled    REG_DWORD    0x1
    Command line returned 0
    Process completed with exit code 0

I am at a loss as to why this is not working as expected, so any further assistance would be greatly appreciated. Best Regards, Steve Phillips
September 16th, 2011 4:52pm

Perhaps you can resolve this by looking at http://social.technet.microsoft.com/wiki/contents/articles/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx

This article explains how to change the default encryption method by creating the key:

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d X /f

where X is the variable for the required encryption method. The article explains methods 2, 3, and 4, meaning 256-bit with Diffuser, 128-bit and 256-bit encryption. Assuming that value 1 represents 128-bit with Diffuser, you could test with value 5 and higher and see if you find the encryption that you are looking for. Regards, Daniel
October 22nd, 2011 8:19am
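As an added example (not code from this thread or from ConfigMgr), the following PowerShell script combines the two approaches discussed above: it writes the FipsAlgorithmPolicy and FVE EncryptionMethod values before the Enable BitLocker step, and afterwards asks BitLocker itself (via the Win32_EncryptableVolume WMI class) which encryption method and key protector types the volume actually received, since the thread shows the registry query alone passing while the result was still wrong. The script name Set-FipsBitLocker.ps1, the drive letter C:, and running it elevated from a Run Command Line step in the full OS phase are assumptions.

```powershell
# Set-FipsBitLocker.ps1 (assumed name, added example): run as two task sequence steps,
#   -Mode Set    before the Enable BitLocker step
#   -Mode Verify after the Enable BitLocker step
# EncryptionMethod values follow the FVE policy numbering quoted in the thread
# (1 = AES-128+Diffuser, 2 = AES-256+Diffuser, 3 = AES-128, 4 = AES-256).
param(
    [ValidateSet('Set','Verify')][string]$Mode = 'Set',
    [ValidateSet(1,2,3,4)][int]$EncryptionMethod = 4,
    [string]$Drive = 'C:'
)
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

if ($Mode -eq 'Set') {
    # Same effect as the reg add commands posted above, via the registry provider.
    New-Item -Path $fveKey -Force | Out-Null
    Set-ItemProperty -Path $fipsKey -Name Enabled -Type DWord -Value 1
    Set-ItemProperty -Path $fveKey -Name EncryptionMethod -Type DWord -Value $EncryptionMethod
    # Read both values back and fail the step (non-zero exit) if either is wrong, so the
    # sequence stops before encrypting with the non-FIPS defaults.
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled).Enabled
    $meth = (Get-ItemProperty -Path $fveKey -Name EncryptionMethod).EncryptionMethod
    if ($fips -ne 1 -or $meth -ne $EncryptionMethod) {
        Write-Error "Policy not applied: FipsAlgorithmPolicy\Enabled=$fips EncryptionMethod=$meth"
        exit 1
    }
    Write-Output "Policy applied: FIPS=1 EncryptionMethod=$meth"
    exit 0
}

# Verify mode: query the volume's real state rather than trusting the registry alone.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { Write-Error "No encryptable volume found for $Drive"; exit 1 }
$actual = $vol.GetEncryptionMethod().EncryptionMethod
# Collect the protector types present; type 7 is a public key (certificate/DRA) protector.
$types = @()
foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $types += $vol.GetKeyProtectorType($id).KeyProtectorType
}
Write-Output "Volume $Drive EncryptionMethod=$actual KeyProtectorTypes=$($types -join ',')"
if ($actual -ne $EncryptionMethod) {
    Write-Error "Expected EncryptionMethod $EncryptionMethod but volume reports $actual"
    exit 1
}
if ($types -notcontains 7) { Write-Warning "No certificate/DRA key protector found on $Drive" }
exit 0
```

The Verify step's exit code makes a mismatch visible in smsts.log instead of only discovering it later when auditing encrypted machines.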
