Initiate BitLocker in Task Sequence using FIPS encryption
At the end of our Windows 7 O/S deployment, we are attempting to initiate a BitLocker encryption using FIPS compliant algorithms. In order to do this, the FIPS setting is required in group policy at:
Computer Baseline -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> System Cryptography: use FIPS.
However, during the task sequence, group policy is not applied, and so when the BitLocker encryption is initiated, the encryption is to a non-FIPS compliant algorithm and incorrect key protectors are used.
Does anyone know how I can apply this required group policy setting whilst within the task sequence, or does anyone have any other ideas as to how I can achieve this?
Best Regards,
Steve Phillips
September 13th, 2011 7:03pm
How about applying a local group policy during the TS or directly setting the registry value:
http://support.microsoft.com/kb/811833
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
September 13th, 2011 9:23pm
Perhaps this is a solution:
http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx
Regards,
Nicolai
September 13th, 2011 10:45pm
Many thanks for the suggestions.
I added a task sequence step to set the required registry key:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled /t REG_DWORD /d 1 /f
and added an additional task sequence step to interrogate the registry setting, by way of verification:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled
and followed these with the Enable BitLocker task sequence step.
However, even after these steps, BitLocker will not initiate the encryption using the FIPS compliant encryption method and key protectors (i.e. AES-256 and Data Recovery Agent key protectors).
Examining the task sequence log, I find that the registry keys have been set properly, as can be seen from this task sequence log segment:
Executing command line: smsswd.exe /run: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled
=======================[ smsswd.exe ] =======================
PackageID = ''
BaseVar = '', ContinueOnError=''
SwdAction = '0001'
Set command line: Run command line
Working dir 'not set'
Executing command line: Run command line
Process completed with exit code 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
Enabled REG_DWORD 0x1
Command line returned 0
Process completed with exit code 0
I am at a loss as to why this is not working as expected, so any further assistance would be greatly appreciated.
Best Regards,
Steve Phillips
September 16th, 2011 4:52pm
Perhaps you can resolve this by looking at
http://social.technet.microsoft.com/wiki/contents/articles/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx
This article explains how to change the default encryption method by creating the key:
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d X /f
Where X is the variable for the required encryption method.
The article explains methods 2, 3, and 4, meaning 256 bit with Diffuser, 128 bit and 256 bit encryption. Assuming that value 1 represents 128 with Diffuser, you could test with value 5 and higher and see if you find the encryption that you are looking for.
Regards,
Daniel
October 22nd, 2011 8:19am
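The two registry values suggested in this thread (Steve's FipsAlgorithmPolicy\Enabled and Daniel's FVE\EncryptionMethod) can be set and verified in a single "Run Command Line" step placed before the Enable BitLocker step. The script below is an added example, not code from the thread or from Microsoft; it assumes it runs with administrative rights in the full OS phase of the task sequence, and the $DesiredMethod value of 4 (AES 256, as named in Daniel's reply) is an assumed choice that you would change to the method you actually need. It exits non-zero when either value does not read back as expected, so the task sequence fails at this step instead of proceeding to encrypt with the wrong settings.

```powershell
# Added example: set and verify the FIPS policy and BitLocker encryption method
# registry values before the Enable BitLocker task sequence step.
# Assumptions: runs elevated in the full OS; $DesiredMethod is chosen by you.

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$FveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values named in the thread: 2 = AES 256 with Diffuser, 3 = AES 128, 4 = AES 256
$DesiredMethod = 4   # assumed choice for this example

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist yet, then write the DWORD value
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return the value, or $null if the key or value is missing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

Set-RegistryDword -Path $FipsKey -Name 'Enabled'          -Value 1
Set-RegistryDword -Path $FveKey  -Name 'EncryptionMethod' -Value $DesiredMethod

# Read both values back so the result is visible in smsts.log
$fips   = Get-RegistryDword -Path $FipsKey -Name 'Enabled'
$method = Get-RegistryDword -Path $FveKey  -Name 'EncryptionMethod'
Write-Output "FipsAlgorithmPolicy\Enabled = $fips"
Write-Output "FVE\EncryptionMethod        = $method"

# Fail the step so the task sequence stops before Enable BitLocker runs
# with settings other than the ones intended
if ($fips -ne 1 -or $method -ne $DesiredMethod) {
    Write-Output 'Verification failed; not proceeding to Enable BitLocker.'
    exit 1
}
exit 0
```

Run it from the task sequence as `powershell.exe -ExecutionPolicy Bypass -File <path to script>` so the default Restricted execution policy on Windows 7 does not block it, and leave "Continue on error" unchecked on that step so the non-zero exit code actually halts the sequence. As Steve's update above shows, a correct registry value alone did not change the encryption method in his case, so the verification output is a diagnostic aid rather than a guarantee that BitLocker will pick the settings up.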