I've read the forums and TechNet articles and was able to successfully enable Bitlocker (Used Space Only Encrypted) on Windows 8.1 PC's.  I used MDT 2013 (Setup up Bitlocker settings in the customsettings.ini) to pre-provision Bitlocker in WinPE 5.0 and then at the end of the MDT task sequence it enables bitlocker and sends the recovery key to AD.  Works great and avoids the hassle of waiting for the entire drive to encrypt.

We have Windows 7 PC's in our environment and using the same task sequence settings, appears to enable the Used Space Only encryption in WinPE however once the OS is installed and you check the Bitlocker Status (Manage-bde -status) it shows that the drive is Fully Encrypted.  Once the Task Sequence enables bitlocker, a recovery key is sent to AD successfully and protection is on. It appears to have the same result as with Windows 8.1 Computers however the conversion status reads "Fully Encrypted" versus "Used Disk Space Only". The Windows 7 PC's have a 500 GB Hard Drive and I know they would not fully encrypt that quickly.  Are these Windows 7 PC's using "Used Space Only" encryption but reporting "Fully Encrypted" because maybe Windows 7 doesn't know how to report used space only since it is a Windows 8 bitlocker feature?

Thanks.

Hi

Encrypt Used Disk Space Only is a new option which comes with Windows 8, unfortunately as far as I know this was only added in Windows 8 8.1 BitLocker and not supported by Windows 7.

I also checked with relevant GPOs, they all have At least Windows Server 2012 or Windows 8 on supported on comment.

Regards,

D. Wu

Hi

Encrypt Used Disk Space Only is a new option which comes with Windows 8, unfortunately as far as I know this was only added in Windows 8 8.1 BitLocker and not supported by Windows 7.

I also checked with relevant GPOs, they all have At least Windows Server 2012 or Windows 8 on supported comment.

Regards,

Hi

Encrypt Used Disk Space Only is a new option which comes with Windows 8, unfortunately as far as I know this was only added in Windows 8 8.1 BitLocker.

I also checked with relevant GPOs, they all have At least Windows Server 2012 or Windows 8 on supported comment.

Regards,

Do you happen to know why then when I pre-provision Bitlocker (For a Windows 7 PC) in WinPE 5.0 via MDT 2013, it shoes "Used Space Only Encrypted" via the "Manage-bde -status" command, however as soon as it installs the OS, if you run the same command it says it is "Fully Encrypted"?  I doubt a 500 GB drive is fully encrypted before the imaging task sequence even finishes, unless Windows 7 doesn't know how to interpret Used Space Only Encryption so it says fully encrypted.  I know it is only "Officially" supported in Windows 8, just was curious if it actually maybe worked though.

Do you happen to know why then when I pre-provision Bitlocker (For a Windows 7 PC) in WinPE 5.0 via MDT 2013, it shows "Used Space Only Encrypted" via the "Manage-bde -status" command, however as soon as it installs the OS, if you run the same command it says it is "Fully Encrypted"?  I doubt a 500 GB drive is fully encrypted before the imaging task sequence even finishes, unless Windows 7 doesn't know how to interpret Used Space Only Encryption so it says fully encrypted.  I know it is only "Officially" supported in Windows 8, just was curious if it actually maybe worked though.

• Edited by GoJohnnyRun 15 hours 21 minutes ago

Do you happen to know why then when I pre-provision Bitlocker (For a Windows 7 PC) in WinPE 5.0 via MDT 2013, it shows "Used Space Only Encrypted" via the "Manage-bde -status" command, however as soon as it installs the OS, if you run the same command it says it is "Fully Encrypted"?  I doubt a 500 GB drive is fully encrypted before the imaging task sequence even finishes, unless Windows 7 doesn't know how to interpret Used Space Only Encryption so it says fully encrypted.  I know it is only "Officially" supported in Windows 8, just was curious if it actually maybe worked though.

• Edited by GoJohnnyRun Thursday, May 28, 2015 4:03 PM

Do you happen to know why then when I pre-provision Bitlocker (For a Windows 7 PC) in WinPE 5.0 via MDT 2013, it shows "Used Space Only Encrypted" via the "Manage-bde -status" command, however as soon as it installs the OS, if you run the same command it says it is "Fully Encrypted"?  I doubt a 500 GB drive is fully encrypted before the imaging task sequence even finishes, unless Windows 7 doesn't know how to interpret Used Space Only Encryption so it says fully encrypted.  I know it is only "Officially" supported in Windows 8, just was curious if it actually maybe worked though.

• Edited by GoJohnnyRun Thursday, May 28, 2015 4:03 PM

That's because WinPE 5.0 is newer than win7. It's at the same level as win8.

But I wouldn't be sure what happens to the data that get's written by win7.

That is what I'm trying to find out, what happens to the data in Win 7 since manage-bde -status will say it is fully encrypted however I know that couldn't possibly be. My theory is that Windows 7 bitlocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption". If it walks like a duck, quacks like a duck...

• Edited by GoJohnnyRun 7 hours 18 minutes ago

That is what I'm trying to find out, what happens to the data in Win 7 since manage-bde -status will say it is fully encrypted however I know that couldn't possibly be. My theory is that Windows 7 bitlocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption". If it walks like a duck, quacks like a duck...

• Edited by GoJohnnyRun Thursday, May 28, 2015 12:06 AM

That is what I'm trying to find out, what happens to the data in Win 7 since manage-bde -status will say it is fully encrypted however I know that couldn't possibly be. My theory is that Windows 7 bitlocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption". If it walks like a duck, quacks like a duck...

• Edited by GoJohnnyRun Thursday, May 28, 2015 12:06 AM

"My theory is that Windows 7 bitlocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption"." - that's no theory, but for sure a fact.

You will need to find out if the data written by 7 is encrypted. I don't see a reason why it wouldn't. But you can only be sure if you take out a drive and use hex editing tools to look at the blocks and see if you can read data or not. Could also be done by windows2go.

I am pretty sure it works alright, though. Cannot imagine data not being written emncrypted then.

Yes, Windows 7 is supported and it is used space only it will encrypt all data written to the disk. For the other people who "replied" to this thread. Stop saying things that are not true.

Bitlocker Pre-Provisioning is fully supported with Windows 7 and later operating systems, the only way that you can encrypt used space only is Windows 8 WinPE or later but it is done all the time with Windows 7 running and data is encrypted.

Windows 7 is not "Used Space" aware so it only knows encrypted or not encrypted but it will write the data to the disk encrypted during the write operation using the FVE filter driver.

Yes, Windows 7 is supported and it is used space only it will encrypt all data written to the disk. For the other people who "replied" to this thread. Stop saying things that are not true.

Bitlocker Pre-Provisioning is fully supported with Windows 7 and later operating systems, the only way that you can encrypt used space only is Windows 8 WinPE or later but it is done all the time with Windows 7 running and data is encrypted.

Windows 7 is not "Used Space" aware so it only knows encrypted or not encrypted but it will write the data to the disk encrypted during the write operation using the FVE filter driver.

• Marked as answer by GoJohnnyRun 15 hours 49 minutes ago
• Unmarked as answer by GoJohnnyRun 15 hours 48 minutes ago
• Marked as answer by GoJohnnyRun 15 hours 48 minutes ago

Yes, Windows 7 is supported and it is used space only it will encrypt all data written to the disk. For the other people who "replied" to this thread. Stop saying things that are not true.

Bitlocker Pre-Provisioning is fully supported with Windows 7 and later operating systems, the only way that you can encrypt used space only is Windows 8 WinPE or later but it is done all the time with Windows 7 running and data is encrypted.

Windows 7 is not "Used Space" aware so it only knows encrypted or not encrypted but it will write the data to the disk encrypted during the write operation using the FVE filter driver.

• Marked as answer by GoJohnnyRun Monday, June 01, 2015 3:33 PM
• Unmarked as answer by GoJohnnyRun Monday, June 01, 2015 3:34 PM
• Marked as answer by GoJohnnyRun Monday, June 01, 2015 3:34 PM

tslayton_msft, I got one for you.

We once used drive snapshot to take an image of win8.1 - http://www.drivesnapshot.de/en/ - it is no sector copy but is done online. We restored that image and guess what? Manage-bde -status c: told us the volume is fully encrypted! (of course it wasn't). So the fve filter driver works in mixed state or whatever you might want to call what we saw there. (By the way: our error was that we forgot to suspend BL before imaging)

So although what he plans should work alright, I wouldn't be 100% sure.

Yes, Windows 7 is supported and it is used space only it will encrypt all data written to the disk. For the other people who "replied" to this thread. Stop saying things that are not true.

Bitlocker Pre-Provisioning is fully supported with Windows 7 and later operating systems, the only way that you can encrypt used space only is Windows 8 WinPE or later but it is done all the time with Windows 7 running and data is encrypted.

Windows 7 is not "Used Space" aware so it only knows encrypted or not encrypted but it will write the data to the disk encrypted during the write operation using the FVE filter driver.

Thank you tslayton_msft for your informative and to the point answer.  This confirms what we thought.