Automatic Bitlocker Encryption may interfere with ZCM FDE and Imaging Operations

  • 7023873
  • 13-May-2019
  • 14-May-2019

Environment

ZENworks Configuration Management
ZENworks Full Disk Encryption

Situation

By default, Windows 10 will attempt to automatically encrypt the boot device of any Windows device that has a TPM module enabled in the UEFI/BIOS.
 
ZCM FDE requires that any fixed disk encrypted with a third-party full disk encryption solution first be decrypted.
ZCM Imaging requires that the partitions of any fixed disk encrypted with full disk encryption (ZCM FDE or third-party) be deleted and re-created prior to image restore.
(Imaging scripts can automate this process.)
 
Important:
The device's boot drive may already be Bitlocker encrypted even when the Bitlocker control panel does not show Bitlocker as enabled.
The control panel will only show the drive as encrypted once the recovery key is successfully saved, which is the final step after the drive is encrypted.
 
This happens automatically for domain-joined PCs, but on non-domain-joined PCs the "Turn On Bitlocker" option must be selected to generate the key.
At that point the drive will show as Bitlocker enabled, even though it was already Bitlocker encrypted, just in an unrecoverable state.
 
Note: Systems with TPM 1.2 devices are not compatible with Bitlocker, which may cause the drive to encrypt but not generate a recovery key that would allow the drive to be decrypted.
The "Allow BitLocker without a compatible TPM" GPO setting should allow this key to be generated so that Bitlocker can then be disabled.

Resolution

The following key will prevent Windows from automatically encrypting the Boot Drive of a Windows device.

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Value: PreventDeviceEncryption
Type:  REG_DWORD
Data:  1

 
This registry value has no effect once Windows has already begun the Bitlocker encryption process.
Unless there is an explicit desire to automatically encrypt boot drives with Bitlocker, it is recommended to set this value in the image, so that it is present upon image deployment before Bitlocker can begin its process.
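The following PowerShell script is an added example and is not part of the original TID: it sets the registry value above (creating the BitLocker key if it is missing) and reports the boot drive's Bitlocker state so an administrator can see whether encryption has already started even though the control panel shows nothing. It assumes an elevated session and the Windows BitLocker PowerShell module (Get-BitLockerVolume).

```powershell
# Added example, not from the TID. Requires an elevated session and the
# BitLocker PowerShell module (Get-BitLockerVolume).

function Set-PreventDeviceEncryption {
    # Creates the BitLocker key if it does not exist and sets
    # PreventDeviceEncryption (REG_DWORD) = 1, as documented in the Resolution.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name 'PreventDeviceEncryption' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the stored value so the caller can confirm it took effect.
    (Get-ItemProperty -Path $keyPath -Name 'PreventDeviceEncryption').PreventDeviceEncryption
}

function Get-BootDriveBitLockerState {
    # Reports the condition the TID warns about: a boot drive whose data is
    # already encrypted (or encrypting) while protection is off and no
    # recovery password protector has been generated yet.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPassword = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus    = $vol.ProtectionStatus  # can be Off even when the data is already encrypted
        EncryptionPercent   = $vol.EncryptionPercentage
        HasRecoveryPassword = $hasRecoveryPassword
        # Encrypted without a saved recovery password: the registry value no
        # longer helps, and the drive must be dealt with (key generated, then
        # decrypted) before ZCM FDE or imaging runs against it.
        NeedsAttention      = ($vol.VolumeStatus -ne 'FullyDecrypted') -and -not $hasRecoveryPassword
    }
}

# Check the current state first, then set the value; the value only matters
# on devices where Bitlocker has not yet started encrypting.
Get-BootDriveBitLockerState | Format-List
"PreventDeviceEncryption is now: $(Set-PreventDeviceEncryption)"
```

On a reference image, run only Set-PreventDeviceEncryption before capture; the state check is for devices already deployed.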
 
See https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/ for details about the "Allow BitLocker without a compatible TPM" GPO setting referenced in the Situation section above.