Weird issue with a Windows install.... have you ever tried to wipe a recently new OEM Windows install on a brand name computer, and after using diskpart -> clean, Windows Setup fails to install with "Window Setup failed to re-initialize the deployment engine"?
I figured out that this was a BitLocker problem on new PC's. I had read that new brand name machines are all getting BitLocker encrypted by default, but it used to be that it wasn't complete until a user used a Microsoft Account to fully lock it and to log a recovery key online. I guess their OEM policy changed.
The way I detected it was because I inspected the partition layout and saw that after Windows Setup creates the partition layout, the large partition meant for the install had an "Unknown" file system. For some reason, even when the partition table is wiped out, when Windows recreates the partition table, Windows Setup can detect some leftover BitLocker stuff and it throws off the ability to reformat it correctly.
I could be wrong, but I don't believe SSD's run TRIM in Windows Setup/PE. It usually is scheduled by the disk defragmenter in Windows, but Windows Setup doesn't run those scheduled tasks. This is likely why there's still some encryption metadata stored on the disk even after you wipe the partition table.
The solution to the problem is to manually format the partition using diskpart if your Windows Setup already created it (though you'll need to reboot to relaunch Windows Setup because when it throws an error, you can't go back). You need to use the OVERRIDE parameter after selecting the right one. Here's a full set of instructions if you got this error while trying to wipe the drive and reinstall, such as the common method of using a USB thumb drive:
Reboot as the error prompt requires, and relaunch your installation media.
When you get to the disk partitioning screen, don't erase the current partitions - they're fine.
Hit Shift-F10 to open a Command Prompt.
Type the following commands (not the comments):
diskpart <ENTER>
list disk <ENTER>
(check by the size which disk is the disk you're installing onto - on a single drive system it's probably disk 0 but YMMV)
select disk 0 <ENTER>
list partition <ENTER>
(look for the big primary partition - it's probably the third and final one on the disk, but again, YMMV)
select partition 3 <ENTER>
format quick override <ENTER>
exit <ENTER>
exit <ENTER>
(once for diskpart, and again for Command Prompt)
Now you'll be back to the disk partitioning screen again. Hit F5 to refresh the display, and then choose that same partition again that you did with diskpart. Windows Setup probably won't let you select any other unless you had multiple drives in your machine.
I'm not opposed to the idea of having drives encrypted by default, just that I hate that Microsoft requires that you sign in via a Microsoft Account so that there's a recovery key for the encryption - and they don't tell you that you should go and make a printed copy of it in case something goes wrong with the encryption or with the bootloader. AND IT HAS HAPPENED BEFORE WITH BIOS OR BOOTLOADER UPDATES! For anybody with only a single PC, this is a really poor recovery scenario. Also the fact that Microsoft mandates alternative login security methods instead of your Microsoft Account password to sign into the machine, which is breeding a new generation of users that just tend to forget their online password to be able to sign in on a friends computer and retrieve said BitLocker decryption key....
Thankfully, they haven't completely locked out the ability to bypass Microsoft Accounts altogether. Although they've started removing the bits that enable you to open a Command Prompt during the OOBE (the handy Shift-F10 as mentioned above for Windows Setup is getting taken out in recent builds), they still have the option to bypass the online login mandate via unattended installs. I'll publish my method in another note at a later date.
Oh, and Linux fans: disk encryption there really sucks bad. I haven't seen a single distro installer with LUKS encryption that easily integrates with TPM keys.
The solution is just this:
1) when the OS is installing with **optional** encryption, use the TPM keystore
2) tell the user WITH A BIG WARNING: "Write down this decryption key and keep it some place safe for emergencies, or lose your data!!" with multiple checkboxes that they've confirmed that they followed the instructions
3) make the user create a strong password to unlock the PC (not the same as the decryption key), or use biometrics or some method like a simple PIN, but don't require online access
4) use the TPM to do regular day-to-day decryption
Any OS vendor can follow this plan.
FYI: BitLocker slows down standard drives, especially SSD's, by a lot. The best drives for BitLocker are TCG OPAL/IEEE 1667 drives following Microsoft's eDrive specification, which do hardware encryption and don't slow down much.
Waethorn /
npub1ah…j6ee5
2024-08-21 08:06:39
Author Public Key
npub1ahd4wv5s8uns8rpgefrmctarq3vepta8w8x086hdhpk4tk2tcl7qkj6ee5Published at
2024-08-21 08:06:39Event JSON
{
"id": "c9f203ee6daeb06c3daab9bff6604f9f85fe6d26e7dfbf078bb24a3db20913ea",
"pubkey": "eddb5732903f27038c28ca47bc2fa3045990afa771ccf3eaedb86d55d94bc7fc",
"created_at": 1724227599,
"kind": 1,
"tags": [],
"content": "Weird issue with a Windows install.... have you ever tried to wipe a recently new OEM Windows install on a brand name computer, and after using diskpart -\u003e clean, Windows Setup fails to install with \"Window Setup failed to re-initialize the deployment engine\"?\n\nI figured out that this was a BitLocker problem on new PC's. I had read that new brand name machines are all getting BitLocker encrypted by default, but it used to be that it wasn't complete until a user used a Microsoft Account to fully lock it and to log a recovery key online. I guess their OEM policy changed. \n\nThe way I detected it was because I inspected the partition layout and saw that after Windows Setup creates the partition layout, the large partition meant for the install had an \"Unknown\" file system. For some reason, even when the partition table is wiped out, when Windows recreates the partition table, Windows Setup can detect some leftover BitLocker stuff and it throws off the ability to reformat it correctly.\n\nI could be wrong, but I don't believe SSD's run TRIM in Windows Setup/PE. It usually is scheduled by the disk defragmenter in Windows, but Windows Setup doesn't run those scheduled tasks. This is likely why there's still some encryption metadata stored on the disk even after you wipe the partition table.\n\nThe solution to the problem is to manually format the partition using diskpart if your Windows Setup already created it (though you'll need to reboot to relaunch Windows Setup because when it throws an error, you can't go back). You need to use the OVERRIDE parameter after selecting the right one. Here's a full set of instructions if you got this error while trying to wipe the drive and reinstall, such as the common method of using a USB thumb drive:\n\nReboot as the error prompt requires, and relaunch your installation media.\n\nWhen you get to the disk partitioning screen, don't erase the current partitions - they're fine.\n\nHit Shift-F10 to open a Command Prompt.\n\nType the following commands (not the comments):\n\ndiskpart \u003cENTER\u003e\nlist disk \u003cENTER\u003e\n\n(check by the size which disk is the disk you're installing onto - on a single drive system it's probably disk 0 but YMMV)\n\nselect disk 0 \u003cENTER\u003e\nlist partition \u003cENTER\u003e\n\n(look for the big primary partition - it's probably the third and final one on the disk, but again, YMMV)\n\nselect partition 3 \u003cENTER\u003e\nformat quick override \u003cENTER\u003e\n\nexit \u003cENTER\u003e\nexit \u003cENTER\u003e\n\n(once for diskpart, and again for Command Prompt)\n\nNow you'll be back to the disk partitioning screen again. Hit F5 to refresh the display, and then choose that same partition again that you did with diskpart. Windows Setup probably won't let you select any other unless you had multiple drives in your machine.\n\nI'm not opposed to the idea of having drives encrypted by default, just that I hate that Microsoft requires that you sign in via a Microsoft Account so that there's a recovery key for the encryption - and they don't tell you that you should go and make a printed copy of it in case something goes wrong with the encryption or with the bootloader. AND IT HAS HAPPENED BEFORE WITH BIOS OR BOOTLOADER UPDATES! For anybody with only a single PC, this is a really poor recovery scenario. Also the fact that Microsoft mandates alternative login security methods instead of your Microsoft Account password to sign into the machine, which is breeding a new generation of users that just tend to forget their online password to be able to sign in on a friends computer and retrieve said BitLocker decryption key....\n\nThankfully, they haven't completely locked out the ability to bypass Microsoft Accounts altogether. Although they've started removing the bits that enable you to open a Command Prompt during the OOBE (the handy Shift-F10 as mentioned above for Windows Setup is getting taken out in recent builds), they still have the option to bypass the online login mandate via unattended installs. I'll publish my method in another note at a later date.\n\nOh, and Linux fans: disk encryption there really sucks bad. I haven't seen a single distro installer with LUKS encryption that easily integrates with TPM keys. \n\nThe solution is just this: \n\n1) when the OS is installing with **optional** encryption, use the TPM keystore\n\n2) tell the user WITH A BIG WARNING: \"Write down this decryption key and keep it some place safe for emergencies, or lose your data!!\" with multiple checkboxes that they've confirmed that they followed the instructions \n\n3) make the user create a strong password to unlock the PC (not the same as the decryption key), or use biometrics or some method like a simple PIN, but don't require online access\n\n4) use the TPM to do regular day-to-day decryption\n\nAny OS vendor can follow this plan. \n\nFYI: BitLocker slows down standard drives, especially SSD's, by a lot. The best drives for BitLocker are TCG OPAL/IEEE 1667 drives following Microsoft's eDrive specification, which do hardware encryption and don't slow down much.",
"sig": "b06d3496d8f93a78e1058e6de35f3059afc6b4317b4cd2bb9f50d5dd5474968dedebb9def733a2627311a7ac19e07cf0ac3095e5a0982b8ea478534f76ed8c9a"
}