Hi Intune Support Team,

I am looking for some confirmation that in order to enforce 256-bit encryption, the BitLocker policy needs to be assigned to a DEVICE group and not a USER group to make sure it gets pulled down early enough during the ESP. This blog post is the only place where I have been able to find any reference for this requirement.

If this is indeed required, my plan is to target the policy to the same AAD device groups that I use to assign the AutoPilot profiles. You mention targeting the 'Autopilot group of devices', which I read to be the same approach.

Any confirmation or link to additional information on this topic would be greatly appreciated.

Thanks,
Jan

Update: I feel that Oliver K. has been able to answer my question about DEVICE vs. USER targeting in the comments section of his blog post @ https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune