Forum Discussion
BitLocker Encryption Policy for AutoPilot Devices (Windows 10 1809)
According to the What's new in Windows 10 1809 article, the following functionality is available.
You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
BitLocker encryption with AES-256 is a security requirement for one of the organizations that I consult for, so I was interested in getting this to work.
Several months of experiments, a Microsoft Premier Support call and a Per Larson blog post later I have finally managed to get BitLocker policies to apply correctly during AutoPilot OOBE.
Here is the recipe that you need to get BitLocker CSP policy to apply on Windows 10 1809.
- Create a brand new Windows 10 Endpoint Protection policy (Important - settings do not work if applied using an existing policy)
- Apply the BitLocker encryption policy settings that you want
- Make sure that the Encrypt Device setting is set to Not Configured (Important!)
- Make sure that the OS Drive Additional authentication settings are set to values compatible with HSTI/OOBE BitLocker
- Create a new Azure AD Group
- Add the devices that you are targeting for AutoPilot to the Azure AD Group
- Make sure that the Windows 10 OOBE Status page is enabled for all AutoPilot devices
- AutoPilot away!
The following caveats apply:
- You need Windows 10 1809
- The hardware has to be HSTI/InstantGo compatible
I have attached the settings that I used to successfully encrypt devices but other settings may work.
The key setting is Encrypt Device: Not Configured. I started experimenting with the BitLocker settings in August using Insider Preview versions of Windows 10 1809, but my experiments were unsuccessful because I set the Encrypt Device setting to Required. It was only when I saw Per Larson's blog post that I realized that the BitLocker settings for AutoPilot devices need to be different from those for regular devices. Microsoft Support were unable to clarify why setting Encrypt Device to Required broke the policy.
One important consideration is that if you apply this policy to all devices, and some devices do not auto-encrypt, then you will have unencrypted devices floating around. You can tackle this with a Compliance Policy, but the end users do not get a great user experience. I am handling unencrypted devices with a combination of a deploy script that checks whether encryption is enabled and enables it manually if necessary, and a Compliance Policy.
- mika tolvanen (Copper Contributor)
Hello,
Could someone confirm whether this is still the same with Windows 10 1903, i.e. that Encrypt Device should be Not Configured? This is a very confusing set of settings to define the right BitLocker configuration with Intune...
- AliGomaa (Copper Contributor)
Andrew Matthews, is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256?
- Andrew Matthews (Iron Contributor)
AliGomaa, yes - but it's a custom PowerShell script.
You have to decrypt the drive then re-encrypt. A number of the blogs have posted sample scripts to resolve this problem.
FYI - I did a new deployment of BitLocker on Windows 1809 and the AES256 policy settings were respected during AutoPilot.
AliGomaa wrote: Andrew Matthews, is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256?
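The two scripted remediations mentioned in this thread, the original post's deploy script that enables encryption when the policy did not auto-encrypt a device, and the decrypt-then-re-encrypt conversion from AES-128 to AES-256 described in the reply above, follow the same pattern: read the OS volume's BitLocker state, compare it with the required cipher, and act only on the mismatch. The script below is an added example written for this page; it is not a script from the thread, from Per Larson's blog or from Microsoft. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume, Enable-BitLocker, Disable-BitLocker, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector, Resume-BitLocker), an Azure AD joined device with a TPM, and an elevated session. The parameter names ($TargetMethod, -Remediate) and the function names are chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report on, and optionally remediate, the OS volume's
# BitLocker state against a required cipher. Assumes the built-in BitLocker module, a TPM,
# and an Azure AD joined device. $TargetMethod / -Remediate are names chosen for this example.
param(
    [string]$MountPoint   = $env:SystemDrive,   # usually "C:"
    [string]$TargetMethod = 'XtsAes256',        # the AES-256 requirement from the original post
    [switch]$Remediate                          # without this switch the script only reports
)

function Get-OsVolumeState {
    # Collapse the fields a compliance check needs into one object.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted / EncryptionInProgress / FullyEncrypted / ...
        EncryptionMethod = $vol.EncryptionMethod  # None / Aes128 / Aes256 / XtsAes128 / XtsAes256
        ProtectionStatus = $vol.ProtectionStatus  # On / Off (Off also covers a suspended volume)
        HasRecoveryKey   = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Wait-ForVolumeStatus {
    # Encryption and decryption run in the background; poll until the volume settles.
    param([string]$Status)
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } until ($vol.VolumeStatus -eq $Status)
}

function Enable-TargetEncryption {
    # TPM protector unlocks the OS drive at boot; a recovery password is added and escrowed to
    # Azure AD so a manually encrypted device never holds a key that exists only on the device.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $TargetMethod -TpmProtector -SkipHardwareTest
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1).KeyProtectorId
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId
    Wait-ForVolumeStatus -Status 'FullyEncrypted'
}

$state = Get-OsVolumeState
$state | Format-List
$compliant = $false

switch ($state.VolumeStatus) {
    'FullyDecrypted' {
        # The case the original post handles with a deploy script: policy did not auto-encrypt.
        Write-Warning "$MountPoint is not encrypted."
        if ($Remediate) { Enable-TargetEncryption; $compliant = $true }
    }
    'FullyEncrypted' {
        if ($state.EncryptionMethod -ne $TargetMethod) {
            # The AES-128 to AES-256 case: BitLocker cannot change the cipher in place,
            # so the volume is fully decrypted and then re-encrypted with the target method.
            Write-Warning "$MountPoint uses $($state.EncryptionMethod); policy requires $TargetMethod."
            if ($Remediate) {
                Disable-BitLocker -MountPoint $MountPoint
                Wait-ForVolumeStatus -Status 'FullyDecrypted'
                Enable-TargetEncryption
                $compliant = $true
            }
        } elseif ($state.ProtectionStatus -ne 'On') {
            Write-Warning "$MountPoint is encrypted with $TargetMethod but protection is suspended."
            if ($Remediate) { Resume-BitLocker -MountPoint $MountPoint; $compliant = $true }
        } else {
            Write-Host "$MountPoint compliant: $TargetMethod, protection on."
            $compliant = $true
        }
    }
    default { Write-Host "$MountPoint is busy ($($state.VolumeStatus)); re-run once it settles." }
}

# Non-zero exit lets the same script serve as an Intune detection script.
if ($compliant) { exit 0 } else { exit 1 }
```

Run without -Remediate it only reports and exits 1 when the OS volume does not match the required cipher, which is the shape an Intune detection script needs; with -Remediate it performs the enable or the decrypt-and-re-encrypt, which takes as long as a full-disk encryption pass and should be scheduled on AC power. The recovery password is escrowed before the script waits for encryption to finish, so a device that is interrupted mid-way still has a recoverable key in Azure AD.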
- AliGomaa (Copper Contributor)
Thank you
- Deleted
With the "Windows 10 OOBE Status page" you mean the Enrollment Page?
- Randolf Brunekreeft (Copper Contributor)
The automatic BitLocker encryption under a standard user account doesn't seem to work for Windows 10 Pro. The AllowWarningForOtherDiskEncryption policy is not supported by Windows 10 Pro: https://docs.microsoft.com/nl-nl/windows/client-management/mdm/bitlocker-csp
(even though AllowStandardUserEncryption is supported by Windows 10 Pro)
- Andrew Matthews (Iron Contributor)