Forum Discussion

Andrew Matthews's avatar
Andrew Matthews
Iron Contributor
Nov 09, 2018
Solved

CSP Policy for BitLocker Encryption on AutoPilot Devices

According to the https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#security-improvements the following functionality is available.   You can choose which encrypti...
  • Andrew Matthews's avatar
    Andrew Matthews
    Nov 26, 2018

    After a great deal of experimentation and a https://osddeployment.dk/2018/11/18/how-to-delivering-bitlocker-policy-to-autopilot-devices-to-set-256-bit-encryption/; I tracked down the cause of the issue.

     

    The encryption section of the EndPoint Protection policy does not correctly apply to AAD Joined devices capable of HSTI if the policy is set to Encrypt Device: Require.

     

    I was able to successfully encrypt a device during AutoPilot with AES 256 under the following circumstances.

     

    • Create a brand new Endpoint Protection policy (Important!)
    • Apply the encryption settings that you want to set
    • Make sure the Encrypt Device setting is set to Not Configured
    • Apply the policy to a group containing Azure AD Joined windows devices
    • Do not target the policy at user accounts

    The policy settings that I used are attached.

Andrew Matthews's avatar
Andrew Matthews
Iron Contributor
Nov 26, 2018

After a great deal of experimentation and a https://osddeployment.dk/2018/11/18/how-to-delivering-bitlocker-policy-to-autopilot-devices-to-set-256-bit-encryption/; I tracked down the cause of the issue.

 

The encryption section of the EndPoint Protection policy does not correctly apply to AAD Joined devices capable of HSTI if the policy is set to Encrypt Device: Require.

 

I was able to successfully encrypt a device during AutoPilot with AES 256 under the following circumstances.

 

  • Create a brand new Endpoint Protection policy (Important!)
  • Apply the encryption settings that you want to set
  • Make sure the Encrypt Device setting is set to Not Configured
  • Apply the policy to a group containing Azure AD Joined windows devices
  • Do not target the policy at user accounts

The policy settings that I used are attached.

mmiadmin's avatar
mmiadmin
Copper Contributor
Jan 30, 2023
This is an old posting which is almost 4 years back. I am having the same issue now. I am trying to encrypt the bilocker to AES256 unfortunately, the device comes with 128 encryption. The only way I was told that it could be done was to decrypt the current 128 and then re-encrypt it with 256. So, I am trying to find a solution for this. I have one PowerShell script that will try to decrypt the current 128 encryption and then I have a policy that will encrypt the 256 policy.

So, I am finding a way that we could do this. Any suggestions or thoughts or any methods?
  • Andrew Matthews's avatar
    Andrew Matthews
    Iron Contributor
    Jan 30, 2023
    You are on the right track. I would suggest installing a single PowerShell script onto devices as a scheduled task. There is no alternative to decrypting the drive and then re-encrypting.

    A scheduled task will survive a reboot and pickup where the previous run did not complete. and avoids issues with UAC because the scheduled task runs as system.

    I built a deployment system for Autopilot that includes a process to drop scheduled tasks onto devices for this type of purpose. Unfortunately that deployment system is not for public release.

Resources