Forum Discussion
Bitlocker Encryption with AutoPilot Deployment (Non SCCM, Cloud ECM only)
Hi we are leveraging a config profile to encrypt our computers after Autopilot Enrollment.
XTS-AES 256-bit used space only. The issue that we are seeing is that some of our PCs encrypt with 128 only. They all have proper BIOS settings and compatable TPM Modules. We wind up having to decrypt them and then let the Config Profile reapply the encryption and it always goes to 256 after that. It is like something is kicking off default Windows Encryption which is 128. Is there something we should be looking for? We have a case with Microsoft, but they did nto find anything.
Also, after encryption we have to run a separate script to check for encryption and then prompt the user to set their TPM PIN. Are there any plans to support this in a Config profile in the future? We dont want to use Group Policy and MBAM.......we moved away from that.
9 Replies
Rheinrich21 they probably came already encrypted or auto-encrypted (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)#device-encryption) by themself. Bitlocker will not change encryption just by config. You need a script that unencrypts and then encrypts with the correct config.
- SteveThomas
Microsoft
I would also verify that all the devices firmware is up to date. This Customer Success article may also be helpful in gathering additional data - especially if you open a support case, which is also recommended. https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-bitlocker-policies-in-microsoft/ba-p/863670- Thank you. I have read through this. The Hardware, OS 21H2, Firmware, TPM, and relevant BIOS settings are intact. We can decrypt the drive, then let the config profile kick in and it will Encrpyt properly. This mostly seems to happen when the device is Pre-Provisioned. We don't use any preprovisioning packages.
- Jason_SandysHow is the device registered in Autopilot and how long are you waiting after it is registered to begin the Autopilot process?
- Jason_SandysHow is this BitLocker configuration profile applied to the devices? Specifically, is it assigned to a group that the devices fall into before provisioning or after?
- It is currently applied to all Users and then the Devices through two dynamic groups, one Dynamic Query by ZTID and the other by GroupTag.
- Jason_SandysUser targeting is not sufficient here although your dynamic device group targeting should be.
Do you have the device ESP enabled?
In addition to the article linked to above by Steve, have you reviewed https://techcommunity.microsoft.com/t5/intune-customer-success/setting-256-bit-encryption-for-bitlocker-during-autopilot-with/ba-p/323791?
