By Matt Shadbolt | Intune Sr. Program Manager
Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices running the October 2018 Update.
One such setting allows the IT administrator to set the BitLocker encryption algorithm. The encryption algorithm is chosen when BitLocker is first enabled and determines the cipher and key strength used for full volume encryption. An IT administrator can set this algorithm to AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption.
By default, Windows 10 will encrypt a drive with XTS-AES 128-bit encryption. Encryption can be enabled on unencrypted Windows 10 PCs using MDM policy, such as when the device becomes Azure AD Joined (AADJ).
When a Windows 10 device runs through the Out Of Box Experience (OOBE) and an AADJ occurs during OOBE, BitLocker may be automatically enabled on modern hardware with the default XTS-AES 128-bit encryption algorithm before the Intune MDM policy is processed and the IT administrator's configuration is applied.
This causes a situation where the BitLocker disk encryption does not meet the IT administrator's requirements as defined in Intune, because the algorithm cannot be changed after the fact without decrypting and re-encrypting the drive.
Microsoft Intune recently made some UI changes to call out that these settings only apply at first encryption. To help improve this experience, we made some changes to the Windows Autopilot build process that enable Windows to consume the IT administrator's MDM settings before automatic encryption is started.
Starting with the Windows 10 October 2018 Update, the BitLocker encryption algorithm can be changed during an Autopilot build. To achieve this, you need to configure the following:
By meeting these three configuration requirements, your Autopilot-configured devices will honor the BitLocker encryption algorithm setting and will encrypt with the algorithm you specified.
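The mismatch described above is easy to miss, because the device reports as encrypted either way. The following script is an added example (not part of the original post or of any Microsoft tooling) that checks whether the OS volume on a device was actually encrypted with the algorithm the administrator intended. It assumes the BitLocker PowerShell module is present (it is on Windows 10) and that the expected algorithm is passed in as $ExpectedMethod; the registry location and value mapping used for the optional policy read are the documented BitLocker policy values, but treat them as an assumption of this example and verify them against your own policy.

```powershell
# Added example, not from the original post: verify that the OS volume was
# encrypted with the algorithm the Intune policy intends. Run in an elevated
# PowerShell session on a Windows 10 device. $ExpectedMethod is the algorithm
# configured in Intune, expressed as the BitLocker module's enum name.
param(
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$ExpectedMethod = 'XtsAes256'
)

# Assumed mapping of the BitLocker policy value (EncryptionMethodWithXtsOs)
# to the algorithm names reported by Get-BitLockerVolume.
$policyValueToMethod = @{
    3 = 'Aes128'     # AES-CBC 128-bit
    4 = 'Aes256'     # AES-CBC 256-bit
    6 = 'XtsAes128'  # XTS-AES 128-bit
    7 = 'XtsAes256'  # XTS-AES 256-bit
}

# Optional: if a BitLocker policy has already been delivered to the device,
# read the OS-drive algorithm it specifies so the report shows both values.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyMethod = $null
if (Test-Path $policyPath) {
    $policyValue = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).EncryptionMethodWithXtsOs
    if ($null -ne $policyValue -and $policyValueToMethod.ContainsKey([int]$policyValue)) {
        $policyMethod = $policyValueToMethod[[int]$policyValue]
    }
}

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

if ($osVolume.VolumeStatus -eq 'FullyDecrypted') {
    # Nothing has been encrypted yet, so the policy algorithm will still be
    # honored at first encryption.
    Write-Output "OS volume is not encrypted; the policy algorithm will apply at first encryption."
    return
}

$actual = [string]$osVolume.EncryptionMethod
$report = [pscustomobject]@{
    MountPoint       = $osVolume.MountPoint
    VolumeStatus     = $osVolume.VolumeStatus
    ProtectionStatus = $osVolume.ProtectionStatus
    ActualMethod     = $actual
    ExpectedMethod   = $ExpectedMethod
    PolicyMethod     = $policyMethod
    Compliant        = ($actual -eq $ExpectedMethod)
}
$report | Format-List

if (-not $report.Compliant) {
    # This is the situation the post describes: automatic encryption ran before
    # the MDM policy was processed, so the drive carries the default algorithm.
    # The algorithm cannot be switched in place; the volume would need to be
    # decrypted and re-encrypted to change it.
    Write-Warning "OS volume is encrypted with $actual but policy expects $ExpectedMethod."
}
```

Run it as the expected algorithm your Intune profile specifies, for example `.\Check-BitLockerMethod.ps1 -ExpectedMethod XtsAes256`. A non-compliant result on an Autopilot device indicates the encryption happened before the MDM policy was applied; on builds with the Autopilot changes described in this post, newly provisioned devices should report the expected algorithm.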
Let us know if you have any questions on this expanded feature set.