Setting 256-bit encryption for BitLocker during Autopilot with the Windows 10 October 2018 Update

By Matt Shadbolt | Intune Sr. Program Manager

 

Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices running the October 2018 Update.

 

One such setting allows the IT administrator to set the BitLocker encryption algorithm. This algorithm is selected when BitLocker is first enabled and determines the cipher mode and key length used for full-volume encryption. An IT administrator can set it to AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption.

 

By default, Windows 10 will encrypt a drive with XTS-AES 128-bit encryption. Encryption can be enabled on unencrypted Windows 10 PCs using MDM policy, such as when the device becomes Azure AD Joined (AADJ).

 

When a Windows 10 device runs through the Out Of Box Experience (OOBE), and an AADJ occurs during OOBE, BitLocker may be automatically enabled on modern hardware with the default XTS-AES 128-bit encryption algorithm before the Intune MDM policy is processed and the IT administrator’s configuration is applied.

 

This causes a situation whereby the BitLocker disk encryption does not meet the IT administrator’s defined requirements in Intune.

 

[Image: bitlocker_blogpost.png]

 

Microsoft Intune recently made some UI changes to call out that these settings only apply at first encryption. To help improve this experience, we made some changes to the Windows Autopilot build process that enable Windows to consume the IT administrator’s MDM settings before automatic encryption is started.

 

From the Windows 10 October 2018 Update onward, the BitLocker encryption algorithm can be changed during an Autopilot build. To achieve this, you need to configure the following:

  1. Configure the encryption method settings in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
  2. Target the encryption method policy to your Autopilot group of devices. This is required as the policy needs to be processed as a device targeted policy, not a user targeted policy.
  3. Enable the Autopilot Enrollment Status Page (ESP) for your users/devices. This is required because if the ESP is not enabled, the policy will not apply before encryption starts.

By meeting these three configuration requirements, your Autopilot configured devices will now honor the BitLocker encryption algorithm setting and will encrypt with your specified encryption algorithm.
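As an added example that is not part of this post, the following PowerShell audit can be run on a device after Autopilot completes to confirm that the encryption method policy actually arrived and that the OS volume was encrypted with the required algorithm rather than the XTS-AES 128-bit default. It assumes that the Intune policy is written to the registry value HKLM:\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs using the BitLocker CSP codes (3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256); the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumption: the Intune
# EncryptionMethodByDriveType policy lands at the registry location below,
# encoded with the BitLocker CSP codes listed in $codeToMethod.
$policyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyValueName = 'EncryptionMethodWithXtsOs'

# Map the policy's numeric code to the EncryptionMethod names that
# Get-BitLockerVolume reports for a volume.
$codeToMethod = @{
    3 = 'Aes128'      # AES-CBC 128-bit
    4 = 'Aes256'      # AES-CBC 256-bit
    6 = 'XtsAes128'   # XTS-AES 128-bit (Windows 10 default)
    7 = 'XtsAes256'   # XTS-AES 256-bit
}

function Get-RequiredOsEncryptionMethod {
    # Returns $null when no policy value is present, i.e. the MDM policy
    # never reached this device (wrong targeting, or ESP not enabled).
    $item = Get-ItemProperty -Path $policyKey -Name $policyValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $codeToMethod[[int]$item.$policyValueName]
}

function Test-OsVolumeEncryptionMethod {
    $required = Get-RequiredOsEncryptionMethod
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $actual   = $osVolume.EncryptionMethod.ToString()

    $requiredLabel = if ($required) { $required } else { '(no MDM policy present)' }

    return [pscustomobject]@{
        MountPoint     = $osVolume.MountPoint
        VolumeStatus   = $osVolume.VolumeStatus.ToString()
        RequiredMethod = $requiredLabel
        ActualMethod   = $actual
        Compliant      = ($null -ne $required) -and ($required -eq $actual)
    }
}

$check = Test-OsVolumeEncryptionMethod
$check | Format-List

if (-not $check.Compliant) {
    if ($check.RequiredMethod -eq '(no MDM policy present)') {
        Write-Warning 'No encryption method policy found on this device; confirm the profile is targeted to the device group and the ESP is enabled.'
    } elseif ($check.ActualMethod -eq 'None') {
        Write-Warning 'OS volume is not encrypted yet; the policy will be honored when encryption starts.'
    } else {
        # The race described in the post: encryption started before the policy applied.
        Write-Warning "OS volume was encrypted with $($check.ActualMethod) but policy requires $($check.RequiredMethod). The method only applies at first encryption, so the volume must be decrypted and re-encrypted."
    }
}
```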

 

Let us know if you have any questions on this expanded feature set. 

12 Comments
New Contributor

Question for me. Windows 10 October 2018 Update ties back to 1809 build. We have several devices on 1809 that are Hybrid DJ in AutoPilot yet the Bitlocker is now kicking off automatically. Is there a dependency that is also tied to Win10 being on Enterprise vs Pro? Reason why it would not be running automatically.

Certain this is in docs, but quoting directly from one of our Intune experts, Courtenay Bernier: "Beginning with Windows 10 Creators Update (1703) BitLocker can also be managed and enabled with Microsoft Intune by using Configuration Service Provider (CSP) settings. Note: Windows Business/Enterprise/Education is required." https://blogs.technet.microsoft.com/cbernier/2017/07/11/windows-10-intune-windows-bitlocker-management-yes/

Occasional Contributor

Hi Intune Support Team, I am looking for some confirmation that in order to enforce 256bit encryption, the Bitlocker policy needs to be assigned to a DEVICE group and not a USER group to make sure it gets pulled down early enough during the ESP. This blog post is the only place where I have been able to find any reference for this requirement. If this is indeed required, my plan is to target the policy to the same AAD device groups that I use to assign the AutoPilot profiles. You mention to target the 'Autopilot group of devices', which I read to be the same approach. Any confirmation or link to additional information on this topic would be greatly appreciated. Thanks, Jan

 

Update: I feel that Oliver K. has been able to answer my question about DEVICE vs. USER targeting in the comments section of his blog post @ https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune

Occasional Contributor

The blog post states that 'To help improve this experience, we made some changes to the Windows Autopilot build process that enables Windows to consume the IT administrator’s MDM settings before automatic encryption is started.'

 

It is my understanding (and that of the Microsoft engineer working on a case on this exact question) that most modern hardware (InstantGo) will start automatic encryption with 128bit when the PC first boots up, right at the start of OOBE. This is before any of the MDM settings can be applied.

 

Can you please explain how we can enforce 256bit encryption using MDM settings and the ESP as described in this blog post for those 'modern' devices?

Microsoft

Hi Jan. You're right, InstantGo devices will automatically enable device encryption on Azure AD Join. Per this blog post, if you're using Autopilot and target the configuration correctly (to a device group, ESP, etc.), the policy is received by the client early enough before auto encryption starts. This means the 256-bit encryption requirement will be honored when auto encryption begins.

Hope that helps clear it up. 

Matt 

Occasional Contributor

Hi Matt,

Maybe I am confusing InstantGo with something else here, but what I was trying to say is that we have devices that auto-encrypt at first boot! This is at the very beginning of the OOBE when the user selects the region, so before Internet/AutoPilot/Intune has even been contacted. If that happens, 128bit encryption is used and MDM/ESP even when targeted to a device group will not be able to change it because encryption has already started. Not sure why some devices auto-encrypt that early in the process, and unfortunately there is no mention of this in any of the MS blogs/docs.

We have an open case with MS on this, so please feel free to look at that if you have access: 119030526001011

Regards,

Jan

Senior Member

Hi @Jan Gutjahr , was this ever resolved for you? We have been struggling with the same issue for months now and have multiple MS support tickets open. Our entire Auto Pilot program has come to a screeching halt because of this. @Matt Shadbolt if you have any other info on checking settings or things to look out for, we would appreciate it. Thanks

Occasional Contributor

Hi @Asif Mahmud, we have been told by MS that 'the fix will be part of May End Windows Update'. As a temporary workaround, they have suggested disconnecting the power adapter on first boot as that may prevent Bitlocker from auto-encrypting.

Microsoft

Even after enabling all these settings, if you still find that the device is getting encrypted with 128-bit, make sure you create a Device Restriction policy and configure this setting.

 

Intune > Device Configuration > Create a new policy > Windows 10 and later > Device restrictions > Password > Automatic encryption during AADJ > Block

Occasional Visitor

@Intune Support Team Followed the article steps and it partially works. The machine goes through the autopilot process and encrypts with AES-256, but the device has an additional device configuration profile attached with User Principal Name "System Account" in error state. This makes the machine not compliant.

 

@HimanshuIntune Followed your instruction on creating another device restriction policy to block AADJ automatic encryption.  This partially works.  It blocks the device from encrypting during AADJ, but the machine didn't auto encrypt during the user setup phase.  Once into the machine I cannot turn on encryption on the new Windows 10 setting page.  I had to use the Manage BitLocker page to encrypt the device.  

 

Tested with Windows 1809 and 1903.

Hi @kensoom, If you continue facing an issue with the Device Configuration profile not deploying as expected, please open a support case via the Intune Admin console's Help and Support. Our support team would be happy to further assist with resolving your issue. Feel free to direct message us with your support case number for follow up!

Senior Member

Using 1903 with latest updates seems to have finally resolved this issue for us.