Home

BitLocker Encryption Policy for AutoPilot Devices (Windows 10 1809)

%3CLINGO-SUB%20id%3D%22lingo-sub-291187%22%20slang%3D%22en-US%22%3EBitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291187%22%20slang%3D%22en-US%22%3E%3CP%3EAccording%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwhats-new%2Fwhats-new-windows-10-version-1809%23security-improvements%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%20in%20Windows%2010%201809%3C%2FA%3E%20the%20following%20functionality%20is%20available.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3E%3CSTRONG%3EYou%20can%20choose%20which%20encryption%20algorithm%20to%20apply%20automatic%20BitLocker%20encryption%20to%20capable%20devices%2C%20rather%20than%20automatically%20having%20those%20devices%20encrypt%20themselves%20with%20the%20default%20algorithm.%20This%20allows%20the%20encryption%20algorithm%20(and%20other%20BitLocker%20policies%20that%20must%20be%20applied%20prior%20to%20encryption)%2C%20to%20be%20delivered%20before%20automatic%20BitLocker%20encryption%20begins.%3C%2FSTRONG%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3E%3CSTRONG%3EFor%20example%2C%20you%20can%20choose%20the%20XTS-AES%20256%20encryption%20algorithm%2C%20and%20have%20it%20applied%20to%20devices%20that%20would%20normally%20encrypt%20themselves%20automatically%20with%20the%20default%20XTS-AES%20128%20algorithm%20during%20OOBE.%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBitLocker%20encryption%20with%20AES-256%20is%20a%20security%20requirement%20for%20one%20of%20the%20organizations%20that%20I%20consult%20for%2C%20so%20I%20was%20interested%20in%20getting%20this%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESeveral%20months%20of%20experiments%2C%20a%20Microsoft%20Premier%20Support%20call%20and%20a%20%3CA%20href%3D%22https%3A%2F%2Fosddeployment.dk%2F2018%2F11%2F18%2Fhow-to-delivering-bitlocker-policy-to-autopilot-devices-to-set-256-bit-encryption%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPer%20Larson%20blog%20post%3C%2FA%3E%20later%20I%20have%20finally%20managed%20to%20get%20BitLocker%20policies%20to%20apply%20correctly%20during%20AutoPilot%20OOBE.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20recipe%20that%20you%20need%20to%20get%20bitLocker%20CSP%20Policy%20to%20apply%20on%20Windows%2010%201809.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3ECreate%20a%20brand%20new%20Windows%2010%20EndPoint%20Protection%20policy%20(Important%20-%20Settings%20do%20not%20work%20if%20applied%20using%20with%20an%20existing%20policy)%3C%2FLI%3E%3CLI%3EApply%20the%20BitLocker%20encryption%20policy%20settings%20that%20you%20want%3C%2FLI%3E%3CLI%3EMake%20sure%20that%20the%20%3CEM%3E%3CSTRONG%3EEncrypt%20Device%3C%2FSTRONG%3E%3C%2FEM%3E%20setting%20is%20set%20to%20%3CEM%3E%3CSTRONG%3ENot%20Configured%3C%2FSTRONG%3E%3C%2FEM%3E%20(Important!)%3C%2FLI%3E%3CLI%3EMake%20sure%20that%20the%20OS%20Drive%20Additional%20authentication%20settings%20are%20set%20to%20values%20compatible%20with%20HSTI%2FOOBE%20BitLocker%3C%2FLI%3E%3CLI%3ECreate%20a%20new%20Azure%20AD%20Group%3C%2FLI%3E%3CLI%3EAdd%20the%20devices%20that%20you%20are%20targeting%20for%20AutoPilot%20to%20the%20Azure%20AD%20Group%3C%2FLI%3E%3CLI%3EMake%20sure%20that%20the%20Windows%2010%20OOBE%20Status%20page%20is%20enabled%20for%20all%20AutoPilot%20devices%3C%2FLI%3E%3CLI%3EAutoPilot%20away!%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThe%20following%20caveats%20apply%3C%2FP%3E%3CUL%3E%3CLI%3EYou%20need%20Windows%2010%201809%3C%2FLI%3E%3CLI%3EThe%20hardware%20has%20to%20be%20HSTI%2FInstantGo%20compatible%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI%20have%20attached%20the%20settings%20that%20I%20used%20to%20successfully%20encrypt%20devices%20but%20other%20settings%20may%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20key%20settings%20is%20%3CEM%3E%3CSTRONG%3EEncrypt%20Device%3A%20Not%20Configured%3C%2FSTRONG%3E%3C%2FEM%3E.%20I%20started%20experimenting%20with%20the%20BitLocker%20settings%20in%20August%20using%20Insider%20preview%20versions%20of%20Windows%2010%201809%20but%20my%20experiments%20were%20unsuccessful%20because%20I%20set%20the%20%3CEM%3E%3CSTRONG%3EEncrypt%20Device%3C%2FSTRONG%3E%3C%2FEM%3E%20setting%20to%20%3CEM%3E%3CSTRONG%3ERequired%3C%2FSTRONG%3E%3C%2FEM%3E.%20It%20was%20only%20when%20I%20saw%20%3CA%20href%3D%22https%3A%2F%2Fosddeployment.dk%2F2018%2F11%2F18%2Fhow-to-delivering-bitlocker-policy-to-autopilot-devices-to-set-256-bit-encryption%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPer%20Larson's%20Blog%20post%3C%2FA%3E%20that%20I%20realized%20that%20the%20BitLocker%20settings%20for%20AutoPilot%20devices%20need%20to%20be%20different%20from%20regular%20devices.%20Microsoft%20Support%20were%20unable%20to%20clarify%20why%20the%20setting%20%3CEM%3E%3CSTRONG%3EEncrypt%20Device%3C%2FSTRONG%3E%3C%2FEM%3E%20setting%26nbsp%3B%20to%20%3CEM%3E%3CSTRONG%3ERequired%3C%2FSTRONG%3E%3C%2FEM%3E%20broke%20the%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20important%20consideration%20is%20that%20if%20you%20apply%20this%20policy%20to%20all%20devices%2C%20and%20some%20devices%20do%20not%20auto-encrypt%20then%20you%20will%20have%20un-encrypted%20devices%20floating%20around.%20You%20can%20tackle%20this%20with%20Compliance%20Policy%20but%20the%20end%20users%20do%20not%20get%20a%20great%20user%20experience.%20I%20am%20handling%20un-encrypted%20devices%20with%20a%20combination%20of%20a%20deploy%20script%20that%20checks%20whether%20enables%20encryption%20manually%20if%20necessary%20and%20a%20Compliance%20policy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-291187%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ebitlocker%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308424%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308424%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20the%20%22%3CSPAN%3EWindows%2010%20OOBE%20Status%20page%3C%2FSPAN%3E%22%20you%20mean%20the%20Enrollment%20Page%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-293964%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293964%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20testing%20was%20on%20windows%2010%20Enterprise.%20In%20my%20experience%20Windows%2010%20Enterprise%20is%20a%20requirement%20for%20Intune%20managed%20Windows%2010%20because%20key%20security%20settings%20are%20enterprise%20edition%20only.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20you%20tried%20applying%20the%20standard%20user%20encryption%20setting%20as%20a%20Custom%20policy%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-293744%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293744%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20automatic%20Bitlocker%20encryption%20under%20a%20standard%20user%20account%20doesn't%20seem%20to%20work%20for%20Windows%2010%20Pro.%20The%20AllowWarningForOtherDiskEncryption%26nbsp%3B%20policy%20is%20not%20supported%20by%20Windows%2010%20Pro%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fwindows%2Fclient-management%2Fmdm%2Fbitlocker-csp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fwindows%2Fclient-management%2Fmdm%2Fbitlocker-csp%3C%2FA%3E%3C%2FP%3E%3CP%3E(even%20though%20the%20AllowStandardUserEncryption%20is%20supported%20by%20Windows%2010%20Pro)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431796%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431796%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3B%20Is%20there%20a%20way%20to%20convert%201803%20Win10%20Pro%2FEnt%20computers%20from%20AES128%20to%20AES256%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431920%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431920%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F304484%22%20target%3D%22_blank%22%3E%40AliGomaa%3C%2FA%3EYes%20-%20but%20it's%20a%20custom%20PowerShell%20script.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20have%20to%20decrypt%20the%20drive%20then%20re-encrypt.%20A%20number%20of%20the%20blogs%20have%20posted%20sample%20scripts%20to%20resolve%20this%20problem.%3CBR%20%2F%3E%3CBR%20%2F%3EFYI%20-%20I%20did%20a%20new%20deployment%20of%20BitLocker%20on%20Windows%201809%20and%20the%20AES256%20policy%20settings%20were%20respected%20during%20AutoPilot.%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F304484%22%20target%3D%22_blank%22%3E%40AliGomaa%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45079%22%20target%3D%22_blank%22%3E%40Andrew%20Matthews%3C%2FA%3E%26nbsp%3B%20Is%20there%20a%20way%20to%20convert%201803%20Win10%20Pro%2FEnt%20computers%20from%20AES128%20to%20AES256%3F%26nbsp%3B%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432884%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432884%22%20slang%3D%22en-US%22%3EThank%20you%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-866732%22%20slang%3D%22en-US%22%3ERe%3A%20BitLocker%20Encryption%20Policy%20for%20AutoPilot%20Devices%20(Windows%2010%201809)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-866732%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20someone%20confirm%20is%20this%20still%20the%20same%20with%20Windows%2010%201903%20that%26nbsp%3B%3CSTRONG%3EEncrypt%20Device%26nbsp%3B%3C%2FSTRONG%3Eshould%20be%26nbsp%3B%3CSTRONG%3ENot%20Configured%20%3F%26nbsp%3B%3C%2FSTRONG%3Ethis%20is%20very%20confusing%20set%20to%20define%20right%20Bitlocker%20settings%20with%20Intune...%3C%2FP%3E%3C%2FLINGO-BODY%3E
Andrew Matthews
Contributor

According to the What's new in Windows 10 1809 the following functionality is available.

You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.

For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.

 

BitLocker encryption with AES-256 is a security requirement for one of the organizations that I consult for, so I was interested in getting this to work.

 

Several months of experiments, a Microsoft Premier Support call and a Per Larson blog post later I have finally managed to get BitLocker policies to apply correctly during AutoPilot OOBE.

 

Here is the recipe that you need to get bitLocker CSP Policy to apply on Windows 10 1809.

 

  • Create a brand new Windows 10 EndPoint Protection policy (Important - Settings do not work if applied using with an existing policy)
  • Apply the BitLocker encryption policy settings that you want
  • Make sure that the Encrypt Device setting is set to Not Configured (Important!)
  • Make sure that the OS Drive Additional authentication settings are set to values compatible with HSTI/OOBE BitLocker
  • Create a new Azure AD Group
  • Add the devices that you are targeting for AutoPilot to the Azure AD Group
  • Make sure that the Windows 10 OOBE Status page is enabled for all AutoPilot devices
  • AutoPilot away!

The following caveats apply

  • You need Windows 10 1809
  • The hardware has to be HSTI/InstantGo compatible

I have attached the settings that I used to successfully encrypt devices but other settings may work.

 

The key settings is Encrypt Device: Not Configured. I started experimenting with the BitLocker settings in August using Insider preview versions of Windows 10 1809 but my experiments were unsuccessful because I set the Encrypt Device setting to Required. It was only when I saw Per Larson's Blog post that I realized that the BitLocker settings for AutoPilot devices need to be different from regular devices. Microsoft Support were unable to clarify why the setting Encrypt Device setting  to Required broke the policy.

 

One important consideration is that if you apply this policy to all devices, and some devices do not auto-encrypt then you will have un-encrypted devices floating around. You can tackle this with Compliance Policy but the end users do not get a great user experience. I am handling un-encrypted devices with a combination of a deploy script that checks whether enables encryption manually if necessary and a Compliance policy.

7 Replies

The automatic Bitlocker encryption under a standard user account doesn't seem to work for Windows 10 Pro. The AllowWarningForOtherDiskEncryption  policy is not supported by Windows 10 Pro: https://docs.microsoft.com/nl-nl/windows/client-management/mdm/bitlocker-csp

(even though the AllowStandardUserEncryption is supported by Windows 10 Pro)

 

My testing was on windows 10 Enterprise. In my experience Windows 10 Enterprise is a requirement for Intune managed Windows 10 because key security settings are enterprise edition only.

 

Have you tried applying the standard user encryption setting as a Custom policy?

With the "Windows 10 OOBE Status page" you mean the Enrollment Page?

@Andrew Matthews  Is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256? 

@AliGomaaYes - but it's a custom PowerShell script.

 

You have to decrypt the drive then re-encrypt. A number of the blogs have posted sample scripts to resolve this problem.

FYI - I did a new deployment of BitLocker on Windows 1809 and the AES256 policy settings were respected during AutoPilot.


@AliGomaa wrote:

@Andrew Matthews  Is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256? 




Hello,

 

Could someone confirm is this still the same with Windows 10 1903 that Encrypt Device should be Not Configured ? this is very confusing set to define right Bitlocker settings with Intune...

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies