Setting 256-bit encryption for BitLocker during Autopilot with the Windows 10 October 2018 Update

Published Jan 22 2019 09:20 AM

By Matt Shadbolt | Intune Sr. Program Manager

Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices running the October 2018 Update.

One such setting allows the IT administrator to choose the BitLocker encryption algorithm. The algorithm is applied when BitLocker is first enabled and determines the cipher mode and key length used for full volume encryption. An IT administrator can set it to AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit.

By default, Windows 10 will encrypt a drive with XTS-AES 128-bit encryption. Encryption can be enabled on unencrypted Windows 10 PCs using MDM policy, such as when the device becomes Azure AD Joined (AADJ).

When a Windows 10 device runs through the Out Of Box Experience (OOBE) and an AADJ occurs during OOBE, BitLocker may be automatically enabled on modern hardware with the default XTS-AES 128-bit algorithm before the Intune MDM policy is processed and the IT administrator's configuration is applied.

The result is a device whose BitLocker disk encryption does not meet the requirements the IT administrator defined in Intune, and because the algorithm setting only applies at first encryption, the policy cannot correct it afterwards.

(Image: bitlocker_blogpost.png)

Microsoft Intune recently made some UI changes to call out that these settings only apply at first encryption. To help improve this experience, we made some changes to the Windows Autopilot build process that enables Windows to consume the IT administrator’s MDM settings before automatic encryption is started.

From Windows 10 October 2018 Update, the BitLocker encryption algorithm can be changed during an Autopilot build. To achieve this, you need to configure the following:

  1. Configure the encryption method settings in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
  2. Target the encryption method policy to your Autopilot group of devices. This is required because the policy needs to be processed as a device-targeted policy, not a user-targeted policy.
  3. Enable the Autopilot Enrollment Status Page (ESP) for your users/devices. This is required because if the ESP is not enabled, the policy will not apply before encryption starts.

By meeting these three configuration requirements, your Autopilot configured devices will now honor the BitLocker encryption algorithm setting and will encrypt with your specified encryption algorithm.
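As an added verification step that is not part of the original post: a PowerShell script, run elevated on a device after Autopilot completes, that compares the encryption method actually used on the OS drive with the method the policy requested, so a device that auto-encrypted with XTS-AES 128-bit before the policy arrived shows up as a mismatch rather than a success. It assumes the Intune BitLocker policy is written to HKLM\SOFTWARE\Policies\Microsoft\FVE as EncryptionMethodWithXtsOs, that the BitLocker PowerShell module is present, and that the value-to-algorithm mapping below (taken from the BitLocker CSP / Group Policy settings) is current.

```powershell
# Added example (not from the original post): does the OS drive's BitLocker
# algorithm match what the Intune/MDM policy asked for?
# Assumptions: policy lands in HKLM\SOFTWARE\Policies\Microsoft\FVE as
# EncryptionMethodWithXtsOs; BitLocker module available; run elevated.

# Value mapping assumed from the BitLocker CSP / Group Policy definition of
# "Choose drive encryption method" for operating system drives.
$PolicyMethodNames = @{
    3 = 'Aes128'      # AES-CBC 128-bit
    4 = 'Aes256'      # AES-CBC 256-bit
    6 = 'XtsAes128'   # XTS-AES 128-bit (Windows 10 default)
    7 = 'XtsAes256'   # XTS-AES 256-bit
}

function Get-BitLockerOsPolicyMethod {
    # Returns the method name the policy requests for the OS drive,
    # or $null when no encryption-method policy has been applied yet.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name 'EncryptionMethodWithXtsOs' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $value = [int]$item.EncryptionMethodWithXtsOs
    if ($PolicyMethodNames.ContainsKey($value)) { return $PolicyMethodNames[$value] }
    return "Unknown($value)"
}

function Test-BitLockerOsDriveMatchesPolicy {
    # Compares the algorithm actually in use on the system volume with the
    # policy. A mismatch on an Autopilot-built device normally means the drive
    # auto-encrypted during OOBE before the policy was processed; since the
    # algorithm only applies at first encryption, the policy will not change it
    # on its own, and the drive has to be decrypted and re-encrypted.
    $os     = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $actual = [string]$os.EncryptionMethod     # e.g. XtsAes128, XtsAes256, None
    $wanted = Get-BitLockerOsPolicyMethod

    $result = if ($null -eq $wanted)                      { 'NoPolicyApplied' }
              elseif ($os.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
              elseif ($actual -eq $wanted)                   { 'Compliant' }
              else                                           { 'Mismatch' }

    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        VolumeStatus     = $os.VolumeStatus
        ProtectionStatus = $os.ProtectionStatus
        ActualMethod     = $actual
        PolicyMethod     = $wanted
        Result           = $result
    }
}

# Report for the system drive; pipe to Export-Csv to collect across devices.
Test-BitLockerOsDriveMatchesPolicy | Format-List
```

A result of Mismatch with ActualMethod XtsAes128 and PolicyMethod XtsAes256 is the exact race described in the post; NoPolicyApplied points at the targeting or ESP steps above not being in place.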

 

Let us know if you have any questions on this expanded feature set. 
