Nov 26 2018 08:10 AM
According to What's new in Windows 10 1809, the following functionality is available.
You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
BitLocker encryption with AES-256 is a security requirement for one of the organizations that I consult for, so I was interested in getting this to work.
Several months of experiments, a Microsoft Premier Support call and a Per Larson blog post later I have finally managed to get BitLocker policies to apply correctly during AutoPilot OOBE.
Here is the recipe that you need to get BitLocker CSP policy to apply on Windows 10 1809.
The following caveats apply:
I have attached the settings that I used to successfully encrypt devices but other settings may work.
The key setting is Encrypt Device: Not Configured. I started experimenting with the BitLocker settings in August using Insider Preview versions of Windows 10 1809, but my experiments were unsuccessful because I set the Encrypt Device setting to Required. It was only when I saw Per Larson's blog post that I realized that the BitLocker settings for AutoPilot devices need to be different from those for regular devices. Microsoft Support were unable to clarify why setting Encrypt Device to Required broke the policy.
One important consideration is that if you apply this policy to all devices, and some devices do not auto-encrypt, then you will have un-encrypted devices floating around. You can tackle this with a Compliance Policy, but the end users do not get a great user experience. I am handling un-encrypted devices with a combination of a deploy script that checks whether the device is encrypted and enables encryption manually if necessary, and a Compliance Policy.
Dec 01 2018 05:16 AM - edited Dec 01 2018 05:17 AM
The automatic BitLocker encryption under a standard user account doesn't seem to work for Windows 10 Pro. The AllowWarningForOtherDiskEncryption policy is not supported by Windows 10 Pro: https://docs.microsoft.com/nl-nl/windows/client-management/mdm/bitlocker-csp
(even though the AllowStandardUserEncryption is supported by Windows 10 Pro)
Dec 02 2018 11:56 PM
My testing was on Windows 10 Enterprise. In my experience Windows 10 Enterprise is a requirement for Intune-managed Windows 10 because key security settings are Enterprise edition only.
Have you tried applying the standard user encryption setting as a Custom policy?
Jan 03 2019 05:28 AM
With the "Windows 10 OOBE Status page" you mean the Enrollment Page?
Apr 10 2019 12:33 PM
@Andrew Matthews Is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256?
Apr 10 2019 12:45 PM
@AliGomaa Yes - but it's a custom PowerShell script.
You have to decrypt the drive then re-encrypt. A number of the blogs have posted sample scripts to resolve this problem.
FYI - I did a new deployment of BitLocker on Windows 1809 and the AES256 policy settings were respected during AutoPilot.
@AliGomaa wrote: @Andrew Matthews Is there a way to convert 1803 Win10 Pro/Ent computers from AES128 to AES256?
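As an added example (not a script from this thread, from Microsoft, or from any of the blogs mentioned), here is one way to write both the deploy-script check from the first post and the decrypt-then-re-encrypt conversion described in this reply, using the built-in BitLocker PowerShell module on Windows 10 1809 or later. The target cipher value, the 30-second polling interval, and an Azure AD-joined device are assumptions.

```powershell
# Added example, not from the thread. Ensure the OS volume ends up XTS-AES 256 encrypted
# with a TPM protector and a recovery password escrowed in Azure AD.
# Assumes: BitLocker module (Windows 10 1809+), elevated session, Azure AD-joined device.
$MountPoint = $env:SystemDrive
$Target     = 'XtsAes256'   # assumed target cipher; the policy value discussed in the thread

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Case 1: already encrypted (or encrypting) with the required method - report and stop.
if ($vol.EncryptionMethod -eq $Target -and $vol.VolumeStatus -in 'FullyEncrypted','EncryptionInProgress') {
    Write-Output "$MountPoint already uses $Target ($($vol.VolumeStatus))"
    return
}

# Case 2: encrypted with another method (e.g. XtsAes128 from an 1803 OOBE).
# BitLocker cannot change the cipher in place, so decrypt fully before re-encrypting.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is $($vol.EncryptionMethod); decrypting before re-encrypting"
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30      # assumed polling interval; decryption can take a long time
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
}

# Case 3: volume is unencrypted (auto-encryption never ran, or we just decrypted it).
# Encrypt with the TPM protector, then add a recovery password and back it up to Azure AD.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Target -TpmProtector `
    -UsedSpaceOnly -SkipHardwareTest | Out-Null
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

Write-Output "$MountPoint encryption started with $($vol.EncryptionMethod); recovery password backed up to Azure AD"
```

Run it as a device-context script (for example via Intune) so it executes with the elevated rights the BitLocker cmdlets need; on a device that is mid-decryption it should be allowed to finish rather than be interrupted.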
Apr 10 2019 03:12 PM
Sep 20 2019 12:54 AM
Hello,
Could someone confirm whether this is still the same with Windows 10 1903, i.e. that Encrypt Device should be Not Configured? It is very confusing to define the right BitLocker settings with Intune...