Bitlocker Encryption with AutoPilot Deployment (Non SCCM, Cloud ECM only)


Hi we are leveraging a config profile to encrypt our computers after Autopilot Enrollment.
XTS-AES 256-bit, used space only. The issue that we are seeing is that some of our PCs encrypt with 128 only. They all have proper BIOS settings and compatible TPM modules. We wind up having to decrypt them and then let the config profile reapply the encryption, and it always goes to 256 after that. It is like something is kicking off default Windows encryption, which is 128. Is there something we should be looking for? We have a case with Microsoft, but they did not find anything.


Also, after encryption we have to run a separate script to check for encryption and then prompt the user to set their TPM PIN. Are there any plans to support this in a config profile in the future? We don't want to use Group Policy and MBAM... we moved away from that.

How is this BitLocker configuration profile applied to the devices? Specifically, is it assigned to a group that the devices fall into before provisioning or after?
I would also verify that all the devices' firmware is up to date. This Customer Success article may also be helpful in gathering additional data, especially if you open a support case, which is also recommended. https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-bitlocker...
It is currently applied to all users and then the devices through two dynamic groups, one dynamic query by ZTID and the other by Group Tag.
User targeting is not sufficient here although your dynamic device group targeting should be.
Do you have the device ESP enabled?
In addition to the article linked to above by Steve, have you reviewed https://techcommunity.microsoft.com/t5/intune-customer-success/setting-256-bit-encryption-for-bitloc...?
Thank you. I have read through this. The hardware, OS 21H2, firmware, TPM, and relevant BIOS settings are intact. We can decrypt the drive, then let the config profile kick in and it will encrypt properly. This mostly seems to happen when the device is pre-provisioned. We don't use any pre-provisioning packages.
How is the device registered in Autopilot and how long are you waiting after it is registered to begin the Autopilot process?
It is usually registered for a couple of days. The deployment profile is assigned through the dynamic groups and Group Tag. We wait for the profile to say assigned.

@Rheinrich21 they probably came already encrypted or auto-encrypted (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn... ) by themselves. BitLocker will not change encryption just by config. You need a script that decrypts and then encrypts with the correct config.
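The remediation the last reply describes (decrypt, then re-encrypt with the wanted method) and the follow-up step from the original post (verify encryption, then prompt the user for a TPM PIN) can be combined in one PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the OS volume, that the script runs elevated in a session where the user can answer the PIN prompt, that the Intune BitLocker policy permits a startup PIN (otherwise Add-BitLockerKeyProtector -TpmAndPinProtector is rejected), and that the recovery password is escrowed to Azure AD before the TPM-only protector is replaced. The state names, cmdlets and parameters are the standard ones from the Windows BitLocker module.

```powershell
# Added example: enforce XTS-AES 256 (used space only) on the OS drive and add a TPM+PIN protector.
# Assumptions (not from the thread): run elevated, in the full OS (not the ESP), with the user present
# for the PIN prompt; policy allows a startup PIN; recovery password escrow to Azure AD is wanted.
#Requires -RunAsAdministrator
$MountPoint = $env:SystemDrive
$Wanted     = 'XtsAes256'

# Poll until the volume reaches the requested VolumeStatus (FullyDecrypted / FullyEncrypted).
function Wait-BitLockerState {
    param([string]$Mount, [string]$Status, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $v = Get-BitLockerVolume -MountPoint $Mount
        if ($v.VolumeStatus -eq $Status) { return $v }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $Mount to reach $Status (now $($v.VolumeStatus), $($v.EncryptionPercentage)%)"
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Wrong cipher (e.g. XtsAes128 left over from automatic device encryption): BitLocker cannot
#    switch the method in place, so fully decrypt first and re-encrypt afterwards.
if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -ne $Wanted) {
    Write-Output "Found $($vol.EncryptionMethod) on $MountPoint; decrypting to re-encrypt as $Wanted"
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Wait-BitLockerState -Mount $MountPoint -Status 'FullyDecrypted'
}

# 2. Encrypt with the wanted method. TPM-only at this stage so the device keeps booting unattended
#    while encryption runs; the PIN is layered on once the volume is fully encrypted.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Wanted -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null
    $vol = Wait-BitLockerState -Mount $MountPoint -Status 'FullyEncrypted'
}

# 3. Make sure a recovery password exists and is escrowed before the TPM protector is touched;
#    replacing the TPM protector without an escrowed recovery key risks a locked-out device.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Prompt for a startup PIN and add the TPM+PIN protector. Windows applies the policy's PIN length
#    and complexity rules itself and fails the call if policy does not allow a PIN.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    $pin = Read-Host -AsSecureString -Prompt 'Enter a BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Only one TPM-based protector should remain; if a bare TPM protector survived next to the
    # new TpmPin protector, remove it so the PIN is actually required at boot.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    }
}

# Final state: expect VolumeStatus FullyEncrypted, EncryptionMethod XtsAes256, protectors RecoveryPassword,TpmPin.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Two practical notes. A decrypt-and-re-encrypt of a used-space-only volume is quick on a freshly provisioned device but still takes minutes, so run this as a scheduled or remediation script after the ESP rather than during it, and gate it on `EncryptionMethod` so devices that already came up as XtsAes256 are left alone. If the Intune policy sets "Compatible TPM startup PIN" to Required, the same policy also blocks the TPM-only protector in step 2, so in that case encrypt with `-TpmAndPinProtector` directly and skip the separate PIN step.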