Setting 256-bit encryption for BitLocker during Autopilot with the Windows 10 October 2018 Update
Published Jan 22 2019 09:20 AM

By Matt Shadbolt | Intune Sr. Program Manager

Microsoft Intune provides a comprehensive set of configuration options for managing BitLocker on Windows 10 devices running the October 2018 Update.

One such setting allows the IT administrator to choose the BitLocker encryption algorithm. This algorithm is selected when BitLocker is first enabled and determines the strength of the full volume encryption. The IT administrator can set it to AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit.

By default, Windows 10 will encrypt a drive with XTS-AES 128-bit encryption. Encryption can be enabled on unencrypted Windows 10 PCs using MDM policy, such as when the device becomes Azure AD Joined (AADJ).

When a Windows 10 device runs through the Out Of Box Experience (OOBE) and an AADJ occurs during OOBE, BitLocker may be automatically enabled on modern hardware with the default XTS-AES 128-bit encryption algorithm before the Intune MDM policy is processed and the IT administrator's configuration is applied.

The result is that the BitLocker disk encryption does not meet the requirements the IT administrator defined in Intune, because the encryption method can only be chosen at first encryption.

[Image: bitlocker_blogpost.png]

Microsoft Intune recently made some UI changes to call out that these settings only apply at first encryption. To improve this experience further, we made changes to the Windows Autopilot build process that enable Windows to consume the IT administrator's MDM settings before automatic encryption starts.

Starting with the Windows 10 October 2018 Update, the BitLocker encryption algorithm can be changed during an Autopilot build. To achieve this, you need to configure the following:

  1. Configure the encryption method settings in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
  2. Target the encryption method policy to your Autopilot group of devices. This is required because the policy must be processed as a device-targeted policy, not a user-targeted policy.
  3. Enable the Autopilot Enrollment Status Page (ESP) for your users/devices. This is required because without the ESP the policy will not be applied before encryption starts.

By meeting these three configuration requirements, your Autopilot configured devices will now honor the BitLocker encryption algorithm setting and will encrypt with your specified encryption algorithm.
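Because the encryption method is fixed at first encryption, the practical check after an Autopilot build is whether the OS drive actually ended up with the method you configured, and if not, whether the policy ever reached the device. The script below is an added example written for this post, not Microsoft's or Intune's own code. It assumes an elevated PowerShell session on Windows 10 October 2018 Update or later with the built-in BitLocker module, and it reads the policy value BitLocker writes under HKLM:\SOFTWARE\Policies\Microsoft\FVE (EncryptionMethodWithXtsOs), whose numeric codes match the EncryptionMethodByDriveType node of the BitLocker CSP.

```powershell
# Added verification script (not from the original post). Assumes Windows 10
# 1809+ with the BitLocker PowerShell module, run from an elevated session.

param(
    # The method configured in the Intune Endpoint Protection profile.
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$ExpectedMethod = 'XtsAes256'
)

# Numeric codes used by BitLocker policy (GPO and the BitLocker CSP
# EncryptionMethodByDriveType node) for the EncryptionMethodWithXts* values.
$PolicyCodes = @{
    3 = 'Aes128'     # AES-CBC 128-bit
    4 = 'Aes256'     # AES-CBC 256-bit
    6 = 'XtsAes128'  # XTS-AES 128-bit (Windows 10 default)
    7 = 'XtsAes256'  # XTS-AES 256-bit
}

function Get-BitLockerPolicyMethod {
    # Returns the OS-drive encryption method that MDM/GPO policy delivered to
    # this device, or $null if no policy value has been written yet.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $key -Name 'EncryptionMethodWithXtsOs' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $PolicyCodes[[int]$props.EncryptionMethodWithXtsOs]
}

function Test-OsDriveEncryptionMethod {
    param([string]$Expected)

    # Get-BitLockerVolume exposes the method the drive was actually encrypted
    # with (None, Aes128, Aes256, XtsAes128, XtsAes256, ...).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $actual = [string]$vol.EncryptionMethod

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        VolumeStatus   = [string]$vol.VolumeStatus
        ActualMethod   = $actual
        PolicyMethod   = Get-BitLockerPolicyMethod
        ExpectedMethod = $Expected
        Compliant      = ($actual -eq $Expected)
    }
}

$result = Test-OsDriveEncryptionMethod -Expected $ExpectedMethod
$result | Format-List

if (-not $result.Compliant) {
    if ($result.ActualMethod -eq 'None') {
        Write-Warning "OS drive is not encrypted yet; the configured method will apply when encryption starts."
    }
    elseif ($null -eq $result.PolicyMethod) {
        # Typical cause: profile targeted to users instead of the Autopilot
        # device group, or the Enrollment Status Page was not enabled.
        Write-Warning "No BitLocker encryption-method policy found in HKLM\SOFTWARE\Policies\Microsoft\FVE; check device targeting of the profile and that ESP is enabled."
    }
    else {
        # The drive was encrypted before policy was processed; the setting only
        # applies at first encryption, so the drive must be decrypted and
        # re-encrypted for the configured method to take effect.
        Write-Warning "OS drive was encrypted with $($result.ActualMethod) but policy now specifies $($result.PolicyMethod); re-encryption is required to change the method."
    }
}
```

Run it as `.\Test-BitLockerMethod.ps1 -ExpectedMethod XtsAes256` (the file name is an assumption) on a freshly provisioned device. A `Compliant` value of `True` confirms the three requirements above were met; the three warning branches distinguish a drive that has not started encrypting, a policy that never arrived (targeting or ESP problem), and a drive that encrypted before policy was processed.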

Let us know if you have any questions on this expanded feature set.

Last update: Dec 19 2023 01:20 PM