Merged PR 13833: Update bitlocker / Autopilot info

Some edits and additions
2025-05-28 13:17:23 +00:00 · 2019-01-17 18:29:44 +00:00 · 2019-01-17 18:29:44 +00:00 · f92bbff5ee
commit f92bbff5ee
parent 13f3f89c03
3 changed files with 17 additions and 12 deletions
--- a/windows/deployment/windows-autopilot/bitlocker.md
+++ b/windows/deployment/windows-autopilot/bitlocker.md
@ -18,23 +18,28 @@ With Windows Autopilot, you can configure the BitLocker encryption settings to b

 The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.

-An example of encryption settings is shown below.
-
-   ![BitLocker encryption settings](images/bitlocker-encryption.png)
-
-Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
-
 To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:

 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 
    - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is a critical step because if the ESP is not enabled, the policy will not apply when the device boots.
- 
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
+    - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+An example of Microsoft Intune Windows Encryption settings is shown below.
+
+   ![BitLocker encryption settings](images/bitlocker-encryption.png)
+
+Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
+
+The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
+
+Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
+
 ## Requirements

 Windows 10, version 1809 or later.

 ## See also

-[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
+[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
--- a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png
+++ b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@ -65,7 +65,7 @@ This feature will soon be enabled on Olympia Corp as an optional feature.

 ####  Delivering BitLocker policy to AutoPilot devices during OOBE 

-You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. 
+You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. 

 For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.

@ -74,8 +74,8 @@ To achieve this:
 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 
    - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-1. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is also important because if the ESP is not enabled, the policy will not apply when the device boots.
-
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
+    - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.

 ### Windows Defender Application Guard Improvements