Merged PR 13833: Update bitlocker / Autopilot info

Some edits and additions
2025-06-16 10:53:43 +00:00 · 2019-01-17 18:29:44 +00:00
parent 13f3f89c03
commit f92bbff5ee
3 changed files with 17 additions and 12 deletions
--- a/windows/deployment/windows-autopilot/bitlocker.md
+++ b/windows/deployment/windows-autopilot/bitlocker.md
@ -18,23 +18,28 @@ With Windows Autopilot, you can configure the BitLocker encryption settings to b

 The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.

-An example of encryption settings is shown below.
-
-   ![BitLocker encryption settings](images/bitlocker-encryption.png)
-
-Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
-
 To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:

 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 
    - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is a critical step because if the ESP is not enabled, the policy will not apply when the device boots.
- 
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
+    - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+An example of Microsoft Intune Windows Encryption settings is shown below.
+
+   ![BitLocker encryption settings](images/bitlocker-encryption.png)
+
+Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
+
+The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
+
+Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
+
 ## Requirements

 Windows 10, version 1809 or later.

 ## See also

-[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
+[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
--- a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png
+++ b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png