Greg Lindsay b86583031d Merged PR 13811: Added bitlocker info to Autopilot
Added info about BitLocker encryption
2019-01-16 00:47:58 +00:00


---
title: Setting the BitLocker encryption algorithm for Autopilot devices
description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greg-lindsay
---

Setting the BitLocker encryption algorithm for Autopilot devices

With Windows Autopilot, you can configure the BitLocker encryption settings so that they are applied before automatic encryption starts. This ensures that the default encryption algorithm is not applied automatically when it is not the desired setting. Other BitLocker policies that must be in place before encryption begins can be delivered the same way, before automatic BitLocker encryption starts.

The BitLocker encryption algorithm is selected when BitLocker is first enabled on a volume and determines the cipher and key strength used for full volume encryption. The available algorithms are AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit and XTS-AES 256-bit. The default is XTS-AES 128-bit. See the BitLocker CSP for the recommended encryption algorithms to use.

An example of encryption settings is shown below.

[Screenshot: BitLocker encryption settings]

Note that the algorithm is fixed at the time a volume is encrypted: a device that has already been encrypted automatically will need to be decrypted, and then re-encrypted, before a different encryption algorithm takes effect.

To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:

  1. Configure the encryption method settings in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
  2. Assign the policy to your Autopilot device group.
    • IMPORTANT: The encryption policy must be assigned to the device group, not to users, so that it is delivered during device enrollment rather than after a user signs in.
  3. Enable the Autopilot Enrollment Status Page (ESP) for these devices. This is a critical step: the ESP holds the device until device policies have been applied, so without it the device can reach the desktop and start automatic encryption with the default algorithm before the policy has been applied.
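The following PowerShell script is an added example, not part of the original article or of Intune itself, for checking on an enrolled device whether the algorithm delivered by the policy in steps 1 to 3 is what each volume was actually encrypted with. It assumes that the Intune setting lands in the same registry location (`HKLM:\SOFTWARE\Policies\Microsoft\FVE`), under the same value names (`EncryptionMethodWithXtsOs`, `EncryptionMethodWithXtsFdv`) and with the same numeric values (3, 4, 6, 7) as the corresponding BitLocker CSP / Group Policy setting; the function names are the author's own.

```powershell
# Added example (not from the Autopilot docs): compare the BitLocker algorithm
# delivered by policy with the algorithm each volume is actually using.
# Run in an elevated PowerShell session on an enrolled device.
# Assumption: the Intune policy is written to the same registry key and
# values as the BitLocker CSP / Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Numeric values used by the BitLocker CSP EncryptionMethodByDriveType setting,
# mapped to the EncryptionMethod names reported by Get-BitLockerVolume.
$MethodByPolicyValue = @{
    3 = 'Aes128'     # AES-CBC 128-bit
    4 = 'Aes256'     # AES-CBC 256-bit
    6 = 'XtsAes128'  # XTS-AES 128-bit (the default when no policy applies)
    7 = 'XtsAes256'  # XTS-AES 256-bit
}

# Registry value that governs each VolumeType reported by Get-BitLockerVolume.
$PolicyValueByVolumeType = @{
    'OperatingSystem' = 'EncryptionMethodWithXtsOs'
    'Data'            = 'EncryptionMethodWithXtsFdv'   # assumed: fixed data drives
}

function Get-PolicyEncryptionMethod {
    # Returns the policy-mandated algorithm name for a volume type, or $null
    # when no policy value has been delivered for that type.
    param([string]$VolumeType)
    $valueName = $PolicyValueByVolumeType[$VolumeType]
    if (-not $valueName -or -not (Test-Path $PolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props.$valueName) { return $null }
    return $MethodByPolicyValue[[int]$props.$valueName]
}

function Test-BitLockerAlgorithmCompliance {
    # One result object per volume: the algorithm the policy asks for, the one
    # in use, and whether they agree.
    foreach ($vol in Get-BitLockerVolume) {
        $expected = Get-PolicyEncryptionMethod -VolumeType $vol.VolumeType
        $actual   = [string]$vol.EncryptionMethod
        $result = if (-not $expected)                              { 'NoPolicy' }
                  elseif ($vol.VolumeStatus -eq 'FullyDecrypted')  { 'NotEncrypted' }
                  elseif ($actual -eq $expected)                   { 'Compliant' }
                  else                                             { 'Mismatch' }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Policy     = $expected
            InUse      = $actual
            Result     = $result
        }
    }
}

$report = Test-BitLockerAlgorithmCompliance
$report | Format-Table -AutoSize

# 'Mismatch' means the volume was encrypted (typically with XtsAes128) before
# the policy arrived. The algorithm is fixed at encryption time, so the volume
# has to be decrypted and re-encrypted for the policy to take effect.
$report | Where-Object Result -eq 'Mismatch' | ForEach-Object {
    Write-Warning ("{0}: in use {1}, policy requires {2}. Decrypt and re-encrypt " +
                   "(for example manage-bde -off, then -on) to apply the policy." -f
                   $_.MountPoint, $_.InUse, $_.Policy)
}
```

A `NoPolicy` result on the OS volume after enrollment is the symptom to look for when the policy was assigned to a user group instead of the device group, or when the ESP was not enabled: the device encrypted with the default before any BitLocker policy reached it.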

Requirements

Windows 10, version 1809 or later.

See also

BitLocker overview