Enable 256-bit BitLocker Full Disk Encryption during Autopilot

There are many moving pieces that determine which BitLocker encryption method a device ends up using. Because of HSTI (Hardware Security Test Interface), most new devices have the capability to encrypt automatically once a user signs in during OOBE. By default, that automatic encryption uses 128-bit, used-space-only encryption, even for AADJ or Enterprise devices. While it is certainly a great security feature that ensures devices are encrypted by default, changing that encryption method to 256-bit full disk encryption can be a bit tricky if we have a rule requiring it. So in today’s post, we’ll be covering the settings I use to enable 256-bit full disk encryption on a Surface Go running Windows 11 during Autopilot.

Settings Catalog

Go to endpoint.microsoft.com > Devices > Configuration profiles > +Create profile to create a new Settings Catalog, or Edit an existing profile:

Configuration Profiles

Add in the Enforce drive encryption type on operating system drives setting, with Select the encryption type: (Device) set to Full encryption:

Settings catalog encryption setting

In your assignments, target the Settings Catalog profile to a devices group (for example, your Autopilot Dynamic Devices group):

Save that policy and we’re done with the settings catalog!

Endpoint Security – Disk Encryption

Go to endpoint.microsoft.com > Endpoint Security > Disk encryption > +Create policy to create a new disk encryption policy, or Edit an existing policy:

Disk encryption settings

Configure the following settings, which enable AES 256-bit XTS and support silent encryption for standard users during Autopilot:

Base settings
Fixed drive settings
OS drive settings
Removable drive settings

Perfect! And just like the settings catalog, this profile needs to be targeted to a devices group:

Assignments

And with that, we’re good to go!

End User Experience

During Autopilot, when a device hits the ESP (which is required for this to work), the Settings Catalog and Disk Encryption profiles will process during the Device setup portion:

Windows 11 ESP

This is crucial, because in Windows 10 1809 automatic encryption was delayed until after this step, meaning the device has the opportunity to consume the settings from MEM and apply the BitLocker encryption settings we want to use during Device setup.

When the device is finished with the rest of ESP, it may still be encrypting, depending on how many apps were installed and the size of the disk. Run manage-bde -status to check the status:

Full Encrypted – AES 256

Here we can confirm – it’s Fully Encrypted using XTS-AES 256! All without any user interaction, and during Autopilot. 🔐
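If you want the same check scripted (for example as a post-Autopilot validation or an Intune detection script), here is an added PowerShell example. It is not from the original post; it assumes an elevated session on the device, reads the policy values that the Intune profiles above land in HKLM:\SOFTWARE\Policies\Microsoft\FVE (the value names and numbers come from the BitLocker ADMX/CSP, not from the post), and then queries the OS volume with Get-BitLockerVolume:

```powershell
# Added example: confirm the BitLocker policy arrived and the OS drive is
# encrypted with XTS-AES 256. Exit code 0 = compliant, 1 = not (yet) compliant.
# Assumptions: run elevated on the device after ESP; value names/numbers
# below are from the BitLocker ADMX/CSP, not from the original post.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    EncryptionMethodWithXtsOs = 7   # 7 = XTS-AES 256 (6 would be XTS-AES 128)
    OSEncryptionType          = 1   # 1 = Full encryption (2 = Used Space Only)
}

# 1. Did the Settings Catalog / Disk encryption profiles actually apply?
$policyOk = $true
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        Write-Output "Policy mismatch: $name is '$actual', expected $($expected[$name])"
        $policyOk = $false
    }
}

# 2. What state is the OS volume really in? (same data manage-bde -status shows)
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ("{0} method={1} status={2} {3}% protection={4}" -f `
    $os.MountPoint, $os.EncryptionMethod, $os.VolumeStatus,
    $os.EncryptionPercentage, $os.ProtectionStatus)

$volumeOk = ($os.EncryptionMethod -eq 'XtsAes256') -and
            ($os.VolumeStatus    -eq 'FullyEncrypted') -and
            ($os.ProtectionStatus -eq 'On')

if ($policyOk -and $volumeOk) {
    Write-Output 'Compliant: XTS-AES 256, fully encrypted, protection on'
    exit 0
}
if ($os.VolumeStatus -eq 'EncryptionInProgress') {
    Write-Output 'Encryption still running; re-check after it completes'
}
exit 1
```

One caveat: VolumeStatus from Get-BitLockerVolume reports FullyEncrypted for both full and used-space-only volumes, so the OSEncryptionType policy check (and the Conversion Status line in manage-bde -status) is what actually tells you the full-disk part was honoured, while EncryptionMethod confirms the XTS-AES 256 part.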


1 Response

  1. Diego says:

    The experience has changed, and for me at least, now it’s less clear than ever... Did you plan to update the article?
