When you are AzureAD joining a Windows 10 device that are Hardware Security Test Interface (HSTI) also known a InstanceGo the device will automatic be Bitlocker encrypted with XTS-AES 128

Autopilot - bitlocker - 128

With Windows 10 1809 you can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins with the Autopilot service and Microsoft Intune so you for example can use XTS-AES 256.


  • The device in the Windows Autopilot service and assigned a Autopilot profile
  • HSTI device
  • AzureAD P1 license
  • Microsoft Intune license
  • Intune status enrollment page

How to configure it:

First start the Microsoft 365 Device Management portal

Create a device configuration profile

  1. Click Device Configuration
  2. Click Profiles
  3. Click Create profile

Autopilot - bitlocker - 256 - 01

  1. Enter a Name : Autopilot Bitlocker profil
  2. Select platform : Windows 10 and later
  3. Select Profile type : Endpoint protection
  4. Select : Configure and Windows Encryption
  5. Set Configure encryption methods : Enable
  6. Set Encryption for operating system drives : XTS-AES 256-bit
  7. Set Encryption for fixed data-drives : XTS-AES 256-bit
  8. Set Encryption for removable data-drives : XTS-AES 256-bit

Autopilot - bitlocker - 256 - 02

Then you just need to assigned it to your Autopilot device group you want to target with the new BitLocker encryption methods

Autopilot - bitlocker - 256 - Assignment01 Check out my earlier blogpost on Autopilot groups

How does it look like from the device side

When you are running the “manage-bde -status” command you can see that after the device is enrolled into AzureAD with Autopilot the BitLocker Encryption Method is XTS-AES 256

Bitlocker 256 bit

Happy testing 🙂

Read more:
What’s new in Windows 10, version 1809 for IT Pros