When you Azure AD join a Windows 10 device that supports the Hardware Security Test Interface (HSTI), also known as InstantGo, the device is automatically BitLocker encrypted with XTS-AES 128.
With Windows 10 1809 you can choose which encryption algorithm is used when automatic BitLocker encryption is applied to capable devices. The encryption algorithm (and other BitLocker policies that must be applied prior to encryption) can be delivered through the Autopilot service and Microsoft Intune before automatic BitLocker encryption begins, so you can, for example, use XTS-AES 256.
Prerequisites:
- The device is registered in the Windows Autopilot service and assigned an Autopilot profile
- HSTI device
- AzureAD P1 license
- Microsoft Intune license
- Intune enrollment status page
How to configure it:
First, open the Microsoft 365 Device Management portal
Create a device configuration profile
- Click Device Configuration
- Click Profiles
- Click Create profile
- Enter a Name : Autopilot Bitlocker profile
- Select platform : Windows 10 and later
- Select Profile type : Endpoint protection
- Select : Configure and Windows Encryption
- Set Configure encryption methods : Enable
- Set Encryption for operating system drives : XTS-AES 256-bit
- Set Encryption for fixed data-drives : XTS-AES 256-bit
- Set Encryption for removable data-drives : XTS-AES 256-bit
Then you just need to assign it to the Autopilot device group you want to target with the new BitLocker encryption methods.
Check out my earlier blogpost on Autopilot groups
What it looks like from the device side
When you run the “manage-bde -status” command after the device has been enrolled into Azure AD with Autopilot, you can see that the BitLocker Encryption Method is XTS-AES 256.
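As an added example that is not code from the original post, the following PowerShell script verifies the outcome on an enrolled device: it reads the encryption-method values the profile wrote to the BitLocker policy key (assumed to be HKLM\SOFTWARE\Policies\Microsoft\FVE, where the BitLocker CSP places them) and compares them with what Get-BitLockerVolume reports for each drive. It flags the two failure modes practitioners run into: a drive already encrypted with XTS-AES 128 because automatic encryption started before the policy arrived, and a drive that never started encrypting.

```powershell
# Added example, not from the original post: check from the device side that
# every BitLocker volume uses the encryption method the Intune profile asked for.
# Assumes the profile was written to the standard BitLocker policy key
# HKLM\SOFTWARE\Policies\Microsoft\FVE. Run in an elevated PowerShell session.

# Policy DWORD -> Get-BitLockerVolume EncryptionMethod name
$methodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

function Get-ExpectedMethod([string]$ValueName) {
    # $null when the value is absent, i.e. the policy never reached the device
    if ($null -eq $policy -or $null -eq $policy.$ValueName) { return $null }
    return $methodNames[[int]$policy.$ValueName]
}

# One expected method per drive class, matching the three profile settings
$expected = @{
    OS        = Get-ExpectedMethod 'EncryptionMethodWithXtsOs'
    Fixed     = Get-ExpectedMethod 'EncryptionMethodWithXtsFdv'
    Removable = Get-ExpectedMethod 'EncryptionMethodWithXtsRdv'
}

$problems = 0
foreach ($vol in Get-BitLockerVolume) {
    # Classify the volume the way the policy does (OS / fixed data / removable data)
    $class = 'Fixed'
    $letter = $vol.MountPoint.TrimEnd(':')
    if ($vol.VolumeType -eq 'OperatingSystem') { $class = 'OS' }
    elseif ($letter.Length -eq 1 -and (Get-Volume -DriveLetter $letter).DriveType -eq 'Removable') { $class = 'Removable' }

    $want = $expected[$class]
    $have = [string]$vol.EncryptionMethod

    if ($null -eq $want) {
        Write-Warning "$($vol.MountPoint): no encryption-method policy for $class drives on this device"
        $problems++
    } elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$($vol.MountPoint): not encrypted (policy would use $want)"
        $problems++
    } elseif ($have -ne $want) {
        # Typical cause: automatic encryption ran before the profile arrived,
        # so the drive was encrypted with the default XTS-AES 128
        Write-Warning "$($vol.MountPoint): encrypted with $have, policy wants $want"
        $problems++
    } else {
        Write-Output "$($vol.MountPoint): OK ($have, $($vol.VolumeStatus))"
    }
}
exit $problems
```

A non-zero exit code means at least one drive does not match the profile; a drive already encrypted with the wrong method has to be decrypted and re-encrypted, since BitLocker does not change the algorithm in place.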
Happy testing 🙂
Read more:
What’s new in Windows 10, version 1809 for IT Pros
One more requirement: you have to enable the enrollment status page, to ensure that the BitLocker policy is processed before the end of machine OOBE when the encryption is started. (Sorry if this is a duplicate, WordPress didn’t appear to cooperate the first time.)
Thanks Michael – In my opinion the Intune status page must always be there when using Autopilot
Is there a rough edge since BL is also moved to “Endpoint protection”? The ESP seems to NOT recognize this kind of policy. This could result in starting encryption before the policy is applied.
It could be a reason for the last comments here?!
This works as expected, tx for the information! However, on a non-HSTI device, BitLocker won’t start encrypting on Windows 1809. I’m not sure why, when we apply the same profiles and settings on a Windows 1803 device (non-HSTI), BitLocker starts encrypting when the device is Windows Autopilot enrolled. Do you have any idea what could be the cause of this behavior?
Have a look at Oliver’s post:
https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/
Great Post. I’ve been trying to get this working since the summer. Your hint about the Encrypt device setting solved my BitLocker AES 256 issues.
Is it possible to get Intune to encrypt as part of the white glove provisioning?
So far my testing has shown the device is still encrypting when the user logs in.
I have ESP enabled but still default encrypted as 128
Same error here. With physical devices I get 128-bit and with a virtual machine it works fine 256-bit. Windows 10 1903 and Windows 10 1909.