Standardize BitLocker encryption method.
Question
Hi Experts,
We are using classic MBAM and we want to move to an SCCM-based BitLocker solution, but before doing those steps we need to standardize the encryption method on all machines to XTS-AES-256-bit.
Currently, machines in our environment have different encryption methods.
Can anyone guide me through the steps for standardizing the encryption method to XTS-AES-256-bit on all machines?
Do we need to stop the encryption on all machines and change the registry to 7? But until the machines get the new policy, we are keeping machines decrypted…
Answers (3)
Are you trying to move away from a non-Microsoft encryption product to Microsoft’s product? Or are you planning to do this within Microsoft products like MBAM itself?
I don’t know how this is handled in SCCM integrated MBAM … have you tried to deploy the new policy to one of the test devices?
As per the documentation I read … there is no straightforward way to do this apart from going through:
Decryption
Encryption method again
https://www.howtogeek.com/193649/how-to-make-bitlocker-use-256-bit-aes-encryption-instead-of-128-bit-aes/
If you are looking for a scripted method, you can try that using https://garytown.com/enable-bitlocker-xts-256-during-osd-w-mbam-2-5-sp1
Yes, I reviewed that; with that URL only, I created a plan to upgrade MBAM to SCCM client.
But the recommended ways to change the encryption method are not mentioned, nor what preventive measures we need to take while changing encryption on existing production measures.
Have you checked the comprehensive guide from Windows-Noob?
It might surely help you!
https://www.windows-noob.com/forums/topic/16726-on-premises-bitlocker-management-using-system-center-configuration-manager/
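A read-only audit for the inventory step behind the question (which machines already use XTS-AES 256 and which would need the decrypt and re-encrypt cycle mentioned in the answers), added here as an example and not code from any poster or from the linked guides. It assumes the "registry to 7" in the question refers to the BitLocker Group Policy values under `HKLM\SOFTWARE\Policies\Microsoft\FVE`; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: reports state only, changes neither policy nor volumes.

$TargetMethod = 'XtsAes256'   # name as reported by Get-BitLockerVolume
# Assumption: the policy values the question means (7 = XTS-AES 256-bit)
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = 'EncryptionMethodWithXtsOs',
                'EncryptionMethodWithXtsFdv',
                'EncryptionMethodWithXtsRdv'

function Get-FvePolicyState {
    # One row per drive class: is the policy already asking for XTS-AES 256?
    foreach ($name in $PolicyValues) {
        $item  = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { $null }   # $null = not configured
        [pscustomobject]@{
            Setting  = $name
            Value    = $value
            IsXts256 = ($value -eq 7)
        }
    }
}

function Get-VolumeEncryptionState {
    # One row per volume with the step it would need to reach the target method.
    foreach ($vol in Get-BitLockerVolume) {
        $status = "$($vol.VolumeStatus)"
        $method = "$($vol.EncryptionMethod)"
        if ($status -in 'EncryptionInProgress', 'DecryptionInProgress') {
            $action = 'Wait: conversion in progress'
        } elseif ($status -eq 'FullyDecrypted') {
            $action = 'Encrypt with target method'
        } elseif ($method -eq $TargetMethod) {
            $action = 'None'
        } else {
            # The method cannot be switched on an encrypted volume in place
            $action = 'Decrypt, then re-encrypt with target method'
        }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $vol.MountPoint
            VolumeType = "$($vol.VolumeType)"
            Status     = $status
            Method     = $method
            Protection = "$($vol.ProtectionStatus)"
            Action     = $action
        }
    }
}

Get-FvePolicyState        | Format-Table -AutoSize
Get-VolumeEncryptionState | Format-Table -AutoSize
```

Rows whose `Action` is "Decrypt, then re-encrypt" are the machines that would be unprotected during the transition, so the count gives the size of that exposure window before any policy is changed.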