SanthoshBasavarajappa-0776 asked

XTS-AES 256 vs AES 256

Team,
We are moving from MBAM to BitLocker MGMT policy. We have 2000 production Win 10 laptops already encrypted by MBAM with AES 256 (GPO).
We need a recommendation or best practice to move the Win10 machines to XTS-AES 256. Please help.

windows-10-security

1 Answer

AliceYang-MSFT answered

Hi,

Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. So we need to decrypt laptops, change encryption method, then encrypt again.

If BitLocker MGMT policy means using Configuration Manager to deploy BitLocker, please see Deploy BitLocker management.



You mean to say, the machines which are already encrypted with AES 256 (MBAM - GPO), once they are migrated to the SCCM BitLocker policy that has XTS-AES 256, will those machines show as non-compliant?

So you recommend that we decrypt and encrypt the disk?
AliceYang-MSFT SanthoshBasavarajappa-0776 ·

Hi,

I'd like to confirm that AES 256 is AES-CBC 256 and we are going to change it to XTS-AES 256.

I'm unfamiliar with SCCM, but from the BitLocker side, if the drive is already encrypted, the encryption method won't be changed. I think the configured policy in SCCM couldn't take effect. Maybe machines will show as non-compliant.

I recommend that we migrate a few machines to SCCM. If the encryption method doesn't change as expected or there are other errors, we need to decrypt and encrypt with XTS-AES 256.

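The decrypt, change method, re-encrypt sequence described in the answer, as an added PowerShell example that is not part of the original thread. It assumes a TPM-only protector on the OS drive and that the applied policy already targets XTS-AES 256; the function names `Get-OsVolumeMethod` and `Convert-OsVolumeToXtsAes256` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes TPM-only protection on the OS drive.

function Get-OsVolumeMethod {
    # Report the cipher actually on disk; a policy change alone does not alter it.
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $v.VolumeStatus
        Method    = $v.EncryptionMethod
        NeedsWork = ($v.VolumeStatus -ne 'FullyDecrypted' -and
                     $v.EncryptionMethod -ne 'XtsAes256')
    }
}

function Convert-OsVolumeToXtsAes256 {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$PollSeconds = 60)

    $mp = $env:SystemDrive
    $v  = Get-BitLockerVolume -MountPoint $mp
    if ($v.EncryptionMethod -eq 'XtsAes256') { return Get-OsVolumeMethod }
    if ($v.VolumeStatus -in 'EncryptionInProgress', 'DecryptionInProgress') {
        throw "Conversion already running on $mp ($($v.VolumeStatus)); retry later."
    }
    if (-not $PSCmdlet.ShouldProcess($mp, 'Decrypt and re-encrypt with XTS-AES 256')) { return }

    # Step 1: decrypt. Data on the volume is unprotected until re-encryption completes,
    # and the existing key protectors (and their escrowed recovery keys) are discarded.
    if ($v.VolumeStatus -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint $mp | Out-Null
        while ((Get-BitLockerVolume -MountPoint $mp).VolumeStatus -ne 'FullyDecrypted') {
            Start-Sleep -Seconds $PollSeconds
        }
    }

    # Steps 2 and 3: re-encrypt with the new method stated explicitly.
    Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null

    # A new recovery password is generated here; it has to be escrowed again
    # by whatever management tool owns recovery keys.
    Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    Get-OsVolumeMethod
}
```

Run `Get-OsVolumeMethod` across a pilot group first to see which machines report `Aes256`, and use `Convert-OsVolumeToXtsAes256 -WhatIf` to preview the change on a single device.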