XTS-AES 256 vS AES256

Question

XTS-AES 256 vS AES256

Santhosh B S 126

Team,
we are moving from MBAM to Bitlocker MGMT policy. we have 2000 production win 10 laptops already MBAM encryption with AES 256 (GPO).
Need recommendation or best practice to move the Win10 machines to XTS-AES 256. Please help

0 comments

1 answer

Your answer

Answer 1

AliceYang-MSFT 2,111

Hi,

Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. So we need to decrypt laptops, change encryption method, then encrypt again.

If BitLocker MGMT policy means using Configuration Manager to deploy BitLocker, please see Deploy BitLocker management.

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Santhosh B S 126 Reputation points

2021-03-10T08:13:35.103+00:00

You mean to say, the machines which are already encrypted with AES 256 (MBAM - GPO), once they migrated to SCCM BitLocker policy that has XTS-AES 256, will those machines show as non compliant ?

So you recommend us to decrypt and encrypt the disk?
AliceYang-MSFT 2,111 Reputation points

2021-03-10T09:52:23.75+00:00

Hi,

I'd like to confirm that AES 256 is AES-CBC 256 and we are going to change it to XTS-AES 256.

I'm unfamiliar with SCCM but from BitLocker side if the drive is already encrypted, the encryption method won't be changed. I think the configured policy in SCCM couldn't take effect. Maybe machines will show as non-compliant.

I recommend that we migrate a few machines to SCCM. If the encryption method doesn't change as expected or there are other errors, we need to decrypt and encrypt with XTS-AES 256.

Share via

XTS-AES 256 vS AES256

1 answer

Your answer