This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 80%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Team,
we are moving from MBAM to Bitlocker MGMT policy. we have 2000 production win 10 laptops already MBAM encryption with AES 256 (GPO).
Need recommendation or best practice to move the Win10 machines to XTS-AES 256. Please help
Hi,
Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. So we need to decrypt laptops, change encryption method, then encrypt again.
If BitLocker MGMT policy means using Configuration Manager to deploy BitLocker, please see Deploy BitLocker management.
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
You mean to say, the machines which are already encrypted with AES 256 (MBAM - GPO), once they migrated to SCCM BitLocker policy that has XTS-AES 256, will those machines show as non compliant ?
So you recommend us to decrypt and encrypt the disk?
Hi,
I'd like to confirm that AES 256 is AES-CBC 256 and we are going to change it to XTS-AES 256.
I'm unfamiliar with SCCM but from BitLocker side if the drive is already encrypted, the encryption method won't be changed. I think the configured policy in SCCM couldn't take effect. Maybe machines will show as non-compliant.
I recommend that we migrate a few machines to SCCM. If the encryption method doesn't change as expected or there are other errors, we need to decrypt and encrypt with XTS-AES 256.