BitLocker- SCCM\MBAM - Some windows computers encrypting drives but not according to policy

Jeff Elliott 1 Reputation point
2020-11-04T21:32:39.227+00:00

Hello Everyone
We have deployed BitLocker to Windows 10 using SCCM 2006. The policy specifies that Windows 10 is to encrypt the entire drive using 256 AES. Several computers show that they encrypted "Used Space Only" using XTS-AES 128 encryption. Has anyone seen this before? Is there a way to get Windows 10 to encrypt according to the defined policy?
Thank you

Microsoft Configuration Manager

4 answers

  1. Simon Ren-MSFT 34,021 Reputation points Microsoft Vendor
    2020-11-05T03:20:55.263+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    May we know if you have configured the policies through the Local Group Policy Editor on the problematic computers or the Group Policy Management Console (GPMC) on your domain controllers? Please run gpresult to check whether something overwrote the policies.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Jason Sandys 31,291 Reputation points Microsoft Employee
    2020-11-05T15:58:14.803+00:00

    Are these newly deployed systems or existing systems?


  3. Jeff Elliott 1 Reputation point
    2020-11-05T16:10:53.337+00:00

    I will look into verifying that there are no group policy settings, as SimonRenMSFT-3639 suggested, even though I know that there are not, as our company has never before deployed BitLocker and I have previously worked on a project to consolidate redundant policies and settings. In regard to Jason-MSFT's question, these are systems that have existed over a year period. Due to Covid we have not been deploying systems recently.


  4. Jeff Elliott 1 Reputation point
    2020-11-06T15:56:13.703+00:00

    I have validated that there are no BitLocker group policy settings applied to our Windows 10 computers. I found two Windows 10 1909 computers that encrypted their drives using "Used space only" as opposed to encrypting the entire drive. These two endpoints had also encrypted the drives using XTS-AES 128. I decrypted the C: drive on each of these computers. When I checked back (I did not manually initiate the encryption process), they had encrypted the entire C: drives using AES 256. However, they are still not compliant, as the SCCM\MBAM policy specifies XTS-AES-256. Although it is possible that some of our users encrypted their computers on their own before we deployed the policy, it is unlikely, because there are too many of these to be coincidental.
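    The check described in this post, done per volume on an endpoint, as an added example that is not code from the thread or from SCCM/MBAM. It assumes the intended policy is XTS-AES-256 full-disk, reads the Win32_EncryptableVolume WMI class (run elevated, e.g. as an SCCM configuration item script), and maps the numeric EncryptionMethod and EncryptionFlags values from that class's documentation; because BitLocker fixes the cipher when encryption starts, a volume flagged here can only be brought into line by decrypting and re-encrypting, which is what the post above observed.

    ```powershell
    # Added compliance check (not from the thread). Policy assumed: XTS-AES-256, full disk.
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    # EncryptionMethod codes from Win32_EncryptableVolume.GetEncryptionMethod
    $methodNames = @{ 0 = 'None'; 1 = 'AES-128+Diffuser'; 2 = 'AES-256+Diffuser'; 3 = 'AES-128'
                      4 = 'AES-256'; 5 = 'Hardware'; 6 = 'XTS-AES-128'; 7 = 'XTS-AES-256' }
    $expectedMethod    = 7     # XTS_AES_256, the value the SCCM\MBAM policy requires
    $usedSpaceOnlyFlag = 0x1   # GetConversionStatus EncryptionFlags bit: "data only" = Used Space Only
    $fullyEncrypted    = 1     # GetConversionStatus ConversionStatus value for a finished volume

    function Test-BitLockerPolicy {
        param([string]$Namespace = $ns)
        $volumes = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume
        foreach ($v in $volumes) {
            $m = Invoke-CimMethod -InputObject $v -MethodName GetEncryptionMethod
            $c = Invoke-CimMethod -InputObject $v -MethodName GetConversionStatus
            $method        = [int]$m.EncryptionMethod
            $usedSpaceOnly = (([int]$c.EncryptionFlags) -band $usedSpaceOnlyFlag) -ne 0
            $reasons = @()
            if ($method -ne $expectedMethod) {
                $reasons += "method is $($methodNames[$method]), expected $($methodNames[$expectedMethod])"
            }
            if ($usedSpaceOnly) { $reasons += 'Used Space Only, not full disk' }
            if ([int]$c.ConversionStatus -ne $fullyEncrypted) {
                $reasons += "conversion status $($c.ConversionStatus) (1 = fully encrypted)"
            }
            [pscustomobject]@{
                Drive         = $v.DriveLetter
                Method        = $methodNames[$method]
                UsedSpaceOnly = $usedSpaceOnly
                Compliant     = ($reasons.Count -eq 0)
                Reason        = ($reasons -join '; ')
            }
        }
    }

    # Non-compliant volumes are the ones to decrypt and re-encrypt under the corrected policy.
    Test-BitLockerPolicy | Format-Table -AutoSize
    ```

    Returning `Compliant -eq $false` as the script's exit state lets SCCM's compliance settings report these drives instead of relying on the manual spot checks described above.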

