I am building Surface Pro 4 machines for a business. Load the corporate image of Windows 10 Enterprise on the SP4. Image loads fine. Operating System looks fine. Run Windows Update. Updates install and system looks stable. Run "manage-bde -status" at a Command Prompt and it says "Used Space Only Encrypted" and "AES 128". This is before I add the machine to the domain. They are deploying Bitlocker to their machines with Active Directory Group Policy and MBAM. Their requirement for Bitlocker is 256 AES which is set with the Group Policy which works fine with all hardware except the Surface Pro. I understand that somehow encryption is enabled in the hardware. However the service desk has to decrypt every Surface Pro, add it to the domain, and then force the machine to encrypt to 256 AES which is their default. How can I turn off the default Bitlocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Thank you.