This drove me nuts, as I used the exact same Task Sequence at another customer site and it encrypted spot on. But for some reason, despite setting all the correct registry settings, the script failed to encrypt at XTS-AES-256.
After a bit of digging I found the culprit. There are two variations of the “invoke-mbamclientdeployment.ps1” script, both with the exact same version number (2.5.1)!! One variation is only capable of encrypting up to AES256 encryption.
So be wary of which PS script you are running, and make sure it supports XTS-AES-256 within the script: it must have “XTSAES256=7” in the -encryptionmethod section.
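One way to run that check before the task sequence uses the script, and to confirm the result afterwards. This is an added example, not part of the original post or of the MBAM script; the function names and the script path are assumptions.

```powershell
# Added example. Function names and the sample path are hypothetical.
function Test-MbamScriptSupportsXts256 {
    param([Parameter(Mandatory)] [string] $ScriptPath)

    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }
    # Both variants report version 2.5.1, so record a hash to tell copies apart.
    $hash = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
    # The capable variant contains XTSAES256=7 in its encryption method list.
    # Select-String is case-insensitive by default; whitespace around '=' is tolerated.
    $hit = Select-String -LiteralPath $ScriptPath -Pattern 'XTSAES256\s*=\s*7' |
        Select-Object -First 1

    [pscustomobject]@{
        Path              = $ScriptPath
        SHA256            = $hash
        SupportsXtsAes256 = [bool]$hit
        MatchLine         = if ($hit) { $hit.LineNumber } else { $null }
    }
}

function Test-VolumeIsXts256 {
    param([string] $MountPoint = $env:SystemDrive)
    # Run after encryption has started: reports the method actually applied.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    return ("$($vol.EncryptionMethod)" -eq 'XtsAes256')
}

# Pre-flight step: fail early if the wrong variant is in the package.
$result = Test-MbamScriptSupportsXts256 -ScriptPath '.\Invoke-MbamClientDeployment.ps1'
$result | Format-List
if (-not $result.SupportsXtsAes256) {
    Write-Error 'This copy of the script cannot request XTS-AES-256.'
    exit 1
}
```

Logging the SHA256 of the copy in each deployment package makes it easy to see which sites carry which variant, since the version number alone does not distinguish them.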