How to decrypt and reencrypt bitlocker on AAD machines

Redistro 186 Reputation points
2023-04-30T17:49:09.6666667+00:00

Machines in our environment have the basic BitLocker encryption which is auto turned on when you sign in with a work/school account. I am in the process of pushing the disk encryption policy from Intune (Endpoint security -> Disk encryption -> Create Policy) and when deployed to test workstations that were already encrypted, it throws an error because the policy is not the same.

To resolve this, I have to decrypt the machines and then re-encrypt with the new policy. What is the best way to go about this?


Accepted answer
  1. Crystal-MSFT 45,251 Reputation points Microsoft Vendor
    2023-05-01T02:59:23.15+00:00

    @Redistro, thanks for posting in Q&A. From your description, it seems the device turned on BitLocker when you signed in with your work account. Please check if another BitLocker policy has been assigned to the user or device group. If yes, unassign the previous policy.

    Then try to decrypt BitLocker Drive via one of the methods in the following link:

    https://www.easyuefi.com/bitlocker-anywhere/resource/how-to-decrypt-bitlocker-encrypted-drive.html#:~:text=Decrypt%20BitLocker%20Drive%201%20Run%20Windows%20PowerShell%20as,to%20wait%20and%20don%E2%80%99t%20interrupt%20it.%20See%20More.

    Note: Non-Microsoft link, just for the reference.

    After that, apply the new BitLocker policy to the user or device group to make it work.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. risolis 8,701 Reputation points
    2023-04-30T23:45:53.3266667+00:00
    Hello @Redistro

    Thank you for posting this concern on this community.

    I would like to know if you have checked the following important note down below:

    [image attached to the original answer]

    Looking forward to hearing from you

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-01T13:54:08.76+00:00

    Hello @Redistro !

    Welcome to Microsoft QnA !

    To implement the new disk encryption policy on machines that are already encrypted with basic BitLocker encryption, you will need to decrypt the machines and then re-encrypt them with the new policy. Here are the steps you can follow:

    Backup the data on the encrypted machines: Before you begin, it's important to backup any important data on the encrypted machines, as decrypting and re-encrypting the disks will wipe all data on the disks.
    
    Decrypt the disks: To decrypt the disks, you can use the Disable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to decrypt:
    
    ```powershell
    Disable-BitLocker -MountPoint C:
    ```

    Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to decrypt.

    Apply the new disk encryption policy: After the disks have been decrypted, you can apply the new disk encryption policy by pushing it from Intune or any other device management tool you are using.

    Re-encrypt the disks: To re-encrypt the disks, you can use the Enable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to re-encrypt:

    ```powershell
    Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector -UsedSpaceOnly
    ```

    Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to re-encrypt. The -RecoveryPasswordProtector parameter specifies that the BitLocker recovery password should be used to unlock the disk, and the -UsedSpaceOnly parameter specifies that only used disk space should be encrypted to reduce the time required for encryption.

    Verify the new encryption: After the disks have been re-encrypted, you can verify that the new encryption policy has been applied by checking the BitLocker settings on each machine.

    Kindly mark this answer as Accepted in case it helped, or post your feedback!

    Regards

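As an added example (not code from the thread or from any of the posters), the script below sequences the decrypt / re-encrypt steps from the answers above so that the pitfalls a practitioner hits are handled: Disable-BitLocker only starts decryption, so the volume must reach FullyDecrypted before Enable-BitLocker is run; Enable-BitLocker takes one protector type per call, so the recovery password is added with Add-BitLockerKeyProtector first; and the recovery password is escrowed to Azure AD before the machine is rebooted. Assumptions: the system volume is C:, the device is Azure AD joined, and the Intune policy specifies XTS-AES 256 (change $EncryptionMethod to whatever the policy sets, otherwise the policy mismatch reappears).

```powershell
# Added example, not from the thread. Run elevated on the test workstation.
# Assumptions: C: is the system volume, device is Azure AD joined, and the
# Intune policy's cipher is XTS-AES 256 (adjust to match your policy).
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = "C:",
    [ValidateSet("XtsAes128", "XtsAes256", "Aes128", "Aes256")]
    [string]$EncryptionMethod = "XtsAes256"   # assumption: must match the Intune policy
)

# Poll Get-BitLockerVolume until the volume reaches the expected status.
function Wait-BitLockerVolumeStatus {
    param([string]$MountPoint, [string]$Expected, [int]$PollSeconds = 30)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -ne $Expected) { Start-Sleep -Seconds $PollSeconds }
    } while ($vol.VolumeStatus -ne $Expected)
    return $vol
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Step 1: decrypt. Disable-BitLocker only starts decryption; Enable-BitLocker
# refuses a volume that is still DecryptionInProgress, so wait for FullyDecrypted.
if ($vol.VolumeStatus -ne "FullyDecrypted") {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    Wait-BitLockerVolumeStatus -MountPoint $MountPoint -Expected "FullyDecrypted" | Out-Null
}

# Step 2: add the recovery password first (one protector type per Enable call),
# then enable with the TPM protector and the cipher the policy expects.
# -SkipHardwareTest starts encryption without the reboot-based TPM check.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod $EncryptionMethod `
    -UsedSpaceOnly -SkipHardwareTest | Out-Null

# Step 3: escrow the recovery password in Azure AD so it is visible in the
# Intune / Entra device view before anyone reboots the machine.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword"
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# Step 4: verify the result against what the policy expects (cipher, protectors).
$final = Wait-BitLockerVolumeStatus -MountPoint $MountPoint -Expected "FullyEncrypted"
$final | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
    @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType) -join "," } }
```

Compare the EncryptionMethod and protector list in the final output with the Intune policy before re-assigning it; a cipher that differs from the policy is what produces the "policy is not the same" error in the original question.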