Hello @Redistro!
Welcome to Microsoft QnA!
To implement the new disk encryption policy on machines that are already encrypted with basic BitLocker encryption, you will need to decrypt the machines and then re-encrypt them with the new policy. Here are the steps you can follow:
1. Back up the data on the encrypted machines: Before you begin, it's important to back up any important data on the encrypted machines, as decrypting and re-encrypting the disks will wipe all data on the disks.
2. Decrypt the disks: To decrypt the disks, you can use the Disable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to decrypt:
   Disable-BitLocker -MountPoint C:
   Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to decrypt.
3. Apply the new disk encryption policy: After the disks have been decrypted, you can apply the new disk encryption policy by pushing it from Intune or any other device management tool you are using.
4. Re-encrypt the disks: To re-encrypt the disks, you can use the Enable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to re-encrypt:
   Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector -UsedSpaceOnly
   Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to re-encrypt. The -RecoveryPasswordProtector parameter specifies that the BitLocker recovery password should be used to unlock the disk, and the -UsedSpaceOnly parameter specifies that only used disk space should be encrypted to reduce the time required for encryption.
5. Verify the new encryption: After the disks have been re-encrypted, you can verify that the new encryption policy has been applied by checking the BitLocker settings on each machine.
Kindly mark this answer as Accepted in case it helped, or post your feedback!
Regards
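The decrypt / re-encrypt / verify procedure from the answer above, carried through as one script. This is an added example, not code from the answer or from Microsoft; it is written against the cmdlets of the built-in BitLocker PowerShell module (Get-BitLockerVolume, Disable-BitLocker, Enable-BitLocker, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector). It records the existing recovery password before decrypting, waits for decryption to finish (Enable-BitLocker fails on a volume that is still decrypting), re-encrypts, adds a TPM protector, escrows the new recovery password, and checks the result. Assumptions: the script runs elevated on a TPM-equipped, Entra-joined device; XtsAes256 stands in for whatever method the new policy mandates; the step where the policy itself is pushed from Intune happens out of band between decryption and re-encryption and is not scripted here.

```powershell
# Added example (not from the original answer): decrypt a BitLocker volume, wait for
# decryption to complete, re-encrypt it with a new method, escrow the new recovery
# password, and verify the end state.
# Assumptions: run as Administrator on a machine with a TPM; $EncryptionMethod is a
# placeholder for the method the new policy requires; BackupToAAD-BitLockerKeyProtector
# assumes the device is Entra-joined (use Backup-BitLockerKeyProtector for AD DS).
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

param(
    [string]$MountPoint = 'C:',
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$EncryptionMethod = 'XtsAes256'
)

$ErrorActionPreference = 'Stop'

# Poll the volume until it reaches the requested VolumeStatus
# (FullyDecrypted or FullyEncrypted); both operations run in the background.
function Wait-BitLockerState {
    param([string]$MountPoint, [string]$TargetStatus, [int]$TimeoutMinutes = 180)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -eq $TargetStatus) { return $vol }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $MountPoint to reach $TargetStatus"
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Record the current state and any existing recovery password before changing anything.
$vol | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus | Format-List
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Write-Host "Existing recovery password $($_.KeyProtectorId): $($_.RecoveryPassword)" }

# 2. Decrypt. Disable-BitLocker returns immediately; wait for the background decryption.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    Wait-BitLockerState -MountPoint $MountPoint -TargetStatus 'FullyDecrypted' | Out-Null
}

# 3. Re-encrypt with the new method. -RecoveryPasswordProtector generates a fresh
#    48-digit recovery password; -SkipHardwareTest avoids the reboot-to-test step.
$vol = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod `
    -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest

# TPM and recovery-password protectors cannot be requested in one Enable-BitLocker call,
# so add the TPM protector separately; it lets the OS boot without a recovery prompt.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 4. Escrow the new recovery password to Entra ID before it is ever needed.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 5. Verify: encryption finished, protection on, expected method, both protectors present.
$vol = Wait-BitLockerState -MountPoint $MountPoint -TargetStatus 'FullyEncrypted'
$ok = $vol.ProtectionStatus -eq 'On' -and
      $vol.EncryptionMethod -eq $EncryptionMethod -and
      ($vol.KeyProtector.KeyProtectorType -contains 'Tpm') -and
      ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
if (-not $ok) { throw "Post-encryption check failed on ${MountPoint}: $($vol | Out-String)" }
Write-Host "$MountPoint re-encrypted with $($vol.EncryptionMethod); protection is $($vol.ProtectionStatus)."
```

Run it once per volume, for example `.\Reencrypt-BitLocker.ps1 -MountPoint C: -EncryptionMethod XtsAes256`. Because full decryption of a large drive can take hours, the wait loop is what keeps step 3 from running against a volume that is still in DecryptionInProgress; the final check is what the answer's "verify the new encryption" step means in practice, and it is also the place to confirm the method Intune reports matches what the volume actually uses.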