Blog Post

Intune Customer Success
2 MIN READ

Support Tip: Steps to Decrypt and Reencrypt a BitLockered Device & Intune

Intune_Support_Team's avatar
Oct 30, 2018

First published on TechNet on Aug 18, 2017
In this post, we're sharing where to find a list of BitLockered devices in the Intune console and pulling together two different ways to decrypt and reencrypt a BitLockered device.

First off, to find which devices are BitLockered in console, just go to Device configuration-Profiles, select your Endpoint protection profile, then in the blade that extends out, select device status and you can see deployment status of the devices. You can read more about configuring Windows 10 endpoint protection in the documentation here: https://docs.microsoft.com/intune/endpoint-protection-windows-10 .

Now, for those devices that you are going to decrypt and reencrypt, you'll want to make sure that you or your end user can provide administrative credentials to take the following steps. In addition, the drive must be BitLocker-protected.

    • On the BitLockered device, Click Windows Start , click Control Panel , click System and Security , and then click BitLocker Drive Encryption . Click the Turn off BitLocker .

 

 

    • After sync, your end user will receive a notification to encrypt provided you’ve set the “Require bitlocker” setting as shown in the Intune on Azure console in the screen shot below (credit to Courtenay Bernier ’s detailed blog on BitLocker for this screen shot).

 





Let us know if you have any questions on this Support Tip!

Updated Oct 30, 2018
Version 5.0
  • symm_adrian's avatar
    symm_adrian
    Brass Contributor

    Seems like a bit of an oversight here. I'm not sure if there's any updated documentation but a number of Surface Pro tablets or even Dell Latitude tablets come encrypted already (from my observations, usually Used-Space Only and AES128). Since the majority of organizations don't allow users to have administrative rights, it would make more sense for Intune to handle the decryption as a system account or another way that doesn't require administrative credentials. Also, it sounds like if the Intune BitLocker policy detects a lower level of decryption, it simply does nothing. What I'd ultimately like to see is the following --

    • Intune BitLocker Policy is applied
    • Policy sees device is currently encrypted. 
    • Check - Higher level of encryption? Decision -> either decrypt and encrypt with what is defined in policy
    • Check - Lower level of encryption? Decrypt the machine and encrypt with what is defined in polic

    Maybe I just missed it in the documentation but I've waited at least two days for BitLocker to kick in and enforce Full Disk Encryption with XTS-AES256 over simply AES256 and Used-Space Only.