Seems like a bit of an oversight here. I'm not sure if there's any updated documentation but a number of Surface Pro tablets or even Dell Latitude tablets come encrypted already (from my observations, usually Used-Space Only and AES128). Since the majority of organizations don't allow users to have administrative rights, it would make more sense for Intune to handle the decryption as a system account or another way that doesn't require administrative credentials. Also, it sounds like if the Intune BitLocker policy detects a lower level of decryption, it simply does nothing. What I'd ultimately like to see is the following --
- Intune BitLocker Policy is applied
- Policy sees device is currently encrypted.
- Check - Higher level of encryption? Decision -> either decrypt and encrypt with what is defined in policy
- Check - Lower level of encryption? Decrypt the machine and encrypt with what is defined in policy
Maybe I just missed it in the documentation but I've waited at least two days for BitLocker to kick in and enforce Full Disk Encryption with XTS-AES256 over simply AES256 and Used-Space Only.
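The check-and-converge flow the comment above asks for, written out as an added PowerShell example. This is not the commenter's code and not how Intune's BitLocker policy actually behaves; it is what a Proactive Remediation / platform script running as SYSTEM could do. Assumed values are the target of XTS-AES 256 with full-disk encryption (taken from the comment), the OS drive as the mount point, and an Entra ID (Azure AD) joined device for the recovery key escrow step. The decision function is kept separate from the live lookups so it can be exercised against constructed values.

```powershell
# Added example, not part of the original comment or of Intune's own logic.
# Compares a volume's BitLocker state with a target policy (assumed here:
# XTS-AES 256, full disk) and optionally decrypts and re-encrypts to match.
# Assumes Windows with the BitLocker module, run elevated or as SYSTEM.

$TargetMethod   = 'XtsAes256'   # EncryptionMethod value as reported by Get-BitLockerVolume
$TargetFullDisk = $true         # $false would accept Used Space Only encryption

function Get-BitLockerCompliance {
    # Pure decision function, so it can be exercised with sample values.
    param(
        [Parameter(Mandatory)][string]$EncryptionMethod,   # e.g. Aes128, XtsAes256
        [Parameter(Mandatory)][string]$VolumeStatus,       # e.g. FullyEncrypted, FullyDecrypted
        [Parameter(Mandatory)][string]$ConversionStatus    # manage-bde text, e.g. "Used Space Only Encrypted"
    )
    $reasons = @()
    if ($VolumeStatus -eq 'FullyDecrypted') {
        $reasons += 'volume is not encrypted'
    } else {
        # Any mismatch, weaker or stronger than policy, ends in decrypt + re-encrypt:
        # BitLocker cannot change the cipher of an already encrypted volume in place,
        # so no strength ranking is needed, only equality with the policy value.
        if ($EncryptionMethod -ne $TargetMethod) {
            $reasons += "method is $EncryptionMethod, policy wants $TargetMethod"
        }
        if ($TargetFullDisk -and $ConversionStatus -match 'Used Space Only') {
            $reasons += 'volume is Used Space Only encrypted, policy wants full disk'
        }
    }
    $action = if ($reasons.Count -eq 0) { 'None' } else { 'DecryptAndReencrypt' }
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Action = $action; Reasons = $reasons }
}

function Get-ConversionStatusText {
    # Get-BitLockerVolume does not say whether only used space was encrypted;
    # manage-bde -status does, on its "Conversion Status:" line.
    param([Parameter(Mandatory)][string]$MountPoint)
    foreach ($line in (& manage-bde.exe -status $MountPoint 2>&1)) {
        if ($line -match 'Conversion Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

function Test-BitLockerVolumePolicy {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Get-BitLockerCompliance -EncryptionMethod ([string]$vol.EncryptionMethod) `
                            -VolumeStatus     ([string]$vol.VolumeStatus) `
                            -ConversionStatus (Get-ConversionStatusText -MountPoint $MountPoint)
}

function Invoke-BitLockerReencrypt {
    # Decrypts fully, re-encrypts with the target settings, re-adds protectors and
    # escrows the recovery password. Slow and disruptive, so it requires -Force.
    param([string]$MountPoint = $env:SystemDrive, [switch]$Force)
    if (-not $Force) { Write-Warning "Would decrypt and re-encrypt $MountPoint; re-run with -Force."; return }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        do {
            Start-Sleep -Seconds 30
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
        } until ($vol.VolumeStatus -eq 'FullyDecrypted')
    }

    $enable = @{
        MountPoint                = $MountPoint
        EncryptionMethod          = $TargetMethod
        RecoveryPasswordProtector = $true
        SkipHardwareTest          = $true
    }
    if (-not $TargetFullDisk) { $enable['UsedSpaceOnly'] = $true }   # omitted => full disk
    Enable-BitLocker @enable | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    # Escrow the new recovery password (assumes an Entra ID joined device).
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# Constructed sample matching the comment's observation (AES 128, used space only):
Get-BitLockerCompliance -EncryptionMethod 'Aes128' -VolumeStatus 'FullyEncrypted' -ConversionStatus 'Used Space Only Encrypted'

# Live check and remediation (uncomment to run on a real device):
# $result = Test-BitLockerVolumePolicy
# if (-not $result.Compliant) { Invoke-BitLockerReencrypt -Force }
```

Because the script runs in the SYSTEM context of an Intune remediation, no user needs local administrator rights, which addresses the ownership concern raised above. Re-encrypting a full disk takes hours and removes the old key protectors, so the recovery password should be confirmed as escrowed before the job is considered done.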