Forum Discussion
Kashish_Goyal
Oct 10, 2023 Copper Contributor
Bitlocker encryption
Hi, We have enabled Bitlocker using Intune and used AES 256bit XTS. But when we run manage-bde -status it says the encryption method is XTS-AES 128. Any suggestions on this? Is it a potential Bu...
Kashish_Goyal
Oct 17, 2023 Copper Contributor
Hi Harm, Sorry for the delayed response. We encrypted the devices straight with AES 256bit XTS and never used 128 XTS.
This was done using Endpoint Manager.
Devices managed by Intune say 128Bit.
Devices not managed by Intune say 256bit.
Oct 18, 2023
Ok, but if you want the Intune clients to also have 256Bit... Then you will have to decrypt them and encrypt them again to fix that.
- Kashish_Goyal
Oct 18, 2023 Copper Contributor
Thanks Harm... Do you have like a documentation or procedure to decrypt Bitlocker. I have done some research, could not get to a point.
Thanks
- Oct 23, 2023
Did the decryption work out for you?
- Kashish_Goyal
Nov 03, 2023 Copper Contributor
Hi Harm,
As per my reply earlier, manual decryption was working well on machines. However, if I run the script from Intune, it fails each time. The script needs to be run with elevated privileges and Intune does that anyway. In the logs it says Access Denied. Any ideas around it?
Thanks
- Oct 18, 2023
Kashish_Goyal The easiest way to decrypt a 128Bit drive is to push out a script like this:
# Collect every BitLocker volume on the machine
$BLV = Get-BitLockerVolume
# Start decryption of all of those volumes
Disable-BitLocker -MountPoint $BLV
This decrypts your BitLocker volume; push this out to a group of computers. But... exclude that group of computers from Configuration Profiles for encryption and Compliance things, because that group won't be compliant anymore. After decryption, you can remove the computer from the group so that it receives the settings again and can be compliant again.
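
A check for the decrypt and re-encrypt cycle discussed in this thread, added here as an example and not part of any post above: it reads the encryption method and volume status from Get-BitLockerVolume and reports whether the volume already uses the expected method, is still decrypting, or is ready to be encrypted again. The function name, the state labels, the choice of the OS volume and the exit codes are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. $Expected is the method the thread wants.
$Expected = 'XtsAes256'

function Get-BitLockerMethodState {
    param(
        [Parameter(Mandatory)] $Volume,          # object from Get-BitLockerVolume
        [string] $ExpectedMethod = 'XtsAes256'
    )
    $method = [string]$Volume.EncryptionMethod   # e.g. XtsAes128, XtsAes256, None
    $status = [string]$Volume.VolumeStatus       # e.g. FullyEncrypted, FullyDecrypted

    if ($status -eq 'FullyDecrypted') {
        # Disable-BitLocker has finished; the volume can take the new policy.
        $state = 'ReadyToEncrypt'
    }
    elseif ($status -like 'Decryption*') {
        # Decryption runs in the background (in progress or paused).
        $state = 'Decrypting'
    }
    elseif ($method -eq $ExpectedMethod) {
        # Encrypted or still encrypting, and with the expected method.
        $state = if ($status -eq 'FullyEncrypted') { 'Compliant' } else { 'Encrypting' }
    }
    else {
        # Encrypted with another method, such as XtsAes128: needs a decrypt first.
        $state = 'WrongMethod'
    }

    [pscustomobject]@{
        MountPoint   = $Volume.MountPoint
        Method       = $method
        VolumeStatus = $status
        Percentage   = $Volume.EncryptionPercentage
        State        = $state
    }
}

# Assumption: only the operating system volume is checked.
$result = Get-BitLockerVolume -MountPoint $env:SystemDrive |
    ForEach-Object { Get-BitLockerMethodState -Volume $_ -ExpectedMethod $Expected }
$result | Format-List

# Assumed convention: exit code 0 only when the volume is already compliant.
if ($result.State -eq 'Compliant') { exit 0 } else { exit 1 }
```

Because decryption continues in the background after Disable-BitLocker returns, the state should read ReadyToEncrypt before the device is put back into the group that receives the encryption profile.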