Forum Discussion
grvranjan
Sep 17, 2021, Copper Contributor
PowerShell script with MS Intune
Hi, I have been trying to run a script from MS Intune for decrypting hard drive but the status of the script shows success but decryption never starts. I also checked the registry and there also the...
Sep 17, 2021
Just tested it (needed to change the 256 to 128 because we were already using that)
$BitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive
$status = $BitlockerStatus.VolumeStatus
$algorithm = $BitlockerStatus.EncryptionMethod
if ($status -eq 'FullyEncrypted')
{
    #Write-Host $status
    if ($algorithm -eq 'XTSAES128')
    {
        #Write-host "It's encrypted"
    }
    Else
    {
        Disable-BitLocker -MountPoint $env:SystemDrive
    }
}
It works like expected? When syncing the device, the agentexecutor showed the decrypting part
- grvranjan, Sep 17, 2021, Copper Contributor
Hi Rudy,
We need to decrypt the drives which are not encrypted with "XTS AES 256". With the above said, any drive encrypted with "XTS AES 128" will not decrypt, but devices with the rest of the algorithms get decrypted, which is not the requirement.
If the device is encrypted with "XTS AES 256", do nothing; else start decryption.
I also tried with the PowerShell logging, but nothing much there also.
Quite a strange issue I found in the BitLocker-API event logs.
Failed to enable Silent Encryption.
Error: This drive is not encrypted..
Event ID - 851.
If I run the command "manage-bde -on C: -rp -s" on the device, it starts the encryption without any issues, but the encryption is not getting started on its own. Last week it was working and we tested it on 8 devices, but from this week, neither the script nor the silent encryption is working. Although we have not made any changes to the policies or Intune or the scripts.
- Sep 17, 2021
Hi, I know, that's why I was mentioning I changed it (for ourselves, because I wanted to know if the script worked, because the devices were already configured with that setting)
- grvranjan, Sep 17, 2021, Copper Contributor
Hi,
I encrypted my device with "XTS AES 256", executed your script as said, still the same result.
if ($algorithm -eq 'XTSAES128')
{
    #Write-host "It's encrypted"
}
Else
{
    Disable-BitLocker -MountPoint $env:SystemDrive
}
I encrypted my device with "XTS AES 128", executed my script, still the same result.
if ($algorithm -eq 'XTSAES256')
{
}
Else
{
    Disable-BitLocker -MountPoint $env:SystemDrive
}
Decryption has not started in both the cases.
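
An added example, not part of the thread or any poster's script: a version of the check that implements the stated requirement (leave XTS-AES 256 alone, decrypt anything else), logs every value it observes, and exits non-zero when decryption does not actually begin. The log path and the `Write-Log` helper are assumptions made for illustration.

```powershell
# Added example; the log file location is a hypothetical placeholder.
$ErrorActionPreference = 'Stop'    # turn cmdlet errors into terminating errors
$LogFile = Join-Path $env:ProgramData 'BitLockerMethodCheck.log'
$Wanted  = 'XtsAes256'

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogFile
}

try {
    # Record the execution context the script really ran in.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Log "Start. User=$who 64bitProcess=$([Environment]::Is64BitProcess)"

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Write-Log ("VolumeStatus={0} Method={1} Protection={2} Percent={3}" -f `
        $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus, $vol.EncryptionPercentage)

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log 'Drive is not encrypted; nothing to decrypt.'
        exit 0
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # A conversion is running or paused: leave it alone and flag the run.
        Write-Log 'Conversion in progress or paused; not touching the volume.'
        exit 1
    }
    if ("$($vol.EncryptionMethod)" -eq $Wanted) {
        Write-Log "Already $Wanted; nothing to do."
        exit 0
    }

    Disable-BitLocker -MountPoint $env:SystemDrive | Out-Null

    # Confirm the state changed instead of trusting that the call returned.
    Start-Sleep -Seconds 5
    $after = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Write-Log "After Disable-BitLocker: VolumeStatus=$($after.VolumeStatus) Percent=$($after.EncryptionPercentage)"
    if ($after.VolumeStatus -notin 'DecryptionInProgress', 'FullyDecrypted') {
        throw "Decryption did not start; VolumeStatus=$($after.VolumeStatus)"
    }
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The log then shows which branch was taken on the device and any error raised by the BitLocker cmdlets, which a bare "success" status does not.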