Forum Discussion
Kashish_Goyal
Oct 10, 2023 - Copper Contributor
Bitlocker encryption
Hi, We have enabled Bitlocker using Intune and used AES 256bit XTS. But when we run manage-bde -status it says the encryption method is XTS-AES 128. Any suggestions on this? Is it a potential Bu...
Oct 18, 2023
Ok, but if you want the intune clients to also have 256Bit... Then you will have to decrypt them and encrypt them again to fix that
Kashish_Goyal
Oct 18, 2023 - Copper Contributor
Thanks Harm... Do you have like a documentation or procedure to decrypt Bitlocker. I have done some research, could not get to a point.
Thanks
- Oct 23, 2023
Did the decryption work out for you?
- Kashish_Goyal
Nov 03, 2023 - Copper Contributor
Hi Harm,
As per my reply earlier, manual decryption was working well on machines. However, if I run the script from Intune, it fails each time. The script needs to be run with elevated privileges and Intune does that anyway. In the logs it says Access Denied. Any ideas around it?
Thanks
- Nov 03, 2023
You could use logging to see what's happening:
Start-Transcript c:\Windows\Temp\decrypt.log
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV
Stop-Transcript
Deploy that to a computer and check the log afterwards. You're running it as System and not as the logged in user?
- Kashish_Goyal
Oct 24, 2023 - Copper Contributor
Hi Harm, I have done some testing today and it seems to be working like a charm.
Thanks so much for your help.
Also, do you have any recommendations around setting up a Startup PIN using Intune? I have researched a bit around using admin templates. But then we have to set the PIN using an elevated command prompt. This is what I have come around, do you have any other suggestions around it?
Thanks
- Oct 24, 2023
Kashish_Goyal Great to hear that it works for you, haven't had customers yet where I did the startup pin. I suggest opening a new topic about this here, enough knowledge here to help you with that 🙂
- Oct 18, 2023
Kashish_Goyal The easiest way to decrypt a 128-bit drive is to push out a script like this:
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV
This decrypts your BitLocker volume; push this out to a group of computers. But... exclude that group of computers from Configuration Profiles for encryption and Compliance things, because that group won't be compliant anymore. After decryption, you can remove the computer from the group so that it receives the settings again and can be compliant again.
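The decrypt-and-log approach from the replies above, combined into one script that only touches volumes not already at XTS-AES 256 and records the execution context, which helps when Intune reports Access Denied. This is an added example, not code posted by anyone in the thread; the log path is the one from the thread, and the skip logic and context checks are assumptions about what an administrator would want here.

```powershell
# Added example: decrypt only BitLocker volumes that are not XTS-AES 256, with logging.
# Assumptions: log path as used in the thread; target method XtsAes256 per the original question.
$LogPath      = 'C:\Windows\Temp\decrypt.log'
$TargetMethod = 'XtsAes256'
$exitCode     = 0

Start-Transcript -Path $LogPath -Append
try {
    # Record who the script runs as, whether it is elevated, and the process bitness.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Output "Running as: $($identity.Name)"
    Write-Output "Elevated: $isAdmin; 64-bit process: $([Environment]::Is64BitProcess)"

    if (-not $isAdmin) {
        throw 'Script is not running elevated; Disable-BitLocker would be denied.'
    }

    foreach ($vol in Get-BitLockerVolume) {
        Write-Output "$($vol.MountPoint): status=$($vol.VolumeStatus) method=$($vol.EncryptionMethod)"

        # Nothing to do for volumes that are already decrypted or decrypting.
        if ($vol.VolumeStatus -in 'FullyDecrypted', 'DecryptionInProgress') {
            Write-Output "  Skipping: no decryption needed."
            continue
        }
        # Leave volumes that already use the desired method encrypted.
        if ($vol.EncryptionMethod -eq $TargetMethod) {
            Write-Output "  Skipping: already $TargetMethod."
            continue
        }

        Write-Output "  Starting decryption."
        Disable-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
    }
}
catch {
    # Surface the failure in the transcript and to Intune via the exit code.
    Write-Output "Failed: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript
}
exit $exitCode
```

Decryption continues in the background after the script exits; `manage-bde -status` shows progress, and the volume stays unencrypted until the encryption profile applies to the device again.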