cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Bitlocker encryption

Kashish_Goyal
Copper Contributor

‎Oct 09 2023 08:44 PM

‎Oct 09 2023 08:44 PM

Bitlocker encryption

Hi, 
We have enabled Bitlocker using Intune and used AES 256bit XTS. But when we run manage-bde -status it says the encryption method is XTS-AES 128. 

Any suggestions on this?

Is it a potential Bug or Am i missing something on my end?

Thanks

Labels:
1,237 Views
0 Likes
17 Replies
Reply
17 Replies
eliekarkafy

‎Oct 10 2023 12:25 AM

‎Oct 10 2023 12:25 AM

Re: Bitlocker encryption

@Kashish_Goyal this device was encrypted before with BitLocker prior applying the new settings?

1 Like
Reply
Harm_Veenstra

‎Oct 10 2023 02:48 AM

‎Oct 10 2023 02:48 AM

Re: Bitlocker encryption

You have to decrypt before you can switch to a higher encryption method.
1 Like
Reply
Harm_Veenstra

‎Oct 15 2023 04:11 AM

‎Oct 15 2023 04:11 AM

Re: Bitlocker encryption

Any update?
0 Likes
Reply
Kashish_Goyal

‎Oct 17 2023 03:18 PM

‎Oct 17 2023 03:18 PM

Re: Bitlocker encryption

Hi Harm, Sorry for the delayed response. We encrypted the devices straight with AES 256bit XTS and never used 128 XTS.
This was done using Endpoint Manager.
Devices managed by Intune says 128Bit.
Devices not managed by Intune says 256bit.
1 Like
Reply
best response confirmed by Kashish_Goyal (Copper Contributor)
Harm_Veenstra

‎Oct 17 2023 10:06 PM

‎Oct 17 2023 10:06 PM

Solution

Re: Bitlocker encryption

Ok, but if you want the intune clients to also have 256Bit... Then you will have to decrypt them and encrypt them again to fix that
0 Likes
Reply
Kashish_Goyal

‎Oct 17 2023 10:44 PM

‎Oct 17 2023 10:44 PM

Re: Bitlocker encryption

Thanks Harm... Do you have like a documentation or procedure to decrypt Bitlocker. I have done some research, could not get to a point.

Thanks
0 Likes
Reply
Harm_Veenstra

‎Oct 18 2023 04:25 AM

‎Oct 18 2023 04:25 AM

Re: Bitlocker encryption

@Kashish_Goyal The Easiest to decrypt a 128Bit drive is to push out a script like this:

$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV

This decrypts your Bitlocker volume, push this out to a group of computers. But... Exclude that group of computers of Configuration Profiles for encryption and Compliance things because that group won't be compliant anymore. After decryption, you can remove the computer from the group so that it receives the settings again and can be compliant again.

2 Likes
Reply
shockotechcom

‎Oct 18 2023 11:59 AM

‎Oct 18 2023 11:59 AM

Re: Bitlocker encryption

Need more detail. Do these devices support automatic encryption?
0 Likes
Reply
Kashish_Goyal

‎Oct 22 2023 04:32 PM

‎Oct 22 2023 04:32 PM

Re: Bitlocker encryption

Certainly, the devices support automatic encryption.
0 Likes
Reply
Harm_Veenstra

‎Oct 23 2023 01:59 AM

‎Oct 23 2023 01:59 AM

Re: Bitlocker encryption

Did the decryption work out for you?
0 Likes
Reply
Kashish_Goyal

‎Oct 23 2023 10:32 PM

‎Oct 23 2023 10:32 PM

Re: Bitlocker encryption

Hi Harm, I have done some testing today and it seems to be working like a charm.
Thanks so much for your help.

Also, do have any recommendations around setting up Startup PIN using Intune. I have research around bit using admin templates. But then we have to set the PIN using elevated command prompt. This is what I have come around, do you have any other suggestions around it?

Thanks
1 Like
Reply
Harm_Veenstra

‎Oct 23 2023 10:40 PM - edited ‎Oct 23 2023 10:42 PM

‎Oct 23 2023 10:40 PM - edited ‎Oct 23 2023 10:42 PM

Re: Bitlocker encryption

@Kashish_Goyal Great to hear that it works for you, haven't had customers yet where I did the startup pin. I suggest opening a new topic about this here, enough knowledge here to help you with that :)

 

0 Likes
Reply
Kashish_Goyal

‎Oct 23 2023 10:42 PM

‎Oct 23 2023 10:42 PM

Re: Bitlocker encryption

Thanks for your help.
Have a good one
1 Like
Reply
Kashish_Goyal

‎Nov 02 2023 08:14 PM

‎Nov 02 2023 08:14 PM

Re: Bitlocker encryption

Hi Harm,
As per my reply earlier, Manual Decryption was working well on machines. However, if I run the script from Intune, it gets failed each time. The script needs needs to be run with elevated privileges and Intune does that any way. In the logs it says Access Denied. Any ideas around it?

Thanks
0 Likes
Reply
Harm_Veenstra

‎Nov 02 2023 11:06 PM

‎Nov 02 2023 11:06 PM

Re: Bitlocker encryption

You could use logging to see what's happening :

Start-Transcript c:\Windows\Temp\decrypt.log
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint
Stop-Transcript

Deploy that to a computer and check the log afterwards. You're running it as System and not as the logged in user?
0 Likes
Reply
Kashish_Goyal

‎Nov 05 2023 05:29 PM

‎Nov 05 2023 05:29 PM

Re: Bitlocker encryption

Hi Harm, Is there a way that we can check the encryption method on all devices (nearly 300) devices maybe using a PowerShell script?
Thanks
0 Likes
Reply
Rudy_Ooms_MVP

‎Nov 05 2023 09:54 PM

‎Nov 05 2023 09:54 PM

Re: Bitlocker encryption

A bit like this I assume.. from there on after you altered it you could change it do "fix"/remediate it

https://call4cloud.nl/2021/05/the-texas-chain-saw-bitlocker-remediations/#part4
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Kashish_Goyal (Copper Contributor)
Harm_Veenstra

‎Oct 17 2023 10:06 PM

‎Oct 17 2023 10:06 PM

Solution

Re: Bitlocker encryption

Ok, but if you want the intune clients to also have 256Bit... Then you will have to decrypt them and encrypt them again to fix that

View solution in original post

0 Likes
Reply