Microsoft Technical Takeoff
Nov 27 2023 07:00 AM - Nov 30 2023 11:30 AM (PST)
Microsoft Tech Community

Bitlocker encryption

Copper Contributor

We have enabled Bitlocker using Intune and used AES 256bit XTS. But when we run manage-bde -status it says the encryption method is XTS-AES 128. 

Any suggestions on this?

Is it a potential Bug or Am i missing something on my end?


17 Replies

@Kashish_Goyal this device was encrypted before with BitLocker prior applying the new settings?

You have to decrypt before you can switch to a higher encryption method.
Any update?
Hi Harm, Sorry for the delayed response. We encrypted the devices straight with AES 256bit XTS and never used 128 XTS.
This was done using Endpoint Manager.
Devices managed by Intune says 128Bit.
Devices not managed by Intune says 256bit.
best response confirmed by Kashish_Goyal (Copper Contributor)
Ok, but if you want the intune clients to also have 256Bit... Then you will have to decrypt them and encrypt them again to fix that
Thanks Harm... Do you have like a documentation or procedure to decrypt Bitlocker. I have done some research, could not get to a point.


@Kashish_Goyal The Easiest to decrypt a 128Bit drive is to push out a script like this:

$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV

This decrypts your Bitlocker volume, push this out to a group of computers. But... Exclude that group of computers of Configuration Profiles for encryption and Compliance things because that group won't be compliant anymore. After decryption, you can remove the computer from the group so that it receives the settings again and can be compliant again.

Need more detail. Do these devices support automatic encryption?
Certainly, the devices support automatic encryption.
Did the decryption work out for you?
Hi Harm, I have done some testing today and it seems to be working like a charm.
Thanks so much for your help.

Also, do have any recommendations around setting up Startup PIN using Intune. I have research around bit using admin templates. But then we have to set the PIN using elevated command prompt. This is what I have come around, do you have any other suggestions around it?


@Kashish_Goyal Great to hear that it works for you, haven't had customers yet where I did the startup pin. I suggest opening a new topic about this here, enough knowledge here to help you with that :)


Thanks for your help.
Have a good one
Hi Harm,
As per my reply earlier, Manual Decryption was working well on machines. However, if I run the script from Intune, it gets failed each time. The script needs needs to be run with elevated privileges and Intune does that any way. In the logs it says Access Denied. Any ideas around it?

You could use logging to see what's happening :

Start-Transcript c:\Windows\Temp\decrypt.log
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint

Deploy that to a computer and check the log afterwards. You're running it as System and not as the logged in user?
Hi Harm, Is there a way that we can check the encryption method on all devices (nearly 300) devices maybe using a PowerShell script?
A bit like this I assume.. from there on after you altered it you could change it do "fix"/remediate it