This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 0%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Machines in our environment have the basic bitlocker encryption which is auto turned on when you sign in with work/school account. I am in the process of pushing the desk encryption policy from Intune (Endpoint security -> Disk encryption -> Create Policy)and when deployed to test workstation that were already encrypted, it throws an error because the policy is not the same.
To resolve this, I have to decrypt the machines and then re encrypt with the new policy. What is the best way to go about this ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Redistro,Thanks for posting in Q&A. From your description, it seems the device turned on BitLocker when sign in your work account. Please check if other BitLocker policy has assigned to the user or device group. If yes, unassign the previous policy.
Then try to decrypt BitLocker Drive via one of the methods in the following link:
Note: Non-Microsoft link, just for the reference.
After that, apply the new BitLocker policy to the user or device group to make it work.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I tried to deploy this as a script in Intune to the test endpoint last week, it doesn't seem to work
@Redistro, Thanks for the reply. I notice you have deployed a script to decrypt BitLocker Drive. But it is not working.
To know it better, could you please collect the following information for us:
Please collect the above information and if there's any update, feel free to let us know.
The PowerShell script finally worked, I just needed to restart the workstation
@Redistro, Thanks for the update. I am glad to hear that the PowerShell script is working after restart. Congratulations! If there's anything else we can help in the future, feel free to post in our Q&A.
Thanks for your time and have a nice day!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Yes I have checked and no other policy have been applied and I believe the policy doesn't match since the default bitlocker encryption is XTS-AES 128-bits
Hello @Redistro !
Welcome to Microsoft QnA !
To implement the new disk encryption policy on machines that are already encrypted with basic BitLocker encryption, you will need to decrypt the machines and then re-encrypt them with the new policy. Here are the steps you can follow:
Backup the data on the encrypted machines: Before you begin, it's important to backup any important data on the encrypted machines, as decrypting and re-encrypting the disks will wipe all data on the disks.
Decrypt the disks: To decrypt the disks, you can use the Disable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to decrypt:
mathematica
Disable-BitLocker -MountPoint C:
Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to decrypt.
Apply the new disk encryption policy: After the disks have been decrypted, you can apply the new disk encryption policy by pushing it from Intune or any other device management tool you are using.
Re-encrypt the disks: To re-encrypt the disks, you can use the Enable-BitLocker PowerShell cmdlet. Run this cmdlet on each machine that you want to re-encrypt:
mathematica
Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector -UsedSpaceOnly
Note that you may need to change the MountPoint parameter to match the drive letter of the disk you want to re-encrypt. The -RecoveryPasswordProtector parameter specifies that the BitLocker recovery password should be used to unlock the disk, and the -UsedSpaceOnly parameter specifies that only used disk space should be encrypted to reduce the time required for encryption.
Verify the new encryption: After the disks have been re-encrypted, you can verify that the new encryption policy has been applied by checking the BitLocker settings on each machine.
Kindly mark this answer as Accepted in case it helped or post your feedback !
Regards