Some days ago, I wrote a post explaining how to silently enable BitLocker via Microsoft Endpoint Manager (click here to read my guide). Today I want to explain how to handle a situation where your machines are already BitLocker encrypted (manually, by users, by other management tools, by the OEM…) or where you simply want to change the encryption settings (if these machines are already managed by MEM).
If the machines were encrypted without MEM, and assuming they are Hybrid Joined or AD joined with Intune as the MDM authority, we can simply deploy a script to decrypt them.
We can create a .ps1 file and deploy it via the MEM Scripts deployment function.
The script is really simple but really effective:
# Retrieve every BitLocker volume on the machine
$BLV = Get-BitLockerVolume
# Start decryption on all of them (Disable-BitLocker accepts the volume objects directly)
Disable-BitLocker -MountPoint $BLV
With these two commands we retrieve all BitLocker volumes on the machine and then instruct the client to decrypt all of them.
After we have prepared the .ps1 file, we can go to the MEM console. On the Home page, click “Devices”, as shown below.
Now we are in “Devices”: click “Scripts”.
In the “Scripts” section, click the “Add” button.
Fill in the mandatory Name field and, if you want, also the Description, then click Next.
For script creation in general, my advice is to paste the script you are deploying into the Description field. Unfortunately, at this moment, once we upload a script (on the next page) we have no way to download or view it again, so it can be difficult to understand what we deployed after some time.
OK, now upload the .ps1 file you have created, based on the script a few lines above, and then click Next.
Now select the group of machines to which the decryption script should be deployed, then click Next.
Finally, we are on the review page. Double-check your deployment and then click the “Add” button.
That’s all! Now you can monitor the script deployment through the “Scripts” page. In the overview, you can follow the distribution progress.
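A more defensive version of the same decryption script, added here as an example (this is not the post’s script): it only touches volumes that are still encrypted, handles data volumes before the OS volume (Disable-BitLocker will not decrypt an OS volume that still holds auto-unlock keys), logs what it did, and exits non-zero on failure so the MEM Scripts overview reports the device as failed. It assumes the script runs as SYSTEM in the 64-bit PowerShell host; the log path is an arbitrary choice.

```powershell
# Added example, not the post's script: decrypt only volumes that are still
# encrypted, handle data volumes before the OS volume, log each step and
# return a non-zero exit code on failure so the MEM Scripts overview shows
# the device as failed instead of succeeded.
# Assumptions: runs as SYSTEM in the 64-bit PowerShell host (Intune option
# "Run script in 64 bit PowerShell Host"); the BitLocker module is not
# available in the 32-bit host. The log path below is an arbitrary choice.
$LogPath = Join-Path $env:ProgramData 'BitLockerDecrypt.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Data volumes first: Disable-BitLocker refuses to decrypt the OS volume while
# it still stores auto-unlock keys for data volumes, so clear those as we go.
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
    Sort-Object { $_.VolumeType -eq 'OperatingSystem' }

if (-not $volumes) {
    Write-Log 'No encrypted BitLocker volumes found; nothing to do.'
    exit 0
}

$failed = 0
foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    Write-Log ('{0}: type={1} status={2} encrypted={3}%' -f $mp, $vol.VolumeType, $vol.VolumeStatus, $vol.EncryptionPercentage)

    # Already decrypting: let it finish rather than issuing a second Disable.
    if ($vol.VolumeStatus -eq 'DecryptionInProgress') { continue }

    try {
        if ($vol.AutoUnlockEnabled) { Disable-BitLockerAutoUnlock -MountPoint $mp -ErrorAction Stop }
        Disable-BitLocker -MountPoint $mp -ErrorAction Stop | Out-Null
        $after = Get-BitLockerVolume -MountPoint $mp
        Write-Log ('{0}: Disable-BitLocker issued, status now {1}' -f $mp, $after.VolumeStatus)
    } catch {
        $failed++
        Write-Log "$mp: failed: $($_.Exception.Message)"
    }
}

if ($failed -gt 0) { exit 1 }
exit 0
```

Decryption runs in the background after Disable-BitLocker returns, so the log records the status at the moment the command was issued (typically DecryptionInProgress), not the final state.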
But what happens on the clients after the script is deployed? Simply launch this command via CMD:
In the image below, you can see a volume before script deployment (Fully Encrypted) and after script deployment (Fully Decrypted).
Here we have seen a situation where BitLocker is not managed by MEM. But what can we do when it is already managed by MEM? This could be a case where we want to remove BitLocker encryption from the machines permanently, or where we want to change the BitLocker encryption method.
As we said here, modifying an existing policy has no effect on the machine; the same problem applies when we remove the policy.
In the image below, I’m showing the case where a BitLocker policy is applied…
…and then we remove the MEM policy: BitLocker is no longer in the list!
But… BitLocker encryption is still there, up and running!
And this is the reason why I wrote this post on how to remove BitLocker without end-user intervention, hoping to help some of you who are facing the same issue. Have fun!