In this post, we're sharing where to find a list of BitLockered devices in the Intune console and pulling together two different ways to decrypt and reencrypt a BitLockered device.
First off, to find which devices are BitLockered in the console, go to Device configuration, then Profiles, select your Endpoint protection profile, and in the blade that extends out select Device status to see the deployment status of the devices. You can read more about configuring Windows 10 endpoint protection in the documentation here: https://docs.microsoft.com/intune/endpoint-protection-windows-10.
Now, for those devices that you are going to decrypt and reencrypt, you'll want to make sure that you or your end user can provide administrative credentials to take the following steps. In addition, the drive must be BitLocker-protected.
- On the BitLockered device, click Windows Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption. Click Turn off BitLocker.
- Follow the steps here to sync your device to get the latest settings from Intune: https://docs.microsoft.com/en-us/intune-user-help/sync-your-device-manually-windows.
- After sync, your end user will receive a notification to encrypt, provided you’ve set the “Require BitLocker” setting as shown in the Intune on Azure console in the screenshot below (credit to Courtenay Bernier’s detailed blog on BitLocker for this screenshot).
- Finally, if you prefer, you can also use PowerShell to disable BitLocker as shown in the steps here: https://technet.microsoft.com/itpro/powershell/windows/bitlocker/disable-bitlocker.
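The same decrypt, sync and re-encrypt sequence scripted end to end, as an added example that is not part of the original Support Tip. It assumes an elevated session on the device; the `PushLaunch` scheduled task under `EnterpriseMgmt` is assumed to be the MDM client's sync trigger, standing in for the manual sync step above.

```powershell
#Requires -RunAsAdministrator
# Added example: turn off BitLocker on the OS volume, wait for background
# decryption to finish, then trigger an Intune sync so the "Require BitLocker"
# policy re-encrypts the drive. Not code from the support tip or from Microsoft.

function Invoke-BitLockerReencrypt {
    param(
        [string]$MountPoint = $env:SystemDrive,   # usually "C:"
        [int]$PollSeconds = 30
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not BitLocker-protected; nothing to decrypt."
        return $vol
    }

    # Note the recovery protector ID before removing protection, so the key can be
    # located (in Intune/Azure AD) if re-encryption under policy does not complete.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Recovery protector on record: $($_.KeyProtectorId)" }

    # Same effect as Control Panel > BitLocker Drive Encryption > Turn off BitLocker
    Disable-BitLocker -MountPoint $MountPoint | Out-Null

    # Decryption runs in the background; poll until the volume is fully decrypted
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Assumed sync trigger: the MDM client's PushLaunch task (manual sync equivalent)
    $syncTask = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object TaskPath -like '*EnterpriseMgmt*'
    if ($syncTask) {
        $syncTask | Start-ScheduledTask
        Write-Host "Intune sync requested; the Require BitLocker policy should now re-encrypt."
    } else {
        Write-Warning "No EnterpriseMgmt PushLaunch task found; sync the device manually."
    }

    return $vol
}

Invoke-BitLockerReencrypt
```

After the sync, confirm re-encryption with `Get-BitLockerVolume` (VolumeStatus returns to EncryptionInProgress, then FullyEncrypted) and check the profile's Device status blade in the console.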
Let us know if you have any questions on this Support Tip!