BitLocker Volumes Decryption via Microsoft Endpoint Manager

Some days ago, I wrote a post explaining how to silently enable BitLocker via Microsoft Endpoint Manager (click here to read my guide). Today I want to explain how to handle a situation where your machines are already BitLocker encrypted (manually, by users, by other management tools, by the OEM…) or where you simply want to change the encryption settings (if these machines are already managed by MEM).
Let’s start!

If the machines were encrypted without MEM, and assuming they are Hybrid joined or AD joined with Intune as the MDM authority, we can simply deploy a script to decrypt them.
We create a .ps1 file and then deploy it via the MEM Scripts deployment function.
The script is really simple but really effective:

# Enumerate every BitLocker-capable volume on the machine (OS, fixed and removable data volumes).
$BLV = Get-BitLockerVolume
# Start decryption of all of them; Disable-BitLocker accepts the volume objects directly.
# Decryption runs in the background and the volume reports "Fully Decrypted" only when it finishes.
Disable-BitLocker -MountPoint $BLV

With these two commands we retrieve all volumes encrypted by BitLocker on the machine and then instruct the client to decrypt all of them.
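As an added example (not the script from the original post), here is a more defensive version of the same script for MEM deployment: it skips volumes that are already decrypted or decrypting, handles a failing Disable-BitLocker per volume, and writes the final volume state to a log so the result can be checked without opening a CMD on the client. It assumes the default MEM script context (SYSTEM account) and a log path of my choosing.

```powershell
# Added example, not the original post's script. Assumes the MEM default of
# running scripts as SYSTEM (Disable-BitLocker needs administrative rights).
# The log path below is an assumption, not something MEM or the post prescribes.
$LogPath = 'C:\ProgramData\BitLockerDecrypt.log'

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

$volumes = Get-BitLockerVolume
if (-not $volumes) {
    Write-Log 'No BitLocker volumes found; nothing to do.'
    exit 0
}

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    switch ($vol.VolumeStatus.ToString()) {
        'FullyDecrypted' {
            Write-Log "$mp is already fully decrypted, skipping."
        }
        'DecryptionInProgress' {
            Write-Log "$mp is already decrypting ($($vol.EncryptionPercentage)% still encrypted)."
        }
        default {
            # FullyEncrypted, EncryptionInProgress or a paused state: ask BitLocker to decrypt.
            # Disable-BitLocker only starts the conversion; Windows finishes it in the
            # background, so the volume still reports as encrypted for a while afterwards.
            try {
                Disable-BitLocker -MountPoint $mp -ErrorAction Stop | Out-Null
                Write-Log "${mp}: decryption started (protection was $($vol.ProtectionStatus))."
            } catch {
                Write-Log "${mp}: Disable-BitLocker failed: $($_.Exception.Message)"
            }
        }
    }
}

# Record the state at exit; this mirrors what "manage-bde -status" shows on the client.
Get-BitLockerVolume | ForEach-Object {
    Write-Log ("{0} {1} {2}% encrypted" -f $_.MountPoint, $_.VolumeStatus, $_.EncryptionPercentage)
}
exit 0
```

Because this script removes encryption from every volume on every machine it reaches, scope the assignment group in MEM as narrowly as possible and check the log on a pilot device before widening it.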

After we have prepared the .ps1 file, we can go to the MEM console. On the Home page, click “Devices”, as shown below.

Microsoft Endpoint Manager – Home Page

Now that we are in “Devices”, click “Scripts”.

Microsoft Endpoint Manager – Devices | Overview

In the “Scripts” section, click the “Add” button.

Microsoft Endpoint Manager – Devices | Scripts

Fill in the mandatory Name field and, if you want, also the Description, then click Next.
For script creation in general, my advice is to paste the script you are deploying into the Description field. Unfortunately, at the moment, once we upload a script (on the next page) there is no way to download or view it again, so after some time it can be difficult to understand what we have actually deployed.

Microsoft Endpoint Manager – PowerShell Scripts, “Basics” page

OK, now upload the .ps1 file you created from the script a few lines above, then click Next.

Microsoft Endpoint Manager – PowerShell Scripts, “Script Settings” page

Now select the group of machines to deploy the decryption script to, then click Next.

Microsoft Endpoint Manager – PowerShell Scripts, “Assignments” page

Finally we reach the review page. Double-check your deployment and then click the “Add” button.

Microsoft Endpoint Manager – PowerShell Scripts, “Review + Add” page

That’s all! You can now monitor the script deployment through the “Scripts” page; the overview shows the distribution progress.

Microsoft Endpoint Manager – Script Deployment, Overview Page

But what happens on the clients after the script deployment? Simply run this command from CMD:

manage-bde -status

In the image below, you can see a volume before the script deployment (Fully Encrypted) and after it (Fully Decrypted).

CMD – “manage-bde -status” command

So far we have covered the situation where BitLocker is not managed by MEM. But what can we do when it is already managed by MEM? This could be the case when we want to remove BitLocker encryption from the machines for good, or when we want to change the BitLocker encryption method.
As I said in the earlier post, modifying an existing policy has no effect on the machine, and the same problem occurs when we remove the policy.
In the image below, I’m showing the case where a BitLocker policy is applied.

Windows 10 Settings>Account>Access Work or School>Select info on the desired Account.

…and then we remove the MEM policy: BitLocker is no longer on the list!

Windows 10 Settings>Account>Access Work or School>Select info on the desired Account.

But… the BitLocker encryption is still there, up and running!
This is the reason I wrote this post on how to remove BitLocker without end-user intervention, hoping to help those of you facing the same issue. Have fun!

Michele
