Remove BitLocker Encryption Using Platform Script

➡️ Unenforcing BitLocker Encryption via Intune using a PowerShell Platform Script ⬅️
If you've previously deployed BitLocker policies using Microsoft Intune and now need to remove those encryption settings—including decrypting all BitLocker-enabled partitions—this guide and PowerShell script can help.

The script does the following:

1. Identifies all BitLocker volumes on the system.
2. Disables Auto-Unlock for all non-OS drives.
3. Removes all additional BitLocker key protectors (PINs, passwords).
4. Decrypts all protected volumes.
.................................................................................................................
Step-by-Step: Upload Script to Microsoft Intune
Step 1: Go to the Intune admin center at https://intune.microsoft.com
Step 2: Click Devices, then Scripts and remediations, then Platform scripts.
Step 3: Under Platform scripts, click Add, then choose Windows 10 and later.
Step 4: Enter a descriptive policy name so you can easily identify your BitLocker removal policy.
Step 5: Configure the script settings
  • Click Browse and upload your Remove-BitLockerProtections.ps1 file.
  • Run this script using the logged on credentials: No (BitLocker actions need the SYSTEM context)
  • Enforce script signature check: No (unless you sign your scripts)
  • Run script in 64-bit PowerShell host: Yes


..................................................................................................................................................
⚠️ Powershell ⚠️
..................................................................................................................................................


# Get all BitLocker volumes (captured once; later steps reuse this list)
$bitlockerVolumes = Get-BitLockerVolume

# Step 1: Disable Auto-Unlock on all non-OS volumes
foreach ($volume in $bitlockerVolumes) {
    if ($volume.VolumeType -ne 'OperatingSystem') {
        Disable-BitLockerAutoUnlock -MountPoint $volume.MountPoint -ErrorAction SilentlyContinue
    }
}

# Step 2: Remove all additional key protectors (e.g., PIN, Password)
foreach ($volume in $bitlockerVolumes) {
    $protectors = Get-BitLockerKeyProtector -MountPoint $volume.MountPoint
    foreach ($protector in $protectors) {
        Remove-BitLockerKeyProtector -MountPoint $volume.MountPoint -KeyProtectorId $protector.KeyProtectorId -ErrorAction SilentlyContinue
    }
}

# Step 3: Decrypt all BitLocker-enabled volumes
# ProtectionStatus comes from the list captured above, so a volume whose
# protectors were just removed is still seen as 'On' and gets decrypted.
foreach ($volume in $bitlockerVolumes) {
    if ($volume.ProtectionStatus -eq 'On') {
        Write-Output "Decrypting drive $($volume.MountPoint)..."
        Disable-BitLocker -MountPoint $volume.MountPoint
    } else {
        Write-Output "Drive $($volume.MountPoint) is already decrypted."
    }
}
.........................................................................................................................................................

Step 6: Assign the policy to the device group you want to target.


Step 7: Click Next, then Create.



Step 8: Verify decryption on the client
After Intune has deployed the PowerShell script, you can monitor the decryption process on the client device by opening Command Prompt as an administrator and running:

manage-bde -status

Once decryption has finished, the output shows every drive on the device as fully decrypted.
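As an added example (not part of the original post or its script), the following PowerShell does the same check as manage-bde -status but from the BitLocker module, so it can be run manually on the client or uploaded as an Intune detection script. It reports each volume's VolumeStatus, EncryptionPercentage and remaining key-protector count, and it only returns success when every volume is FullyDecrypted with no protectors left, which is the end state the removal script above is meant to reach. The function names are my own; it assumes the BitLocker module is present (Windows 10/11) and that it runs elevated or as SYSTEM, as Get-BitLockerVolume requires.

```powershell
# Added verification script: reports BitLocker decryption progress and
# returns whether all volumes are fully decrypted. Not the post's own code.
# Assumes: BitLocker PowerShell module available, running elevated / as SYSTEM.

function Get-BitLockerDecryptionReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType
            VolumeStatus         = $vol.VolumeStatus          # FullyDecrypted, DecryptionInProgress, FullyEncrypted, ...
            ProtectionStatus     = $vol.ProtectionStatus      # On / Off
            EncryptionPercentage = $vol.EncryptionPercentage  # 0 once decryption is complete
            KeyProtectorCount    = @($vol.KeyProtector).Count # should be 0 after Disable-BitLocker finishes
        }
    }
}

function Test-AllVolumesDecrypted {
    param([object[]]$Report = (Get-BitLockerDecryptionReport))

    # A volume counts as "done" only when it is fully decrypted AND has no
    # key protectors left; a volume still decrypting keeps its protectors.
    $remaining = $Report | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -or $_.KeyProtectorCount -gt 0
    }
    return (-not $remaining)
}

function Wait-BitLockerDecryption {
    param(
        [int]$TimeoutMinutes = 120,   # decryption of large drives can take hours
        [int]$PollSeconds    = 60
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $report = Get-BitLockerDecryptionReport
        $report | Format-Table -AutoSize | Out-String | Write-Output
        if (Test-AllVolumesDecrypted -Report $report) {
            Write-Output 'All volumes are fully decrypted.'
            return $true
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning 'Timed out: some volumes are still encrypted or decrypting.'
    return $false
}

# Usage as an Intune detection script: exit 0 = compliant (all decrypted), 1 = not yet.
# For an interactive check, call Wait-BitLockerDecryption instead to poll until done.
if (Test-AllVolumesDecrypted) { exit 0 } else { exit 1 }
```

Because Disable-BitLocker only starts decryption in the background, the one-shot exit-code check at the bottom will report non-compliant until the drive has finished decrypting; Wait-BitLockerDecryption is the interactive equivalent of re-running manage-bde -status until every volume reads fully decrypted.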