2 Bitlocker Policies

Question

2 Bitlocker Policies

Vionne Joorst 0

Hi all

I have 2 active bitlocker policies

Is it possible to remove one policy without losing Encryption Keys?

0 comments

1 answer

Your answer

Answer 1

Marcin Policht 85,065 MVP Volunteer Moderator

Yep - you can remove one BitLocker policy without losing the encryption keys, as long as you do not decrypt the drive or explicitly clear the key protectors. BitLocker encryption keys are stored on the device (and often backed up to Entra ID, AD DS, or another key escrow) independently of the policy object that enforced encryption. Removing a policy only stops enforcement going forward; it does not automatically decrypt the drive or delete existing key protectors.

The main risk comes from how the policies differ. If the policy you remove contains requirements for specific key protectors (like TPM+PIN or recovery password) and the remaining policy does not enforce or allow those, some management platforms may try to remediate by changing protectors. That could result in regeneration or removal of certain protectors, but not loss of access to the encrypted data itself as long as at least one valid protector remains.

Before removing the policy, verify the current protectors on the device and ensure a recovery key is backed up. You can check with:

manage-bde -protectors -get C:

If you are using Intune or Group Policy, confirm that the remaining policy supports the existing configuration so no automatic remediation alters it unexpectedly. As long as encryption stays enabled and at least one valid key protector persists, your encrypted data and access to it remain intact.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Vionne Joorst 0 Reputation points

2026-04-07T13:31:07.49+00:00

Awesome! thank you

So policy (A) is currently active on +- 100 devices

Policy (B) is active on +- 200 devices

If i remove policy (A), is it possible to overwrite that 100 devices with policy (B) without having to decrypt all current policy (A) devices manually?
Marcin Policht 85,065 Reputation points MVP Volunteer Moderator

2026-04-07T14:04:44.3566667+00:00
Yep - AFAIK, you can move those 100 devices from policy A to policy B without decrypting the drives, but it depends on how different the policies are and how your management platform enforces compliance.

BitLocker does not require decryption just because the policy changes. If the drives are already encrypted and policy B is compatible with their current state, the devices will simply become compliant under the new policy without re-encryption.

The important detail is whether policy B demands settings that cannot be applied in-place. For example, changing encryption method from XTS-AES 128 to XTS-AES 256, or switching system drive authentication from TPM-only to TPM+PIN, would likely requires decryption and re-encryption. On the other hand, settings like requiring a recovery key backup, silent enablement, or allowing TPM-only would generally not require decryption if the device already meets or can remediate to those requirements.

When you remove policy A, the 100 devices will evaluate against policy B. If they are already compliant, I'd expect that nothing happens at that point. If they are not, Intune or Group Policy will attempt remediation. Some remediations happen in-place, like adding a missing recovery password protector, while others may fail or prompt for manual action if they require structural changes to encryption.

You can validate the current state on a sample device before switching by checking encryption method and protectors:

manage-bde -status C: manage-bde -protectors -get C:

If those align with what policy B requires, the transition should be seamless. If not, the mismatches that cannot be adjusted live would require decrypting and re-encrypting.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Vionne Joorst 0 Reputation points

2026-04-07T14:30:24.64+00:00

Thats Great news !

The policies are identical, except for 1 setting - Silent enable aka "Allow Warning for other Encryption"

The main goal was to enable this function, without disrupting the existing policy (B) which did not have silent enabling active.

So then we created policy (A) to see if we can run silent encryption in the backround, without any user intervention

We ran this successfully on around 100 (out of ±350) devices as mention before, so now we just want to remove the Test Policy which was Policy (A) and manage only one single encryption policy (B)

Hope this makes sense?

You have been a tremendous help!
Marcin Policht 85,065 Reputation points MVP Volunteer Moderator

2026-04-07T16:33:32.0733333+00:00

Yep - this makes sense. Since the only difference is the silent enablement setting, and the drives are already encrypted, that setting is no longer relevant for those 100 devices. Silent enablement only affects how BitLocker is initially turned on, not how an already encrypted device behaves afterward.

When you remove policy A, those devices should simply evaluate against policy B. Because the encryption state, method, and protectors are already in place and identical, they should become compliant without any re-encryption or user impact.

You might want to double-check that recovery keys are properly escrowed and that policy B does not enforce anything stricter than what’s already configured, but based on your description, the transition should work.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

2 Bitlocker Policies

1 answer

Your answer