4.1 Removal Best Practices

The following practices provide the best approach to removing security policies that have been deployed to devices.

Practice 1: Remove policy assignments before deleting a policy

Deleting a policy automatically removes the policy assignments. However, we recommend that you remove policy assignments before you delete a policy to see if the policy removal has any negative effects on the device. If so, the policy is still available to reassign.

Practice 2: Ensure removable data drives are accessible post policy removal

When you remove a Microsoft Data Encryption policy from a device, folders encrypted by the policy are decrypted. However, removable data drives encrypted by the policy remain encrypted until they are decrypted using BitLocker management after providing the Unlock Password or a recovery key generated by BitLocker. The recovery key is not automatically generated when deploying the Microsoft Data Encryption Policy.

If you have user password control for removable data drives enabled in the policy at the time you disable or remove the policy, end users can use native BitLocker management to access or decrypt the drive at any time on any computer, whether managed by ZENworks or not, so long as they still know the password. If you have “No unlock password” set in the policy upon policy removal, any new login sessions following policy removal would require the BitLocker recovery key to access or decrypt the drive, which the user may not have.

We recommend the following best practice before removing the Microsoft Data Encryption Policy or any equivalent action such as policy deletion or agent removal:

  • Ensure one of the password options below is enabled in the policy, and that all policy-assigned devices are refreshed if this is a change from the “No unlock password” setting.

    • Always prompt for the unlock password

    • Prompt for the password on first use

  • Notify all end users that use managed devices with the Microsoft Data Encryption Policy that mandatory encryption of removable drives by ZENworks via BitLocker will be disabled on their devices, and they should take one of the following actions after policy removal (which might require the Unlock Password) for any removable drives encrypted by ZENworks:

    • Generate and save a BitLocker recovery key for each encrypted drive to an accessible location after policy removal

    • Decrypt encrypted drives after policy removal

    • Move or copy any required files from the encrypted drives to an alternate and accessible location, which would make drive reformatting feasible
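The recovery-key and decryption steps listed above, as an added PowerShell example that is not part of the ZENworks documentation. It assumes an elevated session on Windows with the BitLocker module, that the removable drive has already been unlocked (for example with its Unlock Password), and a backup folder of your choosing (the `$BackupDir` default is a hypothetical path).

```powershell
<#
  Added example (not ZENworks code): after the Microsoft Data Encryption policy is
  removed, back up a BitLocker recovery password for every still-encrypted removable
  drive, and optionally start decryption. Run elevated; drive must already be unlocked.
#>
[CmdletBinding()]
param(
    # Hypothetical backup location; pick one the user can reach later.
    [string]$BackupDir = "$env:USERPROFILE\Documents\BitLockerRecovery",
    # Start full decryption instead of only backing up the recovery password.
    [switch]$Decrypt
)

Import-Module BitLocker -ErrorAction Stop
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Removable drives only; policy removal already decrypted folders on fixed drives.
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

foreach ($vol in $removable) {
    $mount = "$($vol.DriveLetter):"
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$mount is not BitLocker-encrypted; nothing to do."
        continue
    }
    if ($bl.LockStatus -eq 'Locked') {
        Write-Warning "$mount is locked; unlock it first (Unlock-BitLocker) and re-run."
        continue
    }

    # The policy never generated a recovery key, so add a recovery password protector
    # if none exists, then write it to a file in the backup folder.
    $rp = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $bl = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
        $rp = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    $keyId = $rp[0].KeyProtectorId.Trim('{}')
    $file  = Join-Path $BackupDir ("RecoveryKey_{0}_{1}.txt" -f $vol.DriveLetter, $keyId)
    "Drive: $mount`nKey ID: $($rp[0].KeyProtectorId)`nRecovery Password: $($rp[0].RecoveryPassword)" |
        Set-Content -Path $file
    Write-Host "Saved recovery password for $mount to $file"

    if ($Decrypt) {
        # Begins full decryption; the drive stays usable while it runs.
        Disable-BitLocker -MountPoint $mount | Out-Null
        Write-Host "Decryption started on $mount (monitor with Get-BitLockerVolume)."
    }
}
```

Keep the saved recovery file off the drive it protects; a drive that is later locked on another computer can then be unlocked with that recovery password.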