Remote wipe from Intune on a computer with Bitlocker enabled

Anonymous
2021-01-25T14:44:35.557+00:00

In a couple of months, our firm is joining a few laptops to Azure AD Directory.

Because of the project standard, these machines would need to be enabled with Bitlocker.

I've tested the Remote wipe option from the Endpoint Manager admin console on a test laptop device with Bitlocker enabled. The laptop reboots, then stops at the screen needing a recovery key to proceed. In the event that the laptop is stolen or lost, I need to be able to remote wipe the computer. How can I achieve this?

Microsoft Security Intune Other

7 answers

  1. Bagitman 596 Reputation points
    2021-01-27T15:22:32.12+00:00

    Remote Wiping is not really needed as it can be circumvented, anyway. Take out the drive of a computer that you just stole... you think it will somehow magically wipe itself?

    The recovery key is a 48 digit number and it cannot be broken in time (talking years, even if you had a supercomputer cluster which no attacker will be able to afford), so the process is ok without wiping. If the PIN can't be guessed (6 digits and up, random, TPM-lockout active), you are secure.

    1 person found this answer helpful.

  2. Jason Sandys 31,406 Reputation points Microsoft Employee Moderator
    2021-01-25T15:42:35.623+00:00

    Sorry, not following why the above state is not acceptable? If the volume is locked and encrypted, no data is accessible by any malicious actor.

    Also, after putting in the PIN, what state is the OS in? Is it reset? To clarify, there is no actual drive "wipe" functionality in Windows. A wipe request from Intune runs a Windows reset. See https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe


  3. Anonymous
    2021-01-25T16:02:38.493+00:00

    Yes, I am doing a wipe request from Intune so it can run a Windows reset on the laptop, but before the laptop resets, a screen comes up on the laptop after reboot stating that it needs the Bitlocker recovery key first. If I do not have Bitlocker enabled on the laptop, the Windows reset from the Intune wipe request runs fine.


  4. Jason Sandys 31,406 Reputation points Microsoft Employee Moderator
    2021-01-25T17:26:57.647+00:00

    OK, so the reset isn't happening until a PIN is entered, correct? But, that still begs the question of what attack vector are you protecting against that isn't accounted for? The volume is locked and encrypted and if someone does manage to guess the PIN, the only thing that will happen is the wipe process will get kicked off immediately. Thus, there's no data leakage possible.

    I can think of one scenario off-hand actually, but it's fairly contrived and not real-world IMO and still relies on someone guessing the PIN.


  5. Anonymous
    2021-01-25T18:06:05.693+00:00

    The reset isn't happening unless a recovery key, not a PIN, is entered. We will not be setting a PIN for the users or setting up a limit on how many times you can enter a PIN wrong before it wipes the machine. We have attempted this in our test labs and our management is not in agreement with this concept because most users are not going to remember their PIN. What we are trying to achieve is, in the event that a laptop or mobile device is stolen, a reset wipe request from Intune that runs a Windows reset on a Bitlocker-enabled laptop and just wipes the laptop automatically while it is at an unknown location: as soon as the machine boots into Windows and has some sort of internet connection, the wipe begins. I can achieve this on a laptop 'without Bitlocker on', but I would like to achieve this 'with Bitlocker on'. Is that possible? We are coming up on a security audit to make sure that our firm is security compliant for a couple of government projects, so that is why this issue is being raised currently.

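Since the thread turns on the recovery-key screen and on which protectors (TPM, PIN, recovery password) the volume actually has, here is an added PowerShell example, not code from the thread or from Microsoft, that audits the OS volume's BitLocker posture and escrows the recovery password to Azure AD so the organisation holds the 48-digit key that screen asks for. It assumes an elevated session on an Azure AD-joined Windows 10/11 device with the built-in BitLocker module; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes an Azure AD-joined Windows 10/11
# device, an elevated session, and the built-in BitLocker PowerShell module.

function Test-OsVolumeBitLockerPosture {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Summarise what the volume relies on; TpmPin/TpmPinStartupKey mean a
    # pre-boot PIN is in use, RecoveryPassword is the 48-digit key.
    [pscustomobject]@{
        MountPoint      = $vol.MountPoint
        VolumeStatus    = $vol.VolumeStatus                    # expect FullyEncrypted
        ProtectionOn    = ($vol.ProtectionStatus -eq 'On')
        HasTpmProtector = [bool]($types -match '^Tpm')
        UsesPreBootPin  = [bool]($types -match 'Pin')
        HasRecoveryPwd  = ($types -contains 'RecoveryPassword')
    }
}

function Backup-OsVolumeRecoveryPasswordToAad {
    $drive = $env:SystemDrive
    $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery password protector yet: create one so there is a key to escrow.
        Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # Stores the recovery password under the device object in Azure AD,
        # where an admin can retrieve it for the recovery screen.
        BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $p.KeyProtectorId
    }
    return @($rp | ForEach-Object { $_.KeyProtectorId })
}

$posture = Test-OsVolumeBitLockerPosture
$posture | Format-List
if (-not $posture.ProtectionOn -or $posture.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "OS volume is not fully protected; data-at-rest is not covered by BitLocker yet."
}
if (-not $posture.HasTpmProtector) {
    Write-Warning "No TPM-based protector found; check the TPM and the BitLocker policy."
}
Backup-OsVolumeRecoveryPasswordToAad
```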
