Intune bitlocker key after deletion of device

Christian Kruesi 216

We encrypt our Autopilot / Intune devices with bitlocker. I thought that this way the files on the device are secure and nobody can access them even while booting from a OS on a USB device. At the end of the lifecycle of a device we delete the devices in the Intune console. It looks like the bitlocker encryption is taken away by deleting a device. And booted from a OS on a USB device I can now access the former encrypted files. I have to double check with other devices if this is reproducable.
Is this normal behaviour? What would be the best way to secure the files on a deleted device? Do I have to manually wipe them with overwriting with random content like in times before disk encryption? Thanks for your help.

Accepted answer

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-01-21T19:40:13.953+00:00

Just to circle back on this, a colleague of mine asked internally and validate that the functionality described here is expected. Specifically, if you delete the device from AAD and the device communicates with AAD again (nothing can happen if it doesn't communicate again as it would never know the AAD object was deleted), then the key protector is removed from the OS volume leaving BitLocker enabled but suspended. I'm going to add a note to the Intune docs on this. Thank you all for brining this up.
Please sign in to rate this answer.
Chris Gerke 11 Reputation points

2023-02-21T03:42:56.34+00:00

We have to be careful here to define what is being deleted, Christian mentioned Intune device and you mention AAD device, they two different objects although linked to the same physical machine.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

11 additional answers

Pavel yannara Mirochnitchenko 13,331 Reputation points MVP

2021-12-13T17:05:14.94+00:00

No that is not normal and should not behave like that. Before testing this again, make sure the device is really encrypted.
Please sign in to rate this answer.

1 person found this answer helpful.
Chris Gerke 11 Reputation points

2023-02-21T03:42:09.67+00:00

I see bitlocker being suspended too, I've contact Microsoft and they confirm this is by design.

Christian Kruesi 216 Reputation points

2023-02-21T06:14:40.94+00:00

And I still think that this is a bad design idea and definitively not "security first".

Chris Gerke 11 Reputation points

2023-02-21T09:36:36.67+00:00

Agreed. I can only assume this design decision was made to avoid a Personal device being encrypted and keys being lost. However if that was the case they should have distinguished between Corporate and Personal and have suspension only occur on Personal.

Christian Kruesi 216 Reputation points

2023-02-21T10:22:56.99+00:00

Exactly. Another way would be to let the admin choose like e.g. when wiping a device:

let the device be encrypted (recommended for corporate devices),

suspend bitlocker (recommended for personal devices)

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2023-02-21T20:19:08.1933333+00:00

Correct on the reasoning for this functionality (although there are other possible scenarios with all of them relating to the BitLocker RK being stored in the AAD object and unrecoverable if that device object is deleted potentially leaving an org or individual in a data loss scenario). However, AAD does not make a personal v corporate distinction specifically because there really is no functional difference between personal or corporate for an AADJ endpoints. Generally speaking, you shouldn't join a personal device to AAD but there's nothing to stop an individual from doing so and no way for AAD to know this either and thus, it can (and does) happen accidentally or without forethought.

Ultimately, the bottom line here is that you should not ever delete a Windows endpoint from Intune unless you know that it is stale (or was never protected by BL). This is called out in the Intune docs and is a process change that orgs should educate themselves on and enforce just like other potentially destructive processes in their environment).

Chris Gerke 11 Reputation points

2023-02-21T22:22:47.4833333+00:00

What happens though with stolen/lost devices?

Scenario

device stolen

admins issue wipe

device stays offline for 90+ days (or x days higher than stale device window)

intune automatically removes device

Device is joined to internet at the lock screen

device doesn’t get wipe action as it’s no longer in intune? Or does it? Device gets command to suspend bitlocker? Or not?

Christian Kruesi 216 Reputation points

2023-02-22T06:33:28.2066667+00:00

Good scenario.

And even in this scenario it would be better to leave the device encrypted than to remote wipe it. Because a remote wipe is not a "secure wipe". See e.g. Rudy Ooms blog entry: https://call4cloud.nl/2022/03/ill-always-know-what-you-did-last-wipe/.

The best way would still be when the device would stay encrypted even if admins delete it from Intune (or are deleted by a device cleanup rule).

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2023-02-22T17:42:28.79+00:00

@Chris Gerke Intune's automatic cleanup rules are not the same as manually initiating a device delete so this does not impact the scenario and the device will remain encrypted and present in AAD.

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2023-02-22T17:44:40.54+00:00

@Christian Kruesi

The best way would still be when the device would stay encrypted even if admins delete it from Intune (or are deleted by a device cleanup rule).

I know you don't like this answer, but the best way is to not delete the device as noted unless you know the device no longer exists. Also, as just called out, device cleanup rules and not the same as deleting a device in Intune and thus will not trigger the suspension of BitLocker.

Chris Gerke 11 Reputation points

2023-02-22T23:34:26.7166667+00:00

Oh, cleanup rules don’t? I was told they do but haven’t been able to confirm yet, waiting for some test devices to age out. Are you 100% in that?

Christian Kruesi 216 Reputation points

2023-02-23T06:33:41.11+00:00

If cleanup rules don't suspend Bitlocker that would be a way to go. I would prefer if we could delete the device for oversight reasons. It would be way easier to compare the inventory with the devices connecting to Intune without failure.

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2023-02-23T19:18:27.1166667+00:00

@Chris Gerke Yes, 100% sure. Cleanup rules effectively only "hide" the device object from the Intune console and other visibility mechanisms. What cleanup rules do is covered at https://techcommunity.microsoft.com/t5/device-management-in-microsoft/using-intune-device-cleanup-rules-amp-160/ba-p/377272

Chris Gerke 11 Reputation points

2023-02-24T05:14:15.7033333+00:00

Thanks Jason. I’ve submitted a PR to MS to update their memdocs https://github.com/MicrosoftDocs/memdocs/pull/3611#issuecomment-1442632453
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP

2021-12-13T17:09:33.117+00:00

I just did a small testing on my own, since I happen to have deleted device with existing OS. I started it with Win10 USB install media, went to command line and it does ask for Bitlocker recovery key.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Christian Kruesi 216 Reputation points

2021-12-14T06:12:33.353+00:00

Great, thank you for your fast answer. That would be good news - beside that I have to investigate, why one or some clients don't get the bitlocker profile. I will double-check with another device and report here.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Christian Kruesi 216 Reputation points

2021-12-14T09:54:43.633+00:00

Looks like it was really because of a non encrypted disk. Tested today with another device it stays encrypted. Weird. I checked in devices -> monitor -> Encryption report our encrypted computers and from our more than 800 computers there is 1 which is not encrypted. So it looks like the encryption profile is not 100% reliable and it seams that we've had a second one not encrypted, exactly the one I tested - Murphy's law.
Thank you for your help and sorry for wasting your time.
Please sign in to rate this answer.
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP

2021-12-14T17:24:15.93+00:00

No worries. I had some problems with Bitlocker automation in Intune and I found out, that you really should use Disk Encryption configuration from new Endpoint Security node in Intune.

ps. remember to mark my reply as answer if you feel it like an answer.

Christian Kruesi 216 Reputation points

2021-12-15T06:24:19.583+00:00

I already marked your reply as answer. Thanks again for your help.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Intune bitlocker key after deletion of device

11 additional answers

Your answer