You can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune.
How to disable Bitlocker for Azure AD registered machines
Students install Office 365 on their personal computers and agree to the "Allow My Organization To Manage My Device" option. Now we see their Windows 10 Home computers as Azure AD Registered with BitLocker keys in Intune.
This has caused data loss. E.g. a student upgraded his computer by moving the HDD from the old to the new computer, got a prompt to type the BitLocker recovery key but had no idea what the key was or why he needed it. => Total reinstall.
You can create a BitLocker policy (Endpoint security -> Disk encryption -> Create Policy) but there's not an option to disable. The only choices are "Yes" and "Not configured".
3 answers
Rahul Jindal [MVP] 10,286 Reputation points MVP
2022-01-31T21:40:34.017+00:00
Do you want to unmanage BitLocker on personal Windows 10 devices or unmanage these personal devices altogether? If it is just BitLocker, then you can create a device filter policy for personal Windows 10 devices and exclude this filter in your BitLocker policy assignment. If you want to unmanage the personal Windows 10 devices then +1 to @Nick Hogarth's suggestion to disallow enrollment against Windows 10 BYOD.
MMK 6 Reputation points
2022-05-10T06:28:51.503+00:00
The newest Windows versions, including Windows 10 Home, will silently encrypt the hard disk after Windows installation. A clear key is stored on the HDD.
manage-bde -status shows that the HDD is encrypted but Protection Status is off because the clear key is used.
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
If you install O365 and agree to the option "Allow My Organization To Manage My Device", which is checked by default, the clear key is removed from the HDD and the BitLocker keys are stored in the AAD device object. All this is done fully automatically without the user's knowledge. Now the protection status is "on".
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
Now if your laptop gets broken and, for example, a motherboard needs to be replaced, you need the BitLocker recovery key from AAD. If it's deleted from AAD, you will lose all your data.
From Intune you can disable enrolling personal devices, or you can disable the encryption from the user's device.
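The two states the answer above describes (encrypted with a clear key and "Protection Off", then "Protection On" with the recovery key escrowed only in AAD) can be audited on the device itself before anyone depends on the AAD copy. The following PowerShell is an added example written for this thread, not code posted by any participant or shipped by Microsoft. It assumes the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector) on Windows 10/11 and an elevated prompt; the export file path is a hypothetical default.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): classify each BitLocker volume into the
# risk states discussed above and give the user a local copy of any recovery
# password, so a motherboard swap or a deleted AAD device object does not mean
# losing the data. Requires the built-in BitLocker module and an elevated shell.

function Get-BitLockerRiskReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Recovery password protectors are the 48-digit keys the user is asked for
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $risk = 'Not encrypted'
        }
        elseif ($vol.ProtectionStatus -eq 'Off') {
            # Encrypted with a clear key only (what manage-bde shows as "Protection Off");
            # protection turns on automatically once a real protector is added, e.g. at
            # Azure AD registration as described in the thread
            $risk = 'Clear key: encrypted but unprotected; will turn on once a protector is added'
        }
        elseif ($recovery.Count -eq 0) {
            $risk = 'Protection On but no recovery password protector exists'
        }
        else {
            $risk = 'Protection On; recovery password exists, make sure the user has a copy'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            EncryptionMethod  = $vol.EncryptionMethod
            ProtectionStatus  = $vol.ProtectionStatus
            RecoveryPasswords = $recovery.Count
            Risk              = $risk
        }
    }
}

function Export-BitLockerRecoveryPasswords {
    [CmdletBinding()]
    param(
        # Hypothetical default location; the file contains secrets, store it off the encrypted disk
        [string]$Path = "$env:USERPROFILE\Documents\BitLockerRecoveryKeys.txt"
    )

    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            '{0} {1} {2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
        }
    }

    if (-not $lines) {
        Write-Warning 'No recovery password protector found. Add one first, e.g.:'
        Write-Warning '  Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector'
        return
    }
    $lines | Set-Content -Path $Path
    Write-Output "Saved $(@($lines).Count) recovery password(s) to $Path"
}

# Usage: run the report, then export the keys if any volume is "Protection On"
Get-BitLockerRiskReport | Format-Table -AutoSize
Export-BitLockerRecoveryPasswords
```

The report maps directly onto the two manage-bde outputs quoted in the answer: "Protection Off" with 100% encrypted is the clear-key state, and "Protection On" is the state in which the AAD-escrowed key is the only thing standing between the user and a reinstall. For the last option the answer mentions, turning encryption off on the user's own device, `Disable-BitLocker -MountPoint 'C:'` from the same module starts a full decryption; `BackupToAAD-BitLockerKeyProtector` does the opposite and escrows a chosen protector to the Azure AD device object intentionally rather than as a side effect of the Office sign-in.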