How to disable Bitlocker for Azure AD registered machines

Tavas Zervie 1 Reputation point
2022-01-30T15:52:47.283+00:00

Students install Office 365 to their personal computers and agree the "Allow My Organization To Manage My Device”. Now we see their Windows 10 Home computers as Azure AD Registered with BitLocker keys in Intune.

This has caused data loss. Eg. a student upgraded his computer by moving the HDD from the old to the new computer, got a prompt to type BitLocker recovery key but had no idea that the key was or why he needed it. => Total reinstall.

You can create Bitlocker policy (Endpoint secury -> Disk encryption -> Create Policy) but there's nota n option to disable. Only choices are "Yes" and "Not configured".

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,302 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Nick Hogarth 3,436 Reputation points
    2022-01-30T21:43:52.893+00:00

    You can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune.

    2 people found this answer helpful.
    0 comments No comments

  2. Rahul Jindal [MVP] 10,286 Reputation points MVP
    2022-01-31T21:40:34.017+00:00

    Do you want to unmanage Bitlocker on personal Windows 10 devices or unmanage these personal devices altogether? If it is just Bitlocker, then you can create a device filter policy for personal Windows 10 devices and exclude this filter in your Bitlocker policy assignment. If you want to unmanage the personal Windows 10 devices then +1 to @Nick Hogarth 's suggestion to disallow enrollment against Windows 10 BYOD.


  3. MMK 6 Reputation points
    2022-05-10T06:28:51.503+00:00

    Newest Windows versions, including Windows 10 Home, will silently encrypt hardisk after Windows installation. A clear key is stored on HDD.

    manage-bde -stautus shows that HDD is encrypted but Protection status is off because the clear key i used.

     Conversion Status:    Used Space Only Encrypted
     Percentage Encrypted: 100,0%
     Encryption Method:    XTS-AES 128
     Protection Status:    Protection Off
    

    If you install O365 and agree the option "Allow My Organization To Manage My Device” which is checked by default, the clear key is removed from HDD and Bitlocker keys are store in AAD device object. All this is done fully automatically without user's knowledge. Now the protection status is "on".

     Conversion Status:    Used Space Only Encrypted
     Percentage Encrypted: 100,0%
     Encryption Method:    XTS-AES 128
     Protection Status:    Protection On
    

    Now if your laptop gets broken and for example a motherboads need to be replaced you need the Bitlocker recovery key from AAD. If it's deleted from AAD, you will lose all your data.

    From Intune you can disable enrolling personal devices or you can disable the encryption from user's device.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.