Question asked by EricU-3234 (LongdonZiggy-5605 commented)

Remote wipe from Intune on a computer with Bitlocker enabled

In a couple of months, our firm is joining a few laptops to Azure AD Directory.

Because of the project standard, these machines would need to be enabled with Bitlocker.

I've tested the Remote wipe option from the Endpoint Manager admin console on a test laptop device with Bitlocker enabled. The laptop reboots, then stops at the screen needing a recovery key to proceed. In the event the laptop is stolen or lost, I need to be able to remote wipe the computer. How can I achieve this?

mem-intune-general

LongdonZiggy-5605 commented: We are having the same issue but a different need: wipe a computer with Bitlocker to re-use it for another employee. Bitlocker recovery key entered and at the log-in page. Wipe command sent. The computer reboots to Bitlocker; you enter the recovery key or hit Escape and get the "Choose an option" screen: Continue, Troubleshoot, Use a device, Turn off PC, or Use another operating system. We can get it working by the factory restore option at boot, but would like this to work as well.

Jason-MSFT answered

Sorry, not following why the above state is not acceptable? If the volume is locked and encrypted, no data is accessible by any malicious actor.

Also, after putting in the PIN, what state is the OS in? Is it reset? To clarify, there is no actual drive "wipe" functionality in Windows. A wipe request from Intune runs a Windows reset. See https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe


EricU-3234 answered

Yes I am doing a wipe request from Intune so it can run a Windows reset on the laptop, but before the laptop resets, a screen comes up on the laptop after reboot stating that it needs the Bitlocker recovery key first. If I do not have Bitlocker enabled on the laptop, the Windows reset from wipe request from Intune runs fine.


Jason-MSFT answered

OK, so the reset isn't happening until a PIN is entered, correct? But, that still begs the question of what attack vector are you protecting against that isn't accounted for? The volume is locked and encrypted and if someone does manage to guess the PIN, the only thing that will happen is the wipe process will get kicked off immediately. Thus, there's no data leakage possible.

I can think of one scenario off-hand actually, but it's fairly contrived and not real-world IMO and still relies on someone guessing the PIN.


EricU-3234 answered

The reset isn't happening unless a recovery key, not a PIN, is entered. We will not be setting a PIN for the users or setting up how many times you can enter a PIN wrong before it wipes the machine after too many attempts. We have attempted this in our test labs and our management is not in agreement with this concept because most users are not going to remember their PIN number. What we are trying to achieve is, in the event that a laptop or mobile device is stolen, a reset wipe request from Intune so it can run a Windows reset on a Bitlocker-enabled laptop: just wipe the laptop automatically while it is at an unknown location, and as soon as the machine boots into Windows and has some sort of internet connection, the wipe begins. I can achieve this on a laptop 'without Bitlocker on', but I would like to achieve this 'with Bitlocker on'. Is that possible? We are coming up on a security audit to make sure that our firm is security compliant for a couple of government projects, so that is why this issue is being raised currently.


Jason-MSFT answered (edited)

OK, but the question remains. If the volume is encrypted and a recovery has been triggered, there's no possibility of data leakage here unless someone can somehow guess a crazy long recovery key, and even if they do (which is unfathomable), it will simply trigger a wipe. So what's the goal here? If it's to protect the data on the volume, goal achieved.


EricU-3234 answered

The main goal is to protect the data on the volume for sure. But I also thought there were options that even though the data on the volume is protected with Bitlocker, you could also remote wipe that machine that had Bitlocker enabled in an event that the device was stolen or missing, but I see that is not possible, unless a PIN is created and how many attempts are set before it wipes. Trying to determine the best way forward. Thank you for your help.


Bagitman-1090 answered

Remote Wiping is not really needed as it can be circumvented, anyway. Take out the drive of a computer that you just stole... you think it will somehow magically wipe itself?

The recovery key is a 48-digit number and it cannot be broken in time (we're talking years, even if you had a supercomputer cluster, which no attacker will be able to afford), so the process is OK without wiping. If the PIN can't be guessed (6 digits and up, random, TPM lockout active), you are secure.
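As an added example that is not part of this thread (my own PowerShell, not Microsoft's guidance): a posture check an admin can run on a test laptop before relying on an Intune wipe, reporting the points the answers above hinge on, whether the volume is actually protected, whether a TPM+PIN protector with TPM lockout exists, and whether a 48-digit recovery password exists to get past the recovery screen the wipe reboot produces. It assumes an elevated prompt on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules; the function names are my own.

```powershell
# Added example: report the BitLocker/TPM posture discussed in the thread for the OS volume.
# Assumes the BitLocker and TrustedPlatformModule modules (Windows 10/11) and an elevated prompt.
function Get-BitLockerWipePosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm   = Get-Tpm
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus): a wipe would reset without a recovery prompt, but data at rest is unprotected.")
    }
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings.Add('No TPM+PIN protector: the pre-boot PIN (and TPM lockout on guesses) the thread mentions is not in place.')
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No 48-digit recovery password protector: nothing can unlock the device at the recovery screen a wipe reboot produces.')
    }
    if (-not $tpm.TpmReady) {
        $findings.Add('TPM is not ready: BitLocker cannot rely on TPM anti-hammering for PIN guesses.')
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = ($types -join ', ')
        TpmReady         = $tpm.TpmReady
        TpmLockedOut     = $tpm.LockedOut
        TpmLockoutCount  = $tpm.LockoutCount
        Findings         = $findings
    }
}

# Escrow every recovery password protector to Azure AD, so the admin can retrieve it
# when a wiped device stops at the recovery screen (uses the built-in cmdlet).
function Backup-RecoveryPasswordsToAAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-BitLockerWipePosture | Format-List
```

An empty Findings list means the device matches the posture the last answer describes as secure; anything listed is what to fix before the audit rather than a reason to expect the wipe to bypass the recovery screen.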
