
0 Votes
tartor321 asked vipulsparsh-MSFT commented

Disable Bitlocker for Azure AD registered machine

Hey guys,

We have a user's machine that is a BYOD, and the join type is Azure AD registered.

Recently it got locked by BitLocker after doing Windows updates!

To troubleshoot, I managed to find their machine in our Azure tenant along with the BitLocker key, so I obviously managed to unlock the machine.

I've looked at the endpoint manager (https://endpoint.microsoft.com/), but we don't have any policies in place. Additionally, there's only a small handful of devices that appear there, whereas if I look at the devices in AAD, there are thousands, plus the BitLocker key!

My question is: where in Azure is this enforced? Is it by default? If so, is there documentation on it?

Tags: azure-active-directory, azure-ad-device-management

1 Answer

0 Votes
vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@tartor321 Thanks for reaching out and apologies for the delay.

The BitLocker process is an automated process in Windows and does not need any policy to get enabled. BitLocker will automatically encrypt the device and back up the recovery key in the following scenarios:

1) If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.


2) If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.


3) Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.


You can read about this automated process in detail here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10
and a way to stop it is mentioned here: https://timmyit.com/2019/08/13/intune-issue-allow-standard-users-to-enable-encryption-during-azure-ad-join/

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



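An added example to go with the answer above (this is my script, not code from the thread, from Microsoft, or from the linked posts): a PowerShell audit that reports the state the answer describes on a single device. It uses the built-in BitLocker module cmdlets `Get-BitLockerVolume` and `BackupToAAD-BitLockerKeyProtector`, the `dsregcmd.exe /status` output (the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields are assumed to be spelled as shown), and the documented `PreventDeviceEncryption` registry value; the function names `Get-JoinState`, `Get-OsVolumeState` and `Test-DeviceEncryptionOptOut` are my own. Run it elevated; add `-BackupToAzureAD` to escrow the recovery password to the Azure AD device object, which is what makes the key show up in the tenant as the asker saw.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread). Audits the automatic device
# encryption state the answer describes and optionally escrows the recovery
# password to Azure AD. Uses the built-in BitLocker module cmdlets
# Get-BitLockerVolume / BackupToAAD-BitLockerKeyProtector and dsregcmd.exe.
[CmdletBinding()]
param([switch]$BackupToAzureAD)

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" (joined)
    # and "WorkplaceJoined : YES" (Azure AD registered, i.e. BYOD).
    # Field names are assumed to match the dsregcmd output format.
    $lines = dsregcmd.exe /status
    $state = @{}
    foreach ($name in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $m = $lines | Select-String -Pattern "^\s*$name\s*:\s*(\S+)" | Select-Object -First 1
        $state[$name] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    [pscustomobject]$state
}

function Get-OsVolumeState {
    # Automatic device encryption encrypts the OS drive under a "clear key"
    # first; ProtectionStatus stays Off until a TPM protector replaces it.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { throw 'No operating-system BitLocker volume found.' }
    $protectors = @($os.KeyProtector)
    [pscustomobject]@{
        MountPoint          = $os.MountPoint
        VolumeStatus        = [string]$os.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus    = [string]$os.ProtectionStatus   # On / Off
        EncryptionPercent   = $os.EncryptionPercentage
        KeyProtectors       = ($protectors | ForEach-Object { [string]$_.KeyProtectorType }) -join ', '
        # Encrypted but unprotected means the clear key has not been removed yet
        ClearKeyOnly        = ([string]$os.VolumeStatus -ne 'FullyDecrypted' -and [string]$os.ProtectionStatus -eq 'Off')
        RecoveryPasswordIds = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object { $_.KeyProtectorId })
    }
}

function Test-DeviceEncryptionOptOut {
    # Documented opt-out for automatic device encryption (REG_DWORD set to 1).
    $props = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' -Name PreventDeviceEncryption -ErrorAction SilentlyContinue
    [bool]($props -and $props.PreventDeviceEncryption -eq 1)
}

$join = Get-JoinState
$vol  = Get-OsVolumeState
Write-Host 'Join state:'; $join | Format-List | Out-String | Write-Host
Write-Host 'OS volume:';  $vol  | Format-List | Out-String | Write-Host
Write-Host ('PreventDeviceEncryption set: {0}' -f (Test-DeviceEncryptionOptOut))

if ($join.WorkplaceJoined -eq 'YES' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Warning 'Azure AD registered (BYOD) device with an encrypted OS drive: confirm the recovery password is escrowed in the tenant before it is needed.'
}
if ($vol.RecoveryPasswordIds.Count -eq 0) {
    Write-Warning 'No RecoveryPassword protector exists; there is nothing to back up to Azure AD.'
} elseif ($BackupToAzureAD) {
    foreach ($id in $vol.RecoveryPasswordIds) {
        # Writes the recovery password to the Azure AD device object, where it
        # appears under the device's BitLocker keys in the Azure AD portal.
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $id
    }
}
```

The `ClearKeyOnly` flag is the condition the answer's three scenarios all turn on: the drive is already encrypted but no TPM protector has replaced the clear key yet, so the device is not actually protected until the sign-in and key backup complete. `Test-DeviceEncryptionOptOut` only reads the registry value; setting it is the opt-out route for devices where automatic encryption is not wanted.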

Hi

Thanks for the response

In my case BitLocker was enabled for the user as it was joined to Azure AD. I understand this is a default process unless I use Intune to make exceptions; is that correct?

0 Votes

@tartor321 Yes, you are correct.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes