Forum Discussion

Mitul Sinha's avatar
Mitul Sinha
Iron Contributor
Jul 22, 2019
Solved

Microsoft Bitlocker Management from Intune

Howdy Folks!   I guess everyone is doing well with the Microsoft as all of you might got inspired much from the session last week held in Las Vegas(Microsoft Inspire)!!   Though I missed it every...
Bitlocker Encryption
microsoft intune
  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    Jul 30, 2019

    Hey Mitul Sinha,

     

    then I think your test setup had a different problem because there is no dependency on MFA for BitLocker enablement. To really confirm my statement I verified it in my test tenant right now. I disabled all MFA (AADJ & WHfB), enrolled a device, didn't see any MFA prompt (no MFA at all) and my BitLocker policies in Intune enabled encryption and my AADJ device is encrypted. BitLocker key is in AAD and everything is fine in the Intune portal (green icons - configurations successful applied).

     

    So, again BitLocker has no dependency to MFA and can be enabled without MFA. Your problem in your tests seems to be rooted somewhere else.

     

    Key rotation is currently not available but BitLocker is functional without MFA.

     

    best,

    Oliver

Oliver Kieselbach's avatar
Oliver Kieselbach
MVP
Jul 29, 2019

Hey Mitul Sinha,

 

as far as I know it, there is no option to disable this. It is designed as a self-service with no option to disable it in the portal.

 

best,
Oliver

  • Mitul Sinha's avatar
    Mitul Sinha
    Iron Contributor
    Jul 30, 2019
    But I don't understand even after not setting up the MFA policies from Azure AD still It is asked once you sign in with the new profile to achieve Bitlocker via Azure AD Domain Join. Suppose Customer is not interested in getting the MFA then how we can remove it?
    • Mitul Sinha's avatar
      Mitul Sinha
      Iron Contributor
      Jul 30, 2019

      And there is one more question Oliver Kieselbach  just clicked on my mind..Suppose BitLocker PIN if I reset it then will it generate the new recovery key or store the new recovery key in my apps.microsoft.com or not?

      • Oliver Kieselbach's avatar
        Oliver Kieselbach
        MVP
        Jul 30, 2019

        Hey Mitul Sinha,

         

        what do you mean by MFA and BitLocker exactly? You can disable Windows Hello for Business, which would enforce you to do MFA for the Hello PIN creation (this PIN is only for WHfB!) and disable the AADJ MFA requirement, then you end up in a situation, that you can enroll a device without doing MFA. With the correct BitLocker policies in place, the Intune device will get encrypted and the key will backup to AAD.

        A key rotation like MBAM implemented this for domain joined clients, is currently not available. Although, the implementation with MBAM was a key rotation after BitLocker key usage, not the BitLocker pre-boot PIN reset. The pre-boot BitLocker PIN is used to protect access to the TPM further. While TPM-only verifies just the integrity of the platform (hardware and a few firmware/software components) to control access to the TPM. So, even in the domain join scenario pre-boot auth PIN reset (aka BitLocker PIN reset) did not rotate the BitLocker recovery key. Native BitLocker key rotation in Intune is currently not available.

         

        best,

        Oliver

Resources