Wednesday, May 25, 2022

Forgive Us Our BitLocker suspension

I decided to remove the part about the BitLocker issue when deleting the Intune object from my latest blog and dedicate a separate blog to it! While writing it all down, it overshadowed the other important stuff in that blog!

I will divide this blog into multiple parts

  1. Introduction
  2. What Happens when deleting the object
  3. Could we access the data?
  4. A Possible Solution?
  5. Conclusion

While trying to come up with a different solution for when you don’t want to perform a remote wipe, I was curious what would happen when we delete the Intune object. Before showing you what is going to happen, let’s take a look at the BitLocker protection first to make sure BitLocker is configured and protection is enabled!

The easiest way to get the BitLocker status is to open a CMD prompt and enter this command: manage-bde -status

Instead of remote wiping the device, we are going to remove the Intune object, because when the device is still configured with BitLocker we are safe, right?

Let’s start by deleting the Intune object as shown below. Just select the proper device and click on “delete”

After I pressed delete, I just got myself a cup of coffee and waited to see what happened

After drinking a cup of coffee and some social talks with some colleagues I took another look at the BitLocker protection status.

When running Manage-bde -status again, it is telling us the Protection status is Off. Yes you read it correctly OFF not ON. Looking at the conversion status, it is luckily still fully encrypted.

Please note: the BitLocker-API event log will also contain event ID 773: BitLocker was suspended for volume C:

So I decided to leave the device alone for a while and started to look into some other weird issues.

But after waiting for a while nothing else happened so I decided to start performing some tests.

I decided to start with attaching the disk to another device. Dismounting the disk and mounting it on another device prompted me for the BitLocker recovery keys. So that’s all fine!

After this test, I decided to reboot the device but this time I made sure I selected “Troubleshoot” when booting from my USB Windows 11 Installation media

After selecting the CMD option, I was curious if I could access the data, but before I could access it I needed to assign the volume a drive letter. As shown below, while testing, the drive was still fully encrypted but the protection was Off.

Normally when the disk is protected with BitLocker it’s impossible to access the disk and you would be asked to unlock the drive first

Let’s continue. After assigning a drive letter I was curious if we could access the disk, so let’s take a look at what we can do with it!

As shown above, because the BitLocker protection is off, we are not prompted to unlock the drive. We could easily access the disk and open some files!

Should I tell you something funny? Just use Xcopy to copy all of that sensitive data to your USB stick!

After plugging the USB stick into another device, you will notice that the data is also readable!

Work In Progress

When deleting the Intune object, the BitLocker protection will be suspended! When it’s suspended, you could easily access the data from WinRE! I guess when you have configured BitLocker with an Endpoint security profile, it’s not safe to delete the object when there is still sensitive data on the device! You will need to make sure the data is removed yourself!
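To spot a device in the state described above (still encrypted, but protection suspended), a check like the following can be run elevated on the device. It is an added example, not part of the original post; the event log channel name and the exit-code convention (1 = suspended volume found) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: report volumes that still hold encrypted data but have
# BitLocker protection suspended, plus the latest suspension event (ID 773).

# Assumption: channel name of the BitLocker-API "Management" log.
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'

# Encrypted (or partly encrypted) volume with ProtectionStatus Off is the
# condition the post observed after the Intune object was deleted.
$suspended = @(Get-BitLockerVolume | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off'
})

# Get-WinEvent raises an error when nothing matches, so silence that case.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 773 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue)

foreach ($vol in $suspended) {
    # Events come back newest first; pick the latest one naming this volume.
    $last = $events |
        Where-Object { $_.Message -like "*$($vol.MountPoint)*" } |
        Select-Object -First 1

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        LastEvent773     = $last.TimeCreated
    }
}

# Exit code convention (assumption): 1 = at least one suspended volume.
if ($suspended.Count -gt 0) { exit 1 } else { exit 0 }
```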

Rudy Ooms, https://call4cloud.nl/
Rudy is a Modern workplace architect and currently working for a company in the Netherlands, called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Within these years, he gained a lot of experience in different kinds of expertise. I guess like most of you, he started working with active directory environments. In June 2021 he received the MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell scripted Deltacom-Cloud environment is one of his creations.
