I decided to remove the part about the BitLocker issue when deleting the Intune object from my latest blog post and dedicate a separate post to it! While writing it all down, it overshadowed the other important stuff in that post!
I will divide this post into multiple parts:
- What happens when deleting the object
- Could we access the data?
- A possible solution?
While trying to come up with a different solution for when you don’t want to perform a remote wipe, I was curious what would happen when we delete the Intune object. Before showing you what is going to happen, let’s take a look at the BitLocker protection first to make sure BitLocker is configured and protection is enabled!
The easiest way to get the BitLocker status is to open a CMD and enter this command: Manage-bde -status
Instead of remotely wiping the device, we are going to remove the Intune object. When the device is still configured with BitLocker we are safe, right?
Let’s start by deleting the Intune object as shown below. Just select the proper device and click on “Delete”.
After I pressed delete, I just got myself a cup of coffee and waited to see what happened.
After drinking a cup of coffee and some social talk with some colleagues, I took another look at the BitLocker protection status.
Running Manage-bde -status again tells us the Protection Status is Off. Yes, you read it correctly: OFF, not ON. Looking at the Conversion Status, the volume is luckily still Fully Encrypted.
Please note: the BitLocker-API event log will also show event ID 773: BitLocker was suspended for volume C:.
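The status check and the event 773 lookup described above, as an added PowerShell example (not part of the original post). It assumes an elevated session with the BitLocker module and that the BitLocker-API log’s full name is Microsoft-Windows-BitLocker/BitLocker Management; any volume found in the “encrypted but protection Off” state has its protection resumed.

```powershell
# Added example: find BitLocker volumes whose protection is suspended, show the
# BitLocker-API event 773 entries that record the suspension, and resume protection.
# Assumes an elevated PowerShell session on Windows 10/11 with the BitLocker module.
Import-Module BitLocker

# The state described in the post: Conversion Status "Fully Encrypted",
# Protection Status "Off" (key protectors suspended, clear key on disk).
$suspended = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' }

foreach ($vol in $suspended) {
    Write-Warning ("{0} is fully encrypted but protection is OFF (suspended)" -f $vol.MountPoint)
}

# Event ID 773 in the BitLocker-API operational log records the suspension.
# Log name is an assumption in this example (see lead-in).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 773
} -MaxEvents 10 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    "{0}  {1}" -f $e.TimeCreated, $e.Message
}

# Remediation: resume protection so the key protectors are enforced again.
# Add -WhatIf to see what would change without touching the volume.
foreach ($vol in $suspended) {
    Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
    Write-Host ("Protection resumed on {0}" -f $vol.MountPoint)
}
```

Run it as a scheduled or remotely pushed check; a volume that shows up as suspended without a planned firmware or OS update is the signal to investigate before the device leaves your control.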
So I decided to leave the device alone for a while and started to look into some other weird issues.
After waiting for a while nothing else happened, so I decided to start performing some tests.
I decided to start by attaching the disk to another device. Dismounting the disk and mounting it on another device prompted me for the BitLocker recovery key. So that’s all fine!
After this test, I decided to reboot the device, but this time I made sure I selected “Troubleshoot” when booting from my USB Windows 11 installation media.
After selecting the Command Prompt option, I was curious whether I could access the data, but first I needed to assign the volume a drive letter. As shown below, while testing, the drive was still fully encrypted but protection was off.
Normally, when the disk is protected with BitLocker, it’s impossible to access the disk and you would be asked to unlock the drive first.
Let’s continue. After assigning a drive letter I was curious whether we could access the disk, so let’s take a look at what we can do with it!
As shown above, because BitLocker protection is off we are not prompted to unlock the drive. We could easily access the disk and open some files!
Should I tell you something funny? Just use xcopy to copy all of that sensitive data to your USB stick!
After plugging the USB stick into another device, you will notice that the data is also readable!
Work In Progress
When you delete the Intune object, BitLocker protection is suspended! While it’s suspended, the data can easily be accessed from WinRE! I guess that when you have configured BitLocker with an Endpoint security profile, it’s not safe to delete the object while there is still sensitive data on the device! You will need to make sure the data is removed yourself!