
Incorrect Statement - Devices DO-NOT Suspend BitLocker when the AAD object is deleted.

Open deadthirsty opened this issue 3 years ago • 0 comments

https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/intune/protect/encrypt-devices.md

Believe the below statement from the above page is incorrect:

NOTE: If you delete the Azure AD object for an Azure AD joined device protected by BitLocker, the next time that device syncs with Azure AD it will remove the key protectors for the operating system volume. Removing the key protector leaves BitLocker in a suspended state on that volume. This is necessary because BitLocker recovery information for Azure AD joined devices is attached to the Azure AD computer object and deleting it may leave you unable to recover from a BitLocker recovery event.

Devices DO-NOT suspend BitLocker when the AAD object is deleted. From testing, simply deleting the AAD object has no bearing on the status of BitLocker encryption on a managed client.

However, devices DO suspend BitLocker if the device is removed from Intune management via a retire or delete action, or simply removed from management locally. The next time the device syncs with Intune it is un-enrolled client-side which DOES suspend BitLocker.

deadthirsty, Aug 06 '22 17:08
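One way to check the behaviour the issue and the docs disagree on is to snapshot the OS volume's BitLocker state on a test device before and after the Azure AD object is deleted (or the device is retired), so that "suspended" is read from ProtectionStatus and the key protector list rather than inferred. This is an added example, not code from the issue or the memdocs page; it assumes an elevated session on a Windows device with the BitLocker PowerShell module and dsregcmd available.

```powershell
# Added example: snapshot the OS volume's BitLocker state so the
# "suspended after AAD object deletion" claim can be checked directly.
# Assumes an elevated session with the BitLocker module; the snapshot
# is written to a timestamped JSON file so two runs can be diffed.

function Get-OsVolumeBitLockerSnapshot {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # A fully encrypted volume whose ProtectionStatus is Off is what a
    # suspended BitLocker volume looks like (encrypted, but unprotected).
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    # Join state comes from dsregcmd; it prints an "AzureAdJoined : YES/NO" line.
    $dsreg = dsregcmd /status
    $aadJoined = ($dsreg | Select-String 'AzureAdJoined\s*:\s*YES') -ne $null

    [PSCustomObject]@{
        Timestamp        = (Get-Date).ToString('o')
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus.ToString()
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        Suspended        = $suspended
        AzureAdJoined    = $aadJoined
        # Each key protector by type and id; a missing TPM/recovery
        # protector after the sync is the docs' claimed behaviour.
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object {
            [PSCustomObject]@{
                Type = $_.KeyProtectorType.ToString()
                Id   = $_.KeyProtectorId
            }
        })
    }
}

$snapshot = Get-OsVolumeBitLockerSnapshot
$file = Join-Path $env:TEMP ("bitlocker-snapshot-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $file
$snapshot | Format-List

if ($snapshot.Suspended) {
    Write-Warning ("BitLocker is suspended on {0}; key protectors: {1}" -f `
        $snapshot.MountPoint, ($snapshot.KeyProtectors.Type -join ', '))
}
```

Run it once before deleting the AAD object or retiring the device and once after the next sync, then compare the two JSON files: the docs predict ProtectionStatus Off and fewer key protectors, while the issue reports no change for the AAD deletion case.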