MT.1123 - Ensure BitLocker full disk encryption is configured via Intune
Overviewβ
Ensure at least one Intune Disk Encryption policy enforces BitLocker with full disk encryption type.
BitLocker Drive Encryption protects data on Windows devices by encrypting the disk. However, BitLocker supports two encryption types that have very different security implications:
- Full disk encryption β encrypts the entire drive including free space. This is the recommended and secure option.
- Used space only encryption β only encrypts sectors currently holding data. This is dangerous on drives that previously contained unencrypted data, because previously deleted files remain as raw data in unencrypted free space. This data can be recovered using commonly available data recovery software (e.g., Recuva, PhotoRec, or forensic imaging tools). NTFS marks deleted file sectors as "free" but does not zero them out β the original bytes stay on disk until overwritten by new data.
Bottom line: If BitLocker is enabled with "Used space only" on a drive that already had data on it before encryption was turned on, that pre-existing deleted data is fully recoverable. Only "Full disk encryption" guarantees that the entire drive surface is protected.
This test queries the Intune Endpoint Security > Disk Encryption policies via the configurationPolicies Graph API and inspects the BitLocker CSP settings to verify that Enforce drive encryption type is set to Full encryption for OS drives.
Remediation action:β
- Navigate to Microsoft Intune admin center.
- Go to Endpoint security > Disk encryption.
- Click + Create policy.
- Set Platform to Windows 10 and later and Profile to BitLocker.
- Enter a policy name (e.g., "BitLocker - Full Disk Encryption").
- Configure the following settings:
- Require Device Encryption: Enabled
- Allow Warning For Other Disk Encryption: Disabled (enables silent encryption)
- Allow Standard User Encryption: Enabled
- Enforce drive encryption type on operating system drives: Enabled, set to Full encryption
- Enforce drive encryption type on fixed data drives: Enabled, set to Full encryption
- Choose drive encryption method and cipher strength: Enabled
- OS drives: XTS-AES 256-bit
- Fixed data drives: XTS-AES 256-bit
- Removable data drives: AES-CBC 256-bit
- Require additional authentication at startup: Enabled, with Require TPM
- Choose how BitLocker-protected OS drives can be recovered: Enabled, with backup to Entra ID
- Assign the policy to your device groups and click Create.
Related linksβ
- Microsoft Intune - Endpoint Security Disk Encryption
- Microsoft Learn - Encrypt devices with BitLocker in Intune
- Microsoft Learn - BitLocker CSP reference
- CIS Benchmark - Ensure BitLocker is enabled on all Windows devices
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1123 |
| Severity | High |
| Suite | Maester |
| Category | Intune |
| PowerShell test | Test-MtBitLockerFullDiskEncryption |
| Tags | Intune, Maester, MT.1123 |
Sourceβ
- Pester test:
tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 - PowerShell source:
powershell/public/maester/intune/Test-MtBitLockerFullDiskEncryption.ps1