This blog post is written in English, as it originates from an English request on Microsoft's Q&A page: https://docs.microsoft.com/en-us/answers/questions/661335/intune-bitlocker-key-after-deletion-of-device.html.
A short introduction to how this request came about.
In a normal Windows installation you cannot access another user's data, because the permissions on files are enforced by the NTFS file system. However, if you access the files on the hard disk from another operating system (e.g. one started from a USB stick), you can access all files.
When a device is taken out of service, the hard disk must be completely erased for security reasons. For this purpose it is overwritten one or more times with other data or zeros; this is called "wiping a disk".
If a hard disk is encrypted, it is not possible to access the data from another operating system. It is therefore no longer necessary to wipe the hard disk – without the key, no one can view the encrypted files.
We have been encrypting our devices with BitLocker for some time, managed with Intune and Azure AD. So all's well? Not quite. The originally BitLocker-encrypted disk "loses" its encryption after you delete the device from Intune and Azure AD. Someone could then boot the device from a USB stick and see all the data stored on the disk.
This test was made with a hybrid joined device.
First I checked if the hard disk was really encrypted. In the screenshot you can see that the encryption of C: is enabled.
If you boot another operating system from a USB stick (here a WinPE-based Windows), you cannot access the contents of the hard disk. You would need the BitLocker password.
I then deleted the device from our local AD, from Intune, and also the Autopilot entry.
After some time I connected the device to Wi-Fi and just let it run. No one logged on. I assume that during this time it connects to Intune and syncs. I guess that is when the decryption of the hard drive must happen.
Anyway, after this Wi-Fi connection the hard disk is no longer encrypted. If you boot the device from a USB stick again, you can access all files on the hard disk.
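The two status checks in this post (before deleting the device, and again after the Wi-Fi sync) were done from a screenshot. As an added example that is not part of the original post, the following PowerShell reports the same information for every BitLocker volume from inside the installed Windows, so that an unexpected decryption like the one described above shows up as a warning instead of having to be noticed by hand. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) is available, which is the case on Windows 10/11 but not in WinPE; the function name Get-BitLockerStateReport is my own.

```powershell
# Added example, not code from the original post.
# Assumes the BitLocker module (Get-BitLockerVolume) is present, i.e. this runs in the
# installed Windows, not from a USB-booted WinPE.
function Get-BitLockerStateReport {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | ForEach-Object {
        $v = $_
        # VolumeStatus is FullyEncrypted, FullyDecrypted, EncryptionInProgress or
        # DecryptionInProgress; ProtectionStatus is On or Off.
        # A volume that is FullyEncrypted but has ProtectionStatus Off (suspended) is
        # unlocked without a key, which is as readable from another OS as a decrypted disk,
        # so both conditions are required before a volume is reported as secure.
        $secure = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            MountPoint           = $v.MountPoint
            VolumeType           = $v.VolumeType
            VolumeStatus         = $v.VolumeStatus
            ProtectionStatus     = $v.ProtectionStatus
            EncryptionPercentage = $v.EncryptionPercentage
            KeyProtectors        = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Secure               = $secure
        }
    }
}

# Usage: print the table, then warn on every volume that is not encrypted with protection on.
$report = Get-BitLockerStateReport
$report | Format-Table -AutoSize

$report | Where-Object { -not $_.Secure } | ForEach-Object {
    Write-Warning ("Volume {0} is {1} with protection {2}" -f $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus)
}
```

Running this before the device is deleted from Intune/Azure AD should show C: as FullyEncrypted with protection On; running it again after the device has been on Wi-Fi for a while reproduces the post's finding as DecryptionInProgress or FullyDecrypted. The same fields are available without PowerShell from an elevated prompt with `manage-bde -status C:`.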
This is not at all the desired behavior. The hard disk should definitely remain encrypted for security reasons, even after the device has been deleted from the admin portal.