Thanks for your post!
Is there any solution for a Global Admin in Microsoft 365 to prevent private computers being Azure AD registered, or prevent Bitlocker activating for Azure AD registered computers?
Short answer: not really, but there are some options available depending on your end goal.
If you want to unmanage the devices altogether, you can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune. Or you can disable the encryption from the device itself, as mentioned here.
Otherwise there is an endpoint protection policy where you can set Bitlocker to "Not configured" under Endpoint security > Disk encryption > Create Policy. But there is no option there to disable it entirely and users who select "Allow My Organization To Manage My Device” may still end up with devices that are registered with Bitlocker keys in Intune.
The Bitlocker process is a automated process in Windows and does not need any policy to get enabled. Bitlocker will automatically encrypt the device and back up the recovery key in the following scenarios:
1) When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
2) If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
3) If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
4) Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
This is partly a security measure because if the device gets broken you need the Bitlocker recovery key from Azure AD and if it's deleted from Azure AD, you will lose your data.
I am happy to share your feedback along to the product team if you feel that improvements should be made to the available options.
Resources:
Overview of BitLocker Device Encryption in Windows
How to disable Bitlocker for Azure AD Registered machines
Disable Bitlocker for BYOD
-
If the information helped you, please Accept the answer. This will help us and other community members as well.
