Changes to BitLocker Reset Process for Re-used Windows Autopilot Devices in Microsoft Intune

In an effort to enhance security measures and streamline processes, Microsoft Intune is set to introduce modifications to the way BitLocker resets are handled for re-used Windows Autopilot devices. These changes are expected to come into effect with the September (2309) service release, aiming to improve the overall security posture of organizations utilizing Windows Autopilot and BitLocker encryption.


Previously, users enjoyed the convenience of self-servicing access to the BitLocker recovery key when re-using devices configured through Windows Autopilot. This feature allowed for a seamless recovery process, ensuring users could easily regain access to their data in case of device restore or reset. However, Microsoft’s forthcoming adjustment will require users to take a different approach.

Once this change is implemented, as described in MC667125, individuals seeking to restore or access the BitLocker recovery key on re-used Windows Autopilot devices will be required to contact their respective IT administrators. This adjustment underlines Microsoft's commitment to elevating security standards and ensuring a controlled approach to accessing sensitive data.

For IT administrators, the transition to the new BitLocker reset process will introduce a few noteworthy alterations. Full access to recovery keys will remain intact both before and after the change. Nevertheless, administrators will now need to explicitly grant access to the self-service BitLocker recovery key on a per-user basis. This process involves authorizing users to unlock their BitLocker-encrypted devices, streamlining the management of access control and bolstering data protection.

Specifically, when an IT admin reallocates a Windows device to a new user, a series of steps should be taken to ensure the transition is seamless. First, it's essential to update the user's information within Azure Active Directory (Azure AD) and Intune. This update will enable a smoother handover of device ownership and access rights. Then, administrators should explicitly authorize self-service BitLocker recovery for the user in question, ensuring that they retain access to their encrypted data without compromising security.

It’s important to note that these changes will exclusively impact users who were previously granted self-service recovery of BitLocker keys during Autopilot. This applies specifically to situations involving device restoration or reset. For the majority of users, who haven’t been granted such privileges, the transition will likely go unnoticed.

To facilitate a seamless adaptation to these impending changes, organizations are encouraged to take proactive measures. To start, notifying the helpdesk about the upcoming modifications is crucial, as it will help support staff prepare for potential user inquiries. Additionally, organizations should update their documentation to reflect the new procedures.
