Windows BitLocker Encryption: Lost or Stolen Device Data Exposure

Why this risk matters

BitLocker is full-volume encryption: it encrypts the operating system and data volumes so that, without the volume key, the contents of the disk are ciphertext. On an unencrypted device, anyone with physical access can remove the drive, boot from external media, or image the disk with forensic tools and read every file. The Windows sign-in password offers no protection here; it gates the running operating system, not the bytes on the disk, and is irrelevant once the drive is read from outside Windows.

Device loss and theft are among the most common causes of data breaches in organisations with distributed workforces. A laptop left in a taxi, stolen from a car, or taken from a co-working space represents a complete data exposure event if BitLocker isn't active. The data on that device — emails, documents, cached credentials, browser sessions, and local copies of cloud files — is accessible to whoever has the physical machine.

BitLocker managed through Intune with recovery keys escrowed to Entra ID is the standard for modern managed Windows environments. It is low-friction, transparent to users once configured, and provides compliance evidence that the device's data is protected at rest.

What happens if this is abused

  • A lost or stolen device gives the attacker complete access to every file on its storage without needing to crack or bypass Windows credentials
  • Cached browser credentials, saved passwords and locally stored tokens are protected only by DPAPI, whose master keys sit on the same disk and are derived from the user's password, so they can be recovered offline by cracking that password; the local SAM and cached domain logon verifiers can be read for offline cracking or pass-the-hash in the same way
  • Local copies of OneDrive or SharePoint files synced to the device are exposed
  • Locally cached Exchange data (OST files) contains a full offline copy of the user's recent emails and attachments
  • Device certificates and private keys used for VPN or other authentication are extractable if they live in a software key store rather than the TPM
  • Regulatory and contractual breach notification obligations may be triggered by the exposure of unencrypted personal data; many regimes exempt data that was encrypted at rest, which is one of the main compliance arguments for BitLocker

When this is expected or acceptable

BitLocker is appropriate for virtually all Windows managed devices. Very limited exceptions:

  • Stationary desktops in physically secured facilities where physical theft is not a realistic risk may not require encryption, though it is still recommended for defence in depth
  • Older hardware without a TPM cannot be encrypted silently by Intune (BitLocker itself works with TPM 1.2 or 2.0); BitLocker can still be enabled with a password or USB startup-key protector, but that is interactive and easier to get wrong, so such devices should generally be replaced rather than left unencrypted
  • Shared kiosk or lab devices with no user data may warrant a different approach, though encryption is still generally recommended

In most managed environments, there is no good reason not to have BitLocker enabled. The performance impact on modern hardware is negligible and the deployment is fully automated through Intune.

Checks to perform before taking action

  • In Intune, check whether a BitLocker configuration profile is deployed, which groups it is assigned to, and what its current compliance rate is
  • Review the device encryption report (Intune > Devices > Monitor > Encryption report) to identify managed Windows devices that report as unencrypted
  • Confirm that BitLocker recovery keys are being escrowed to Entra ID. This is essential for helpdesk-assisted recovery when a user forgets a PIN, a firmware update changes the measured boot state, or a board fails. Escrow happens when the recovery password protector is created after the policy applies; devices that were already encrypted before the policy arrived may have a key that was never backed up, so check the tenant for the device's key rather than assuming
  • Check which key protector is required. A TPM protector seals the volume key to the measured boot state and unlocks without user interaction; a password or startup-key protector does not depend on the TPM and is only as strong as the secret the user carries. TPM-only unlock is still exposed to attacks on a powered-on or booting machine (cold-boot and DMA attacks, sniffing a discrete TPM's bus), which is why higher-security environments add a startup PIN
  • Identify devices where encryption has failed, is still in progress, or has been suspended (protection off with the volume still encrypted), and investigate the cause before re-deploying
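The device-side version of these checks, as an added example that is not part of the original page or of Microsoft's documentation: run it in an elevated PowerShell session on a managed Windows device. It uses only the built-in BitLocker and TrustedPlatformModule modules. The escrow check is a heuristic: it looks for event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log, which Windows writes when recovery information for a volume is backed up to Entra ID (Azure AD), so a device whose event log has been cleared will show as not escrowed even if the key is in the tenant. The tenant-side report remains the source of truth; the function name and the set of findings are my choices.

```powershell
# Added example, not from the original page: local BitLocker posture audit for one Windows device.
# Run elevated. Requires the built-in BitLocker and TrustedPlatformModule modules (Windows 8+/Server 2012+).
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    $tpm     = Get-Tpm
    $volumes = Get-BitLockerVolume

    # Event 845 = "recovery information ... was backed up successfully to your Azure AD" (846 = failure).
    # Heuristic only: a cleared log makes an escrowed key look missing; the tenant is authoritative.
    $escrowEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -ErrorAction SilentlyContinue

    foreach ($v in $volumes) {
        # Protector types are an enum: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword,
        # ExternalKey, Password ... Normalise to strings so the checks below are plain text matches.
        $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm      = [bool]($protectorTypes -match '^Tpm')        # any TPM-sealed protector
        $hasPin      = [bool]($protectorTypes -match '^TpmPin')     # TPM+PIN or TPM+PIN+key
        $hasRecovery = $protectorTypes -contains 'RecoveryPassword'

        # The event text names the volume letter; match on it so D: is not reported as escrowed because C: was.
        $escrowed = [bool]($escrowEvents | Where-Object { $_.Message -like "*$($v.MountPoint)*" })

        $status  = $v.VolumeStatus.ToString()
        $protect = $v.ProtectionStatus.ToString()
        $method  = $v.EncryptionMethod.ToString()

        $findings = [System.Collections.Generic.List[string]]::new()
        if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) { $findings.Add('TPM absent or not ready') }
        if ($status -ne 'FullyEncrypted')                 { $findings.Add("Volume status is $status") }
        if ($protect -ne 'On')                            { $findings.Add('Protection is Off (suspended or never enabled)') }
        if (-not $hasTpm)                                 { $findings.Add('No TPM-based key protector') }
        if (-not $hasRecovery)                            { $findings.Add('No recovery password protector') }
        if ($hasRecovery -and -not $escrowed)             { $findings.Add('No Entra ID escrow event for this volume') }
        if ($method -notin @('XtsAes128', 'XtsAes256'))   { $findings.Add("Encryption method is $method (expected XTS-AES)") }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType.ToString()
            VolumeStatus     = $status
            ProtectionStatus = $protect
            EncryptionMethod = $method
            Protectors       = ($protectorTypes -join ',')
            TpmPresent       = [bool]$tpm.TpmPresent
            StartupPin       = $hasPin
            RecoveryEscrowed = $escrowed
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerPosture | Format-List
```

A volume that reports FullyEncrypted with ProtectionStatus Off is the suspended case from the last bullet: the data is still encrypted, but the volume key is stored in the clear on disk until protection is resumed, so treat it as unencrypted for risk purposes.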

Safe remediation steps

  1. Create or review a BitLocker configuration profile in Intune (Endpoint security > Disk encryption > Create policy > Windows > BitLocker)
  2. Configure: require device encryption for the OS drive, require a TPM protector, use XTS-AES as the encryption method, enable a startup PIN for higher-security environments, and set recovery password escrow to Entra ID with the recovery password protector required before encryption starts
  3. Assign the profile to a pilot group first, confirm that devices encrypt and escrow as expected, then broaden to All devices (or your managed device group)
  4. Devices that are not yet encrypted begin encryption in the background with negligible impact on modern hardware. Encryption is silent only with a TPM-only protector: if the policy requires a startup PIN, the user must set it interactively before encryption starts, and a device without a usable TPM will not encrypt at all
  5. Monitor the encryption report to track rollout progress and identify any devices that fail to encrypt
  6. For devices that fail to encrypt, identify the cause before retrying: the device's policy diagnostics in Intune, the BitLocker Management and BitLocker-API event logs on the device, and `manage-bde -status` usually show it directly (TPM absent or not ready, third-party encryption already present, BitLocker suspended, or a conflicting policy)
  7. Confirm that a recovery key is visible in Entra ID for every encrypted device before considering the rollout complete; a device that encrypted before the policy applied may show as encrypted in Intune with no escrowed key
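A tenant-wide version of steps 5 and 7, as an added example that is not from the original page: it runs from an admin workstation with the Microsoft Graph PowerShell SDK and lists Windows devices that Intune reports as unencrypted, plus encrypted devices with no recovery key escrowed to Entra ID. The join is Intune's azureADDeviceId against the recovery key's deviceId. The scopes, the 30-day staleness threshold and the function name are my assumptions; reading key material itself needs BitLockerKey.Read.All and a per-key request, which this script deliberately does not do.

```powershell
# Added example, not from the original page: BitLocker rollout gaps across the tenant via Microsoft Graph.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can consent to the two read scopes.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'BitLockerKey.ReadBasic.All' -NoWelcome

function Get-BitLockerRolloutGaps {
    [CmdletBinding()]
    param(
        # Devices that have not checked in for this long are flagged: they may never receive the policy.
        [int]$StaleDays = 30
    )

    # Intune's view: isEncrypted is what the device last reported for its OS drive.
    $windows = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.OperatingSystem -eq 'Windows' }

    # Entra ID's view: one bitlockerRecoveryKey object per escrowed volume, keyed by the Entra device ID.
    # ReadBasic returns metadata only (id, createdDateTime, deviceId, volumeType), never the key itself.
    $keysByDevice = Get-MgInformationProtectionBitlockerRecoveryKey -All |
        Group-Object -Property DeviceId -AsHashTable -AsString

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($d in $windows) {
        $keys = $null
        if ($d.AzureAdDeviceId -and $keysByDevice) { $keys = $keysByDevice[$d.AzureAdDeviceId] }

        $state = 'Ok'
        if (-not $d.IsEncrypted)                  { $state = 'NotEncrypted' }
        if ($d.IsEncrypted -and -not $keys)       { $state = 'EncryptedNoEscrowedKey' }

        $stale = ($null -eq $d.LastSyncDateTime) -or ($d.LastSyncDateTime -lt $cutoff)
        if ($stale -and $state -ne 'Ok')          { $state = "$state (stale)" }

        [pscustomobject]@{
            DeviceName     = $d.DeviceName
            IntuneDeviceId = $d.Id
            EntraDeviceId  = $d.AzureAdDeviceId
            IsEncrypted    = [bool]$d.IsEncrypted
            EscrowedKeys   = @($keys).Count
            LastSync       = $d.LastSyncDateTime
            State          = $state
        }
    }
}

# Only the gaps; drop the Where-Object to see the full inventory.
Get-BitLockerRolloutGaps |
    Where-Object State -ne 'Ok' |
    Sort-Object State, DeviceName |
    Format-Table -AutoSize
```

EncryptedNoEscrowedKey devices are the ones step 7 is about: the disk is protected, but a forgotten PIN or a firmware change will lock the user out with no helpdesk path. On the device, a recovery password protector that exists but was never backed up can be escrowed with the BackupToAAD-BitLockerKeyProtector cmdlet from the BitLocker module; a device with no recovery protector at all needs one added before it can be backed up.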

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Devices Overview — review the broader managed device posture alongside BitLocker compliance
  • Intune Policy Coverage Gaps — BitLocker is one of several baseline Intune policies; review overall policy coverage
  • Windows Hello for Business — pairing BitLocker with passwordless sign-in removes credential-based attack surface alongside physical device protection
  • Windows Local Admin Control — an unencrypted device with a local admin account is a particularly high-risk combination