feat: Add MT.1123 - BitLocker encryption policy check (#intune)

Author: OfirGavish

powershell/Maester.psd1

@@ -181,6 +181,7 @@
     'Test-MtAppleVolumePurchaseProgramToken',
     'Test-MtCertificateConnectors', 'Test-MtFeatureUpdatePolicy',
     'Test-MtIntuneDiagnosticSettings', 'Test-MtIntuneRbacGroupsProtected',
+    'Test-MtBitLockerFullDiskEncryption',
     'Test-MtMdmAuthority', 'Test-MtMobileThreatDefenseConnectors',
     'Test-MtTenantCustomization', 'Test-MtWindowsDataProcessor',
     'Test-MtXspmCriticalCredsOnDevicesWithNonCriticalAccounts',

powershell/public/maester/intune/Test-MtBitLockerFullDiskEncryption.md

@@ -0,0 +1,42 @@
+Ensure at least one Intune Disk Encryption policy enforces BitLocker with **full disk encryption type**.
+
+BitLocker Drive Encryption protects data on Windows devices by encrypting the disk.
+However, BitLocker supports two encryption types that have very different security implications:
+
+- **Full disk encryption** — encrypts the entire drive including free space. This is the recommended and secure option.
+- **Used space only encryption** — only encrypts sectors currently holding data. **This is dangerous on drives that previously contained unencrypted data**, because previously deleted files remain as raw data in unencrypted free space. This data can be recovered using commonly available data recovery software (e.g., Recuva, PhotoRec, or forensic imaging tools). NTFS marks deleted file sectors as "free" but does not zero them out — the original bytes stay on disk until overwritten by new data.
+
+**Bottom line:** If BitLocker is enabled with "Used space only" on a drive that already had data on it before encryption was turned on, that pre-existing deleted data is fully recoverable. Only "Full disk encryption" guarantees that the entire drive surface is protected.
+
+This test queries the Intune **Endpoint Security > Disk Encryption** policies via the `configurationPolicies` Graph API and inspects the BitLocker CSP settings to verify that **Enforce drive encryption type** is set to **Full encryption** for OS drives.
+
+#### Remediation action:
+
+1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com).
+2. Go to **Endpoint security** > **Disk encryption**.
+3. Click **+ Create policy**.
+4. Set **Platform** to **Windows 10 and later** and **Profile** to **BitLocker**.
+5. Enter a policy name (e.g., "BitLocker - Full Disk Encryption").
+6. Configure the following settings:
+   - **Require Device Encryption**: **Enabled**
+   - **Allow Warning For Other Disk Encryption**: **Disabled** (enables silent encryption)
+   - **Allow Standard User Encryption**: **Enabled**
+   - **Enforce drive encryption type on operating system drives**: **Enabled**, set to **Full encryption**
+   - **Enforce drive encryption type on fixed data drives**: **Enabled**, set to **Full encryption**
+   - **Choose drive encryption method and cipher strength**: **Enabled**
+     - OS drives: **XTS-AES 256-bit**
+     - Fixed data drives: **XTS-AES 256-bit**
+     - Removable data drives: **AES-CBC 256-bit**
+   - **Require additional authentication at startup**: **Enabled**, with **Require TPM**
+   - **Choose how BitLocker-protected OS drives can be recovered**: **Enabled**, with backup to Entra ID
+7. Assign the policy to your device groups and click **Create**.
+
+#### Related links
+
+- [Microsoft Intune - Endpoint Security Disk Encryption](https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/diskEncryption)
+- [Microsoft Learn - Encrypt devices with BitLocker in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices)
+- [Microsoft Learn - BitLocker CSP reference](https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp)
+- [CIS Benchmark - Ensure BitLocker is enabled on all Windows devices](https://www.cisecurity.org/benchmark/microsoft_intune_for_windows)
+
+<!--- Results --->
+%TestResult%

powershell/public/maester/intune/Test-MtBitLockerFullDiskEncryption.ps1

@@ -0,0 +1,212 @@
+function Test-MtBitLockerFullDiskEncryption {
+    <#
+    .SYNOPSIS
+    Ensure at least one Intune Disk Encryption policy enforces BitLocker with full disk encryption type.
+
+    .DESCRIPTION
+    Checks Intune Endpoint Security Disk Encryption policies (configurationPolicies API) for BitLocker
+    profiles that enforce full disk encryption rather than "Used space only" encryption.
+
+    BitLocker supports two encryption types with very different security implications:
+    - "Full disk encryption" — encrypts the entire drive including free space. This is the secure option.
+    - "Used space only encryption" — only encrypts sectors currently holding data. Previously deleted
+      files that were written before encryption was enabled remain in unencrypted free space and can be
+      recovered using data recovery software (e.g., Recuva, PhotoRec, or forensic tools). This is because
+      NTFS marks sectors as free but does not zero them out — the raw data stays on disk until overwritten.
+
+    This test queries the configurationPolicies Graph API (used by Endpoint Security > Disk Encryption)
+    which exposes the actual BitLocker CSP settings including:
+    - SystemDrivesEncryptionType (OS drive encryption type: full vs used space only)
+    - FixedDrivesEncryptionType (fixed drive encryption type: full vs used space only)
+    - RequireDeviceEncryption (require BitLocker encryption)
+    - EncryptionMethodByDriveType (cipher strength: XTS-AES 128/256, AES-CBC 128/256)
+
+    The test passes only if at least one BitLocker Disk Encryption policy has the OS drive encryption
+    type set to "Full encryption". It fails if no policies exist, if encryption type is set to
+    "Used space only", or if the encryption type setting is not configured.
+
+    .EXAMPLE
+    Test-MtBitLockerFullDiskEncryption
+
+    Returns true if at least one Disk Encryption policy enforces full disk encryption for OS drives.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtBitLockerFullDiskEncryption
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (-not (Get-MtLicenseInformation -Product Intune)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedIntune
+        return $null
+    }
+
+    try {
+        # Query Endpoint Security Disk Encryption policies (configurationPolicies API)
+        $policies = Invoke-MtGraphRequest -RelativeUri 'deviceManagement/configurationPolicies' -ApiVersion beta
+
+        # Filter to BitLocker Disk Encryption policies by template family
+        $bitLockerPolicies = $policies | Where-Object {
+            $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' -and
+            $_.templateReference.templateDisplayName -eq 'BitLocker'
+        }
+
+        if (-not $bitLockerPolicies -or $bitLockerPolicies.Count -eq 0) {
+            $testResultMarkdown = "No Endpoint Security Disk Encryption (BitLocker) policies found in Intune.`n`n"
+            $testResultMarkdown += "Create a BitLocker policy under **Endpoint Security > Disk Encryption** with "
+            $testResultMarkdown += "**Enforce drive encryption type** set to **Full encryption** for OS and fixed data drives."
+            Add-MtTestResultDetail -Result $testResultMarkdown
+            return $false
+        }
+
+        # Setting definition IDs for BitLocker CSP settings
+        $osEncryptionTypeId = 'device_vendor_msft_bitlocker_systemdrivesencryptiontype'
+        $osEncryptionTypeDropdownId = 'device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name'
+        $fixedEncryptionTypeId = 'device_vendor_msft_bitlocker_fixeddrivesencryptiontype'
+        $fixedEncryptionTypeDropdownId = 'device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdeencryptiontypedropdown_name'
+        $requireEncryptionId = 'device_vendor_msft_bitlocker_requiredeviceencryption'
+        $encryptionMethodId = 'device_vendor_msft_bitlocker_encryptionmethodbydrivetype'
+        $osEncryptionMethodDropdownId = 'device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name'
+
+        # Encryption type value suffixes: _0 = Allow user to choose, _1 = Full encryption, _2 = Used Space Only
+        $encryptionTypeLabels = @{
+            '_0' = 'Allow user to choose'
+            '_1' = 'Full encryption'
+            '_2' = 'Used Space Only'
+        }
+
+        # Encryption method value suffixes: _3=AES-CBC 128, _4=AES-CBC 256, _6=XTS-AES 128, _7=XTS-AES 256
+        $encryptionMethodLabels = @{
+            '_3' = 'AES-CBC 128-bit'
+            '_4' = 'AES-CBC 256-bit'
+            '_6' = 'XTS-AES 128-bit'
+            '_7' = 'XTS-AES 256-bit'
+        }
+
+        $policyResults = @()
+        $hasFullEncryption = $false
+
+        foreach ($policy in $bitLockerPolicies) {
+            # Fetch settings for this policy with definitions expanded
+            $settingsUri = "deviceManagement/configurationPolicies('$($policy.id)')/settings?`$expand=settingDefinitions&top=1000"
+            $settingsResponse = Invoke-MtGraphRequest -RelativeUri $settingsUri -ApiVersion beta
+
+            $policyDetail = @{
+                Name               = $policy.name
+                RequireEncryption  = 'Not configured'
+                OsEncryptionType   = 'Not configured'
+                FixedEncryptionType = 'Not configured'
+                OsEncryptionMethod = 'Not configured'
+            }
+
+            foreach ($setting in $settingsResponse) {
+                $defId = $setting.settingInstance.settingDefinitionId
+
+                # Check RequireDeviceEncryption
+                if ($defId -eq $requireEncryptionId) {
+                    $val = $setting.settingInstance.choiceSettingValue.value
+                    if ($val -like '*_1') {
+                        $policyDetail.RequireEncryption = 'Enabled'
+                    } else {
+                        $policyDetail.RequireEncryption = 'Disabled'
+                    }
+                }
+
+                # Check OS drive encryption type (SystemDrivesEncryptionType)
+                if ($defId -eq $osEncryptionTypeId) {
+                    $parentVal = $setting.settingInstance.choiceSettingValue.value
+                    if ($parentVal -like '*_1') {
+                        # Enabled — check the child dropdown for the actual encryption type
+                        $children = $setting.settingInstance.choiceSettingValue.children
+                        foreach ($child in $children) {
+                            if ($child.settingDefinitionId -eq $osEncryptionTypeDropdownId) {
+                                $dropdownVal = $child.choiceSettingValue.value
+                                foreach ($suffix in $encryptionTypeLabels.Keys) {
+                                    if ($dropdownVal -like "*$suffix") {
+                                        $policyDetail.OsEncryptionType = $encryptionTypeLabels[$suffix]
+                                        if ($suffix -eq '_1') { $hasFullEncryption = $true }
+                                    }
+                                }
+                            }
+                        }
+                    } else {
+                        $policyDetail.OsEncryptionType = 'Disabled'
+                    }
+                }
+
+                # Check Fixed drive encryption type (FixedDrivesEncryptionType)
+                if ($defId -eq $fixedEncryptionTypeId) {
+                    $parentVal = $setting.settingInstance.choiceSettingValue.value
+                    if ($parentVal -like '*_1') {
+                        $children = $setting.settingInstance.choiceSettingValue.children
+                        foreach ($child in $children) {
+                            if ($child.settingDefinitionId -eq $fixedEncryptionTypeDropdownId) {
+                                $dropdownVal = $child.choiceSettingValue.value
+                                foreach ($suffix in $encryptionTypeLabels.Keys) {
+                                    if ($dropdownVal -like "*$suffix") {
+                                        $policyDetail.FixedEncryptionType = $encryptionTypeLabels[$suffix]
+                                    }
+                                }
+                            }
+                        }
+                    } else {
+                        $policyDetail.FixedEncryptionType = 'Disabled'
+                    }
+                }
+
+                # Check encryption method (cipher strength)
+                if ($defId -eq $encryptionMethodId) {
+                    $parentVal = $setting.settingInstance.choiceSettingValue.value
+                    if ($parentVal -like '*_1') {
+                        $children = $setting.settingInstance.choiceSettingValue.children
+                        foreach ($child in $children) {
+                            if ($child.settingDefinitionId -eq $osEncryptionMethodDropdownId) {
+                                $methodVal = $child.choiceSettingValue.value
+                                foreach ($suffix in $encryptionMethodLabels.Keys) {
+                                    if ($methodVal -like "*$suffix") {
+                                        $policyDetail.OsEncryptionMethod = $encryptionMethodLabels[$suffix]
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+            $policyResults += $policyDetail
+        }
+
+        # Build result markdown
+        $testResultMarkdown = "Found $($bitLockerPolicies.Count) BitLocker Disk Encryption policy/policies in Intune.`n`n"
+        $testResultMarkdown += "| Policy | Require Encryption | OS Encryption Type | Fixed Encryption Type | OS Cipher |`n"
+        $testResultMarkdown += "| --- | --- | --- | --- | --- |`n"
+        foreach ($p in $policyResults) {
+            $testResultMarkdown += "| $($p.Name) | $($p.RequireEncryption) | $($p.OsEncryptionType) | $($p.FixedEncryptionType) | $($p.OsEncryptionMethod) |`n"
+        }
+
+        if ($hasFullEncryption) {
+            $testResultMarkdown += "`n**Result:** At least one BitLocker policy enforces **Full encryption** for OS drives."
+
+            # Warn if any policy uses Used Space Only
+            $usedSpaceOnly = $policyResults | Where-Object { $_.OsEncryptionType -eq 'Used Space Only' }
+            if ($usedSpaceOnly) {
+                $testResultMarkdown += "`n`n> **Warning:** $($usedSpaceOnly.Count) policy/policies use **Used Space Only** encryption. "
+                $testResultMarkdown += "Previously deleted data remains recoverable from unencrypted free space on those devices."
+            }
+
+            Add-MtTestResultDetail -Result $testResultMarkdown
+            return $true
+        } else {
+            $testResultMarkdown += "`n**Result:** No BitLocker policy enforces **Full encryption** for OS drives.`n`n"
+            $testResultMarkdown += "> **Risk:** If 'Used space only' encryption is configured (or encryption type is not enforced), "
+            $testResultMarkdown += "data written to the disk before BitLocker was enabled remains as raw unencrypted data in free space "
+            $testResultMarkdown += "and can be recovered using commonly available data recovery tools (Recuva, PhotoRec, forensic imaging)."
+            Add-MtTestResultDetail -Result $testResultMarkdown
+            return $false
+        }
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}

tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1

@@ -61,4 +61,11 @@ Describe "Maester/Intune" -Tag "Maester", "Intune" {
             $result | Should -Be $true -Because "MDM Authority is set to Intune."
         }
     }
+
+    It "MT.1123: Ensure BitLocker full disk encryption is configured" -Tag "MT.1123" {
+        $result = Test-MtBitLockerFullDiskEncryption
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "at least one Intune Endpoint Protection profile enforces BitLocker full disk encryption."
+        }
+    }
 }

tests/maester-config.json

@@ -1349,6 +1349,11 @@
       "Severity": "Medium",
       "Title": "AI agents should not have orphaned ownership"
     },
+    {
+      "Id": "MT.1123",
+      "Severity": "High",
+      "Title": "Ensure BitLocker full disk encryption is configured via Intune"
+    },
     {
       "Id": "ORCA.100",
       "Severity": "Medium",

website/versioned_docs/version-2.0.0/tests/maester/MT.1123.md

@@ -0,0 +1,41 @@
+---
+title: MT.1123 - Ensure BitLocker full disk encryption is configured via Intune
+description: Checks if at least one Intune Endpoint Protection profile enforces BitLocker full disk encryption for OS and fixed data drives.
+slug: /tests/MT.1123
+sidebar_class_name: hidden
+---
+
+# Ensure BitLocker full disk encryption is configured via Intune
+
+## Description
+
+BitLocker Drive Encryption protects data on Windows devices, but the **encryption type** setting is critical:
+
+- **Full disk encryption** — encrypts the entire drive including free space. This is the secure option.
+- **Used space only encryption** — only encrypts sectors currently holding data. Previously deleted files that existed before encryption was enabled remain as raw data in unencrypted free space and **can be recovered using data recovery software** (e.g., Recuva, PhotoRec, forensic imaging tools). This happens because NTFS marks deleted sectors as "free" but does not zero them — the original bytes persist on disk until overwritten.
+
+This test checks that at least one Windows 10/11 Endpoint Protection configuration profile exists in Intune with BitLocker settings configured. It inspects `bitLockerEncryptDevice`, `bitLockerSystemDrivePolicy`, and `bitLockerFixedDrivePolicy` via the Graph API.
+
+> **Note:** The Endpoint Protection Graph API does not expose the "encryption type" (full disk vs used space only) setting. That is controlled via the BitLocker CSP (`SystemDrivesEncryptionType` / `FixedDrivesEncryptionType`), configured through Intune **Settings Catalog** or **Disk Encryption** profiles. When BitLocker is detected, the test outputs a warning to verify full disk encryption is enforced.
+
+## How to fix
+
+1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com).
+2. Click **Devices** > **Manage devices** > **Configuration**.
+3. Click **+ Create** > **New policy**.
+4. Set **Platform** to **Windows 10 and later**.
+5. Set **Profile type** to **Templates** > **Endpoint protection**.
+6. Under **Windows Encryption**, configure:
+   - **Encrypt devices**: **Require**
+   - **BitLocker OS drive settings**: Enable, set **Encryption method** to **XTS-AES 256-bit**
+   - **BitLocker fixed drive settings**: Enable, set **Encryption method** to **XTS-AES 256-bit**
+7. **Additionally**, create a **Settings Catalog** or **Disk Encryption** profile to set:
+   - **Enforce drive encryption type on operating system drives**: **Full encryption**
+   - **Enforce drive encryption type on fixed data drives**: **Full encryption**
+8. Assign both profiles to your device groups.
+
+## Learn more
+
+- [Microsoft Intune - Device Configuration](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/configuration)
+- [Microsoft Learn - Encrypt devices with BitLocker in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices)
+- [Microsoft Learn - BitLocker settings reference](https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#windows-settings)