Add MT.1123 - BitLocker Full Disk Encryption Check#1583

Open
OfirGavish wants to merge 1 commit into maester365:main from OfirGavish:feature/mt-1123-bitlocker-encryption-policy

Conversation

@OfirGavish

@OfirGavish OfirGavish commented Apr 3, 2026

Pull Request: Add MT.1123 - BitLocker Full Disk Encryption Check

Summary

Adds a new Intune test MT.1123 that verifies at least one Intune Endpoint Security > Disk Encryption policy enforces BitLocker with full disk encryption type for OS drives — not just that BitLocker is configured, but that the encryption type is explicitly set to protect the entire drive.

Motivation

BitLocker Drive Encryption is a critical security control, but the encryption type setting makes all the difference:

  • Full disk encryption — encrypts the entire drive including free space. Secure.
  • Used space only encryption — only encrypts sectors currently holding data. Dangerous on drives with pre-existing data, because previously deleted files remain as raw unencrypted data in free space. NTFS marks sectors as "free" but does not zero them out — the original bytes persist on disk until overwritten. This means data written to the disk before encryption was enabled can be fully recovered using commonly available data recovery software (Recuva, PhotoRec, forensic imaging tools, etc.).

There is currently no Maester test to verify that BitLocker is configured via Intune, let alone that the encryption type is set correctly. This test fills that gap by:

  • Querying the configurationPolicies Graph API (Endpoint Security > Disk Encryption blade)
  • Filtering to BitLocker policies via templateReference.templateFamily = "endpointSecurityDiskEncryption"
  • Fetching each policy's settings via configurationPolicies('{id}')/settings?$expand=settingDefinitions
  • Inspecting the actual BitLocker CSP values: SystemDrivesEncryptionType, FixedDrivesEncryptionType, RequireDeviceEncryption, EncryptionMethodByDriveType
  • Directly validating that the OS drive encryption type is set to "Full encryption" (not "Used space only" or "Allow user to choose")
  • Reporting all policies and their settings in a markdown table

Graph API Approach

This test uses the configurationPolicies API (the same API used by the Intune admin center's Endpoint Security > Disk Encryption blade), NOT the older deviceConfigurations API. The configurationPolicies API exposes the full BitLocker CSP settings including:

  • SystemDrivesEncryptionType — OS drive encryption type (Full / Used Space Only / Allow user to choose)
  • FixedDrivesEncryptionType — Fixed drive encryption type
  • RequireDeviceEncryption — Whether encryption is required
  • EncryptionMethodByDriveType — Cipher strength (XTS-AES 128/256, AES-CBC 128/256)

This eliminates the previous limitation where the older Endpoint Protection API (windows10EndpointProtectionConfiguration) did not expose the encryption type setting.

Files Changed

| File | Change |
| --- | --- |
| powershell/public/maester/intune/Test-MtBitLockerFullDiskEncryption.ps1 | New — PowerShell function |
| powershell/public/maester/intune/Test-MtBitLockerFullDiskEncryption.md | New — Remediation docs |
| tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 | Modified — Add MT.1123 test entry |
| tests/maester-config.json | Modified — Add MT.1123 severity config |
| website/versioned_docs/version-2.0.0/tests/maester/MT.1123.md | New — Documentation page |

Test Details

  • ID: MT.1123
  • Category: Intune / Device Management
  • Severity: High
  • Tag: MT.1123, Maester, Intune
  • Required permissions: DeviceManagementConfiguration.Read.All
  • License: Intune

What the test checks

  1. Queries deviceManagement/configurationPolicies via the beta Graph API
  2. Filters to BitLocker Disk Encryption policies (templateReference.templateFamily = "endpointSecurityDiskEncryption")
  3. For each matching policy, fetches settings via configurationPolicies('{id}')/settings?$expand=settingDefinitions
  4. Inspects the BitLocker CSP settings:
    • RequireDeviceEncryption — whether encryption is required
    • SystemDrivesEncryptionType → child dropdown — OS drive encryption type (Full / Used Space Only / Allow user to choose)
    • FixedDrivesEncryptionType → child dropdown — Fixed drive encryption type
    • EncryptionMethodByDriveType → child dropdowns — cipher strength per drive type
  5. Passes if at least one policy has OS drive encryption type set to Full encryption
  6. Fails if no BitLocker policies exist, or none enforce full encryption type
  7. Outputs a markdown table showing all policies and their actual encryption settings

Test output example

Found 1 BitLocker Disk Encryption policy/policies in Intune.

| Policy | Require Encryption | OS Encryption Type | Fixed Encryption Type | OS Cipher |
| --- | --- | --- | --- | --- |
| Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.7 | Enabled | Full encryption | Not configured | XTS-AES 256-bit |

**Result:** At least one BitLocker policy enforces **Full encryption** for OS drives.

Remediation guidance

The test documentation includes step-by-step instructions to:

  1. Create a BitLocker policy under Endpoint Security > Disk Encryption
  2. Set Enforce drive encryption type on operating system drives to Full encryption
  3. Set Enforce drive encryption type on fixed data drives to Full encryption
  4. Configure XTS-AES 256-bit cipher strength and silent encryption
  5. The docs explain why "Used space only" is dangerous: deleted data remains recoverable from unencrypted free space

Related

Checklist

  • New PowerShell function follows existing pattern (Get-MtLicenseInformation, Invoke-MtGraphRequest, Add-MtTestResultDetail)
  • Comment-based help header inside function body (per #1568, Move all comment-based help headers inside function bodies)
  • Uses configurationPolicies API (same as Intune admin center Disk Encryption blade)
  • Directly validates encryption type via BitLocker CSP settings (no manual verification needed)
  • Markdown remediation doc with %TestResult% placeholder
  • Test entry in Test-MtIntunePlatform.Tests.ps1 with proper tag
  • Config entry in maester-config.json
  • FunctionsToExport updated in Maester.psd1
  • Website documentation page with frontmatter

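The following is an added worked example, not the PR's or Maester's code, showing the evaluation the description walks through: flatten a settings-catalog policy's `settings` response (choice values and their child dropdowns), read the OS drive encryption type, and pass only when at least one policy enforces Full encryption. It runs offline against a constructed sample response. The setting definition IDs, the `_0/_1/_2` choice value suffixes, and the live-fetch function (which uses `Invoke-MgGraphRequest` from Microsoft.Graph.Authentication and is not called below) are assumptions based on the settings-catalog naming convention; confirm the IDs against the `?$expand=settingDefinitions` output of a real tenant before relying on them.

```powershell
# Added example (not Maester's or the PR's code). Parses Intune settings-catalog BitLocker settings
# and decides whether the OS drive encryption type is "Full encryption".
# ASSUMPTION: definition IDs and value suffixes follow the settings-catalog convention; verify them
# against configurationPolicies('{id}')/settings?$expand=settingDefinitions in your tenant.
$OsTypeDropdownId    = 'device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name'
$RequireEncryptionId = 'device_vendor_msft_bitlocker_requiredeviceencryption'
# BitLocker CSP OSEncryptionType: 0 = Allow user to choose, 1 = Full encryption, 2 = Used space only
$OsTypeNames = @{ '0' = 'Allow user to choose'; '1' = 'Full encryption'; '2' = 'Used space only' }

function Get-SettingValues {
    # Flatten one settingInstance tree into definitionId -> value, descending into choice children
    # and group collections so nested dropdowns (such as the OS encryption type) are reachable.
    param([Parameter(Mandatory)] [object] $Instance, [hashtable] $Acc = @{})
    $id = $Instance.settingDefinitionId
    if ($Instance.choiceSettingValue) {
        $Acc[$id] = $Instance.choiceSettingValue.value
        foreach ($child in @($Instance.choiceSettingValue.children)) {
            $null = Get-SettingValues -Instance $child -Acc $Acc
        }
    } elseif ($Instance.simpleSettingValue) {
        $Acc[$id] = $Instance.simpleSettingValue.value
    } elseif ($Instance.groupSettingCollectionValue) {
        foreach ($group in @($Instance.groupSettingCollectionValue)) {
            foreach ($child in @($group.children)) { $null = Get-SettingValues -Instance $child -Acc $Acc }
        }
    }
    return $Acc
}

function Get-BitLockerPolicySummary {
    # Summarise one policy's /settings 'value' array into the columns the test reports.
    param([Parameter(Mandatory)] [string] $PolicyName, [Parameter(Mandatory)] [object[]] $Settings)
    $values = @{}
    foreach ($entry in $Settings) { $values = Get-SettingValues -Instance $entry.settingInstance -Acc $values }
    $osType = $values[$OsTypeDropdownId]
    # Choice value IDs end in _<n>; map the numeric suffix back to the CSP meaning.
    $suffix = if ($osType) { $osType.Substring($osType.LastIndexOf('_') + 1) } else { $null }
    $typeName = if ($suffix -and $OsTypeNames.ContainsKey($suffix)) { $OsTypeNames[$suffix] } else { 'Not configured' }
    [pscustomobject]@{
        Policy            = $PolicyName
        RequireEncryption = [bool]($values[$RequireEncryptionId] -like '*_1')
        OsEncryptionType  = $typeName
        EnforcesFullOs    = [bool]($suffix -eq '1')
    }
}

function Test-BitLockerFullDiskEncryption {
    # Pass if at least one policy enforces Full encryption on OS drives; always return a markdown table.
    param([Parameter(Mandatory)] [object[]] $PolicySummaries)
    $compliant = @($PolicySummaries | Where-Object { $_.EnforcesFullOs })
    $rows = $PolicySummaries | ForEach-Object { "| $($_.Policy) | $($_.RequireEncryption) | $($_.OsEncryptionType) |" }
    [pscustomobject]@{
        Passed    = $compliant.Count -gt 0
        Compliant = @($compliant.Policy)
        Markdown  = (@('| Policy | Require Encryption | OS Encryption Type |', '| --- | --- | --- |') + $rows) -join "`n"
    }
}

function Get-IntuneBitLockerPolicySummaries {
    # Live path (not run below): needs Connect-MgGraph with DeviceManagementConfiguration.Read.All.
    # Filters client-side on templateReference.templateFamily and follows @odata.nextLink paging.
    $base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
    $uri = $base; $policies = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $policies += $page.value
        $uri = $page.'@odata.nextLink'
    }
    foreach ($p in $policies | Where-Object { $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }) {
        $settings = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "$base('$($p.id)')/settings?`$expand=settingDefinitions").value
        Get-BitLockerPolicySummary -PolicyName $p.name -Settings $settings
    }
}

# Constructed sample /settings response (shape only; IDs per the assumption above) with the OS drive
# dropdown set to "Used space only" (_2). A second copy with Full encryption (_1) is derived from it.
$usedSpaceOnlyJson = @'
[ { "id": "0", "settingInstance": {
      "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
      "settingDefinitionId": "device_vendor_msft_bitlocker_requiredeviceencryption",
      "choiceSettingValue": { "value": "device_vendor_msft_bitlocker_requiredeviceencryption_1", "children": [] } } },
  { "id": "1", "settingInstance": {
      "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
      "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype",
      "choiceSettingValue": { "value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1", "children": [
        { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
          "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name",
          "choiceSettingValue": { "value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_2", "children": [] } } ] } } } ]
'@
$fullJson = $usedSpaceOnlyJson -replace 'osencryptiontypedropdown_name_2"', 'osencryptiontypedropdown_name_1"'

$summaries = @(
    Get-BitLockerPolicySummary -PolicyName 'BitLocker - used space only' -Settings @($usedSpaceOnlyJson | ConvertFrom-Json)
    Get-BitLockerPolicySummary -PolicyName 'BitLocker - full'            -Settings @($fullJson | ConvertFrom-Json)
)
$result = Test-BitLockerFullDiskEncryption -PolicySummaries $summaries
$result.Markdown
"Passed: $($result.Passed) (compliant: $($result.Compliant -join ', '))"
```

With the constructed sample the test passes because only the second policy enforces Full encryption; drop that policy from `$summaries` and it fails with the "Used space only" row still in the table, which is the case the PR's motivation section warns about. Matching on the child dropdown rather than the parent `SystemDrivesEncryptionType` value matters: the parent only records that the setting is enabled, and the child carries the actual Full / Used space only / Allow user to choose selection.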
@OfirGavish OfirGavish requested review from a team as code owners April 3, 2026 12:10
@codacy-production

codacy-production bot commented Apr 3, 2026

Up to standards ✅

🟢 Issues: 0 issues

Results:
0 new issues

@OfirGavish OfirGavish force-pushed the feature/mt-1123-bitlocker-encryption-policy branch 2 times, most recently from b58eab3 to 8954167 on April 3, 2026 12:52
@OfirGavish OfirGavish force-pushed the feature/mt-1123-bitlocker-encryption-policy branch from 8954167 to 11969d2 on April 3, 2026 13:07