How to force escrowing of BitLocker recovery keys using Intune

Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD.

As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so.

try{
$BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $KPID=""
        foreach($KP in $BitlockerVol.KeyProtector){
            if($KP.KeyProtectorType -eq "RecoveryPassword"){
                $KPID=$KP.KeyProtectorId
                break;
            }
        }
       $output = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KPID
return $true
}
catch{
     return $false
}

To set this up in Intune, follow the steps below.

1. Sign-in to the Microsoft Endpoint Manager admin center portal. 
2. Browse to Devices – Windows – PowerShell Scripts
3. Click on Add
4. Give a Name
5. Select the script
6. Set Run this script using the logged on credentials as No
7. Set Enforce script signature check to No
8. Set Run script in 64 bit PowerShell Host as Yes
9. Deploy to the user\device based group.

Once the script executes, the devices should escrow the recovery key to AAD almost immediately. You can check under Devices->Windows->Recovery Keys


Or AAD->Devices


Or head over to Graph Explorer – Microsoft Graph and pull the details on the recovery keys and devices ids using https://graph.microsoft.com/beta/bitlocker/recoveryKeys.


References


Comments

  1. Hi, thank you for your post, i have a problem using the BackupToAAD-BitLockerKeyProtector command, it says access denied, but I'm using a local admin and domain administrator account. When i use ADD-Bitlockerkeyprotector or Backup-Bitlockerkeyprotector or manage-bde -protectors -adbackup i don't have any problem.

    I'm testing this in an Azure Hybrid Computer, recovery keys are being safe without any problem to the local ad domain but i need to backup them to azure ad.

    ReplyDelete
    Replies
    1. Also in case you respond, i configured the bitlocker policy so standard users can enable bitlocker, so it shouldnt ask for special permissions.

      Delete
    2. What version of Windows 10 are you on? Also, are you running the script with user credentials or system?

      Delete
  2. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. I hope to have many more entries or so from you.
    Very interesting blog.
    recover-keys-enterprise Crack

    ReplyDelete
  3. this script doesnt work :/

    ReplyDelete



  4. Amazing blog! I really like the way you explained such information about this post with us. And blog is really helpful for us this website
    recover-keys-enterprise-crack

    ReplyDelete
  5. I am planning to deploy this script to All Devices group, question is when the script will execute on the machine how it will know for which device ID recovery key to store in AAD ? In the script I dint find any syntax of reading machine hostname or device object ID ? Will your script map the correct recovery key to correct device? (I havent tested it manually yet)

    ReplyDelete
    Replies
    1. The script will run locally on each device and backup the keys in AAD automatically. There is no need to provided device object or name explicitly.

      Delete
  6. How do we get to know in Intune whether script is executed or not. i have assigned for a device group & monitoring in Intune, nothing shows up

    ReplyDelete
    Replies
    1. The script will attempt to retry for 3 times every hour before giving up. How long have you waited? Have you checked on the client side in the Intune extension log?

      Delete
  7. How can we also backup the key (s) for a partitioned drive D:\

    ReplyDelete
    Replies
    1. replace: $env:SystemDrive with D:\

      Delete
  8. if u r using a configuration manager environment, how do u force the client to update the cm db?

    ReplyDelete
    Replies
    1. Then the policies will not be driven through Intune. You will need to check why the policy from ConfigMgr did not result in escrowing the keys in the site db.

      Delete
  9. Followed these instructions. Applied to a device, waited an hour for processing and it is still not processing. Has something changed? a new Intune setting? I manually ran the script on another laptop and it worked.

    ReplyDelete
    Replies
    1. Which part is not working? The script execution on the device through Intune policy or the policy itself? I normally check the Intune logs and event viewer.

      Delete
  10. The script worked perfectly, thanks!

    ReplyDelete
  11. this is known issue of windows 11

    ReplyDelete
  12. in which format the script be? i cant locate my script after saving it

    ReplyDelete
  13. This solution did it for me: https://blog.mindcore.dk/2023/11/how-to-migrate-bitlocker-keys-from-all-fixed-drives-to-microsoft-entra-id/

    Fixed all my bitlocker AAD Intune issues.

    ReplyDelete
    Replies
    1. Yes, another great solution covered by the author of blog post you shared. There have been many approaches posted in the technical community since 2021 when I last posted my experience.

      Delete
  14. You script worked awesome Thank you very much

    ReplyDelete
  15. Worked well. Thank you!

    ReplyDelete
  16. I was able to run the script successfully but could not find the key under windows device.

    ReplyDelete
  17. Question, If I encrypt C and D drive with ps1 do I need to use this script after encrypting each drive.

    ReplyDelete
  18. Amazing brother. What a simple and effective solution. Thank you so much and keep up the good work. Greets from switzerland

    ReplyDelete
  19. After reading a few of the blog pieces on your website, we sincerely love the way you written.
    windows8ny.net Please visit my website and share your thoughts with us.

    Corel AfterShot Crack

    ReplyDelete
  20. It worked, fast and simple. Thank you.

    ReplyDelete
  21. Hello Rahul,

    Will this script run automatically on the device ? I set it to run this script using logged on credentials ?

    ReplyDelete
    Replies
    1. Haven’t tested it with user credentials to be honest, but in my opinion it should be allowed to run in system context.

      Delete

Post a Comment

Popular posts from this blog

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users