How to force escrowing of BitLocker recovery keys using Intune

Every now and then it happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and/or device hardware that fails to meet the minimum requirements. The other scenario, and one I recently experienced, is when everything is set up correctly and the recovery key still does not escrow in AAD.

As I understand it, this can happen if the escrow process was interrupted the first time by a network or local device issue and never resumed. To work around this, one can simply push a PowerShell script to the devices that forces the escrow of the recovery key to AAD. Here is a script to do so.

try {
    # Only the OS volume is handled here; change -MountPoint to cover other drives.
    $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Pick the first numerical RecoveryPassword protector; that is the protector AAD stores.
    $KPID = ""
    foreach ($KP in $BitlockerVol.KeyProtector) {
        if ($KP.KeyProtectorType -eq "RecoveryPassword") {
            $KPID = $KP.KeyProtectorId
            break
        }
    }

    # Without a recovery password there is nothing to escrow; fail explicitly instead of
    # calling the cmdlet with an empty protector id.
    if ($KPID -eq "") { throw "No RecoveryPassword protector found on $env:SystemDrive" }

    $output = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KPID
    return $true
}
catch {
    return $false
}

To set this up in Intune, follow the steps below.

1. Sign in to the Microsoft Endpoint Manager admin center portal.
2. Browse to Devices – Windows – PowerShell Scripts
3. Click on Add
4. Give the script a name
5. Select the script file
6. Set Run this script using the logged on credentials to No (the script then runs as SYSTEM)
7. Set Enforce script signature check to No
8. Set Run script in 64 bit PowerShell Host to Yes
9. Deploy to the user- or device-based group.

Once the script executes, the devices should escrow the recovery key to AAD almost immediately. You can check under Devices -> Windows -> Recovery Keys

Or AAD -> Devices

Or head over to Graph Explorer – Microsoft Graph and pull the details on the recovery keys and device ids using https://graph.microsoft.com/beta/bitlocker/recoveryKeys.


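The following is an added example, not the script from this post, that extends the same BackupToAAD-BitLockerKeyProtector approach to every BitLocker-protected fixed drive (the question about D:\ in the comments) and then checks the result on the client side before Intune ever shows it. It assumes it runs as SYSTEM through the Intune script deployment above, and that Intune treats a non-zero exit code as a failed run (an assumption; verify against your tenant's script status). The event ids it reads come from the Microsoft-Windows-BitLocker-API/Management log: 845 is a successful backup to Azure AD, 846 a failed one.

```powershell
# Added example (not the post's own script): escrow the recovery password of every
# BitLocker-protected fixed drive to Azure AD, then confirm the outcome from the local
# BitLocker-API event log. Assumed: runs as SYSTEM from Intune; Intune reads a non-zero
# exit code as a failed script run.

$ErrorActionPreference = 'Stop'
$failures = 0

# OS and fixed data volumes only; removable drives are skipped, as are volumes that
# are not encrypted at all (a suspended volume still has protectors worth escrowing).
$volumes = Get-BitLockerVolume | Where-Object {
    $_.VolumeType.ToString() -in @('OperatingSystem', 'Data') -and
    $_.VolumeStatus.ToString() -ne 'FullyDecrypted'
}

foreach ($vol in $volumes) {
    # A volume can carry several protectors (TPM, password, auto-unlock); only the
    # numerical RecoveryPassword protector is what Azure AD stores.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Write-Output "$($vol.MountPoint): no RecoveryPassword protector, nothing to escrow"
        continue
    }
    foreach ($kp in $rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "$($vol.MountPoint): escrow requested for protector $($kp.KeyProtectorId)"
        }
        catch {
            Write-Output "$($vol.MountPoint): escrow failed - $($_.Exception.Message)"
            $failures++
        }
    }
}

# The backup result is logged asynchronously; give the service a moment, then read
# 845 (backed up successfully to Azure AD) and 846 (backup failed) since the script started.
Start-Sleep -Seconds 10
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker-API/Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue)

foreach ($e in $events) {
    # First line of the message is enough for the Intune script output column.
    Write-Output ('{0} EventId={1} {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}
if (@($events | Where-Object { $_.Id -eq 846 }).Count -gt 0) { $failures++ }

# Non-zero exit surfaces as a failed script run in the Intune script status view.
exit ([int]($failures -gt 0))
```

When a device shows as failed in Intune, the 846 event text on the client usually states the reason (no network, device not joined, or a policy that blocks the backup), which is quicker than waiting for the Graph recoveryKeys listing to catch up.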
Comments

  1. Hi, thank you for your post. I have a problem using the BackupToAAD-BitLockerKeyProtector command: it says access denied, but I'm using a local admin and domain administrator account. When I use Add-BitLockerKeyProtector or Backup-BitLockerKeyProtector or manage-bde -protectors -adbackup I don't have any problem.

     I'm testing this in an Azure Hybrid Computer; recovery keys are being saved without any problem to the local AD domain but I need to back them up to Azure AD.

     Replies
     1. Also, in case you respond, I configured the BitLocker policy so standard users can enable BitLocker, so it shouldn't ask for special permissions.
     2. What version of Windows 10 are you on? Also, are you running the script with user credentials or system?

  2. This script doesn't work :/

  3. I am planning to deploy this script to the All Devices group. The question is, when the script executes on the machine, how will it know for which device ID to store the recovery key in AAD? In the script I didn't find any syntax for reading the machine hostname or device object ID. Will your script map the correct recovery key to the correct device? (I haven't tested it manually yet.)

     Replies
     1. The script will run locally on each device and back up the keys in AAD automatically. There is no need to provide the device object or name explicitly.

  4. How do we get to know in Intune whether the script executed or not? I have assigned it to a device group and am monitoring in Intune, but nothing shows up.

     Replies
     1. The script will retry 3 times every hour before giving up. How long have you waited? Have you checked on the client side in the Intune extension log?

  5. How can we also back up the key(s) for a partitioned drive D:\?

     Replies
     1. Replace $env:SystemDrive with D:\

  6. If you are using a Configuration Manager environment, how do you force the client to update the CM DB?

     Replies
     1. Then the policies will not be driven through Intune. You will need to check why the policy from ConfigMgr did not result in escrowing the keys in the site DB.

  7. Followed these instructions. Applied to a device, waited an hour for processing and it is still not processing. Has something changed? A new Intune setting? I manually ran the script on another laptop and it worked.

     Replies
     1. Which part is not working? The script execution on the device through the Intune policy, or the policy itself? I normally check the Intune logs and Event Viewer.

  8. The script worked perfectly, thanks!

  9. This is a known issue of Windows 11.

  10. In which format should the script be? I can't locate my script after saving it.

  11. This solution did it for me: https://blog.mindcore.dk/2023/11/how-to-migrate-bitlocker-keys-from-all-fixed-drives-to-microsoft-entra-id/

      Fixed all my BitLocker AAD Intune issues.

      Replies
      1. Yes, another great solution covered by the author of the blog post you shared. There have been many approaches posted in the technical community since 2021, when I last posted my experience.
