Register BitLocker recovery key to Azure AD

  • Question

  • Hello,

    At a customer we are using devices which are currently added to on-premises AD and will be migrated to Azure AD. So all devices are going to be Azure AD joined (Not hybrid joined).

    In our test situation we already removed some devices from AD and joined them to AAD. All the devices are encrypted with BitLocker and the recovery key was NOT registered to AD. Now we would like to register the BitLocker recovery key in Azure AD so I'm looking for a way to do so without having to disable BitLocker and enable it again.

    I tried to do so with PowerShell by using the Backup-BitLockerKeyProtector command, which reports success, but nothing is showing up in Azure when I check the device.

    Hope someone can help me out.

    Thursday, August 23, 2018 2:45 PM

Answers

  • Not sure how you are using the Backup-BitLockerKeyProtector cmdlet, but below is the code I have used to do this; use at your own risk:

    <#
    This script gets the recovery protector(s) of type RecoveryPassword from the OS drive, then
    pushes the recovery password associated with each protector to Azure AD, associated with the
    OS drive.
    #>

    # Narrow scope to the applicable recovery protector(s).
    # @() keeps the result an array even when only one protector exists.
    $AllProtectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector
    $RecoveryProtectors = @($AllProtectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Push each recovery password to AAD (a volume can carry more than one;
    # passing an array of IDs to -KeyProtectorId would fail).
    foreach ($RecoveryProtector in $RecoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    }


    • Proposed as answer by lyonheart14 Friday, August 24, 2018 12:46 PM
    • Marked as answer by RonaldBe Wednesday, September 12, 2018 8:11 AM
    Thursday, August 23, 2018 3:56 PM

All replies

  • Thank you for the script. I will give it a try and let you know if this works.
    Friday, August 31, 2018 7:18 AM
  • Here's another version, backing up just the C: drive recovery password:

    # @() keeps $BLV an array even when there is exactly one protector; without it,
    # $BLV.KeyProtectorId[$i] would index characters of the single GUID string.
    $BLV = @(Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    # In case there is no recovery password, let's create a new one
    if (-not $BLV) {
        Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
        $BLV = @(Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    # In case there are multiple recovery passwords, let's copy them all just to be sure.
    foreach ($Protector in $BLV) {
        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $Protector.KeyProtectorId
    }

    Friday, August 31, 2018 12:33 PM
  • Thank you all, I tried the scripts and it works great.
    Wednesday, September 12, 2018 8:11 AM
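The scripts in this thread cover only the OS drive. As an added example, not code from any poster here, the following generalizes to every volume whose protection is on, checks the Azure AD join state first (BackupToAAD-BitLockerKeyProtector needs an Azure AD joined device, while Backup-BitLockerKeyProtector from the question targets on-premises AD DS), and reports a per-protector result instead of stopping at the first error. It assumes an elevated session; the function name Backup-AllRecoveryPasswordsToAAD is my own.

```powershell
# Added example, not from the thread: register every RecoveryPassword
# protector on every BitLocker-protected volume with Azure AD.
# Assumes: elevated PowerShell on a device that is already Azure AD joined
# (BackupToAAD-BitLockerKeyProtector fails on a device that is not).
function Backup-AllRecoveryPasswordsToAAD {
    [CmdletBinding()]
    param()
    # Precondition check: dsregcmd /status reports the join state as a
    # line of the form "AzureAdJoined : YES".
    $joinState = dsregcmd /status
    if (-not ($joinState -match 'AzureAdJoined\s*:\s*YES')) {
        throw 'Device is not Azure AD joined; the AAD backup cmdlet will fail.'
    }
    foreach ($volume in Get-BitLockerVolume) {
        # Only volumes with protection on have keys worth registering.
        if ($volume.ProtectionStatus -ne 'On') { continue }
        $mount = $volume.MountPoint

        # @() keeps a single protector from collapsing to a scalar, which is
        # what broke "$BLV.KeyProtectorId[$i]" style indexing in the thread.
        $protectors = @($volume.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($protectors.Count -eq 0) {
            # No recovery password yet: add one without touching encryption.
            Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
            $protectors = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        foreach ($protector in $protectors) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mount `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch {
                # Keep going: one failed volume should not hide the others.
                $status = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                MountPoint     = $mount
                KeyProtectorId = $protector.KeyProtectorId
                Status         = $status
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAAD | Format-Table -AutoSize
```

After it runs, confirm the key IDs listed as BackedUp appear under the device's BitLocker keys in the Azure AD portal, since a success return from the cmdlet is the only feedback the device itself gives.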