Manage Bitlocker with Intune and migrate to Azure AD

  • Question

  • Hi,
    I have a question about BitLocker and AAD/Intune. We are migrating our computers from OnPrem AD to Azure AD. All computers are encrypted with BitLocker and the recovery key is stored in Active Directory OnPrem for every user.
    What is the recommended way to handle BitLocker when I disconnect the computer from the OnPrem AD and join Azure AD? Do I need to decrypt the computer first and then encrypt it again after it has joined Azure AD? Can this be done with Intune?

    I have tested it for one computer and set up an Intune configuration profile to encrypt the drive and add the key to Azure, but I get an error with no explanation why it's not working.

    If the computer doesn't have BitLocker enabled before I join Azure AD, it works.

    Thanks for any suggestions
    Thursday, May 16, 2019 9:02 AM

All replies

  • Hi Boffen,

    You can use the Backup-BitLockerKeyProtector to migrate BitLocker recovery key to Azure AD, here is the script that might work:

    <#
    This script gets the recovery protector of type RecoveryPassword from the OS drive, then
    pushes the recovery password associated with that protector to Azure AD, associated with the
    OS drive.
    #>
    
    # Narrow scope to the applicable recovery protector
    $AllProtectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector
    $RecoveryProtector = ($AllProtectors | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })
    
    # Push the recovery password to AAD
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId

    or

    $BLV = Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # In case there is no recovery password, let's create a new one
    if (!$BLV)
    {
        Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
        $BLV = Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    # In case there are multiple recovery passwords, let's copy them all just to make sure.
    # @() wraps a single protector in a one-element array so the loop also works when there is only one.
    foreach ($Protector in @($BLV))
    {
        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $Protector.KeyProtectorId
    }

    Reference: https://docs.microsoft.com/en-us/powershell/module/bitlocker/backup-bitlockerkeyprotector?view=win10-ps

    Also, I found one ticket that had a similar issue and was resolved by this script. Just for your reference: https://social.technet.microsoft.com/Forums/en-US/22c95a67-1ec5-4874-9140-c5facd29cfd8/register-bitlocker-recovery-key-to-azure-ad?forum=microsoftintuneprod

    Best regards,

    Cici


    Thursday, May 16, 2019 10:34 AM
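As an added example (not Cici's script or Microsoft's), the following script extends the two snippets above to the whole device: it refuses to run unless dsregcmd reports the device as Azure AD joined (the cmdlet fails on a device that is not), ensures every encrypted volume has a recovery password protector, backs up each protector to Azure AD while recording the outcome, and then reads the BitLocker-API/Management event log for the success (845) and failure (846) events. Running it elevated as an Intune PowerShell script is an assumed deployment context.

```powershell
# Added example: back up every BitLocker recovery password on this device to Azure AD
# and verify the result. Assumes Windows 10 with the BitLocker module and an Azure AD
# joined device; run elevated (e.g. as an Intune PowerShell script in SYSTEM context).

# dsregcmd /status reports "AzureAdJoined : YES" on a joined device; stop early otherwise.
$joined = (dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES'
if (-not $joined) {
    Write-Error 'Device is not Azure AD joined; BackupToAAD-BitLockerKeyProtector would fail.'
    exit 1
}

$results = foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    $mp = $vol.MountPoint
    # Ensure at least one 48-digit recovery password protector exists on this volume.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    # Back up each recovery password protector individually and record success or the error text,
    # so a failure on one volume does not hide the outcome for the others.
    foreach ($p in $rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ MountPoint = $mp; ProtectorId = $p.KeyProtectorId; Result = 'BackedUp' }
        } catch {
            [pscustomobject]@{ MountPoint = $mp; ProtectorId = $p.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}
$results | Format-Table -AutoSize

# Independent check: the BitLocker management log records event 845 for a successful backup
# to Azure AD and 846 for a failed one, so the most recent entries confirm what happened.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

When deployed through Intune, the per-protector result table and the 845/846 events are what to look at when the portal only reports a generic failure.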
  • > Do I need to decrypt the computer first and then encrypt it again after it is joined Azure AD.

    No, not at all. What's stored in AD is simply the key to unlock BitLocker and has nothing to do with whether BitLocker will work or not. All you really need to do here is store the key in AzureAD (which the scripts provided by CiCi will do) because it won't happen automatically. This part has nothing to do with Intune although you can certainly push these scripts out using Intune.

    Note also that you need to create a policy in Intune to configure and enforce your desired BitLocker settings since your group policies will no longer be able to do this.

    > but I get an error with no explanation why it's not working.

    Without knowing what error and where you are getting it, we can't even begin to guess.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 16, 2019 4:16 PM