BojanZivkovic-7448 asked CiciWu2-MSFT commented

Enable BitLocker (TpmPIN) and store recovery key in ADDS using PS script executed during Autopilot (Hybrid Azure AD join)

Hi, is it doable to execute a PS script which enables BitLocker (TpmPIN) and stores the recovery key in AD DS during Autopilot (Hybrid Azure AD join)? If so, what needs to be done? I am asking this because Autopilot at the moment is not natively capable of silently encrypting the OS drive with a PIN. Ideally I would like to store the recovery key in both AD DS and AAD, if that is even possible using a PS script.

If there is some MS-supported way of enabling BitLocker (TpmPIN) and storing the recovery key in both on-prem AD and Azure AD during Autopilot (Hybrid Azure AD join scenario), that would be awesome.

Thank you in advance.

mem-autopilot

CiciWu2-MSFT answered

We have met a similar issue before; end users have also provided feedback in Intune UserVoice. You can try the PS script below and see if the issue persists.


    # Find the recovery-password protector(s) on the OS drive, then escrow each one to AD DS and to Azure AD.
    $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $RecoveryProtectors = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Loop so that a volume with more than one recovery password is handled (a single KeyProtectorId per call).
    foreach ($RecoveryProtector in $RecoveryProtectors) {
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    }


Here is the UserVoice link: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev



BojanZivkovic-7448 answered CiciWu2-MSFT commented

What about encrypting the drive during Autopilot using something like:

    # Placeholder PIN; -Pin requires a SecureString
    $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TpmAndPinProtector

and adding the code you posted in the same script? If I am not mistaken, the script must be packaged as a Win32 app and deployed during Autopilot?

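Putting the two snippets in this thread together (the escrow script in the answer above and the Enable-BitLocker line in this one), the following is an added example written for this page; it is not code from either poster or from Microsoft. It checks the TPM and the startup-PIN policy, enables BitLocker on the OS drive with a TPM+PIN protector, adds a recovery password, and escrows it to both AD DS and Azure AD. It assumes it runs elevated as SYSTEM from an Intune Win32 app or PowerShell script, that a TPM is present, and that a BitLocker policy allowing a startup PIN has already been applied. The PIN value, the UseTPMPIN registry check and the retry counts are assumptions or placeholders, and the retry loop around BackupToAAD-BitLockerKeyProtector exists because during Autopilot the hybrid Azure AD join can complete after the script starts.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original thread. Enables BitLocker (TPM+PIN) on the OS
# drive, adds a recovery password and escrows it to AD DS and Azure AD.
# Assumptions: runs elevated as SYSTEM (Intune Win32 app / PowerShell script), TPM present,
# startup-PIN policy already applied. PIN, retry counts and the registry check are placeholders.
[CmdletBinding()]
param(
    [string]$Drive = $env:SystemDrive,
    [int]$AadRetries = 6,
    [int]$AadRetryDelaySeconds = 30
)
$ErrorActionPreference = 'Stop'

function Test-Prerequisites {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
    }
    # Policy value written by GPO / the BitLocker CSP: 0 = do not allow PIN, 1 = require, 2 = allow.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($null -eq $fve -or $fve.UseTPMPIN -eq 0) {
        Write-Warning 'Startup PIN not permitted by policy (UseTPMPIN missing or 0); Enable-BitLocker may reject -Pin'
    }
}

function Enable-OsDriveTpmPin {
    param([string]$MountPoint, [securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # -SkipHardwareTest avoids the reboot-and-test cycle so provisioning continues unattended.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    }
    elseif ($vol.KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
        # Already encrypting/encrypted (e.g. Intune silent TPM-only encryption): report instead of guessing.
        throw "$MountPoint is $($vol.VolumeStatus) without a TPM+PIN protector; remove the existing TPM protector first"
    }
}

function Get-OrAddRecoveryPassword {
    param([string]$MountPoint)
    $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # A TPM+PIN-only volume has no recovery password to escrow; create one.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    return $rp
}

function Backup-RecoveryPasswords {
    param([string]$MountPoint, [object[]]$Protectors, [int]$Retries, [int]$DelaySeconds)
    $result = @{}
    foreach ($p in $Protectors) {
        $id = $p.KeyProtectorId
        # AD DS escrow needs line of sight to a writable DC and an existing computer object.
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
            $result["$id ADDS"] = $true
        }
        catch {
            Write-Warning "AD DS backup failed for $id : $_"
            $result["$id ADDS"] = $false
        }
        # Azure AD escrow only works once the (hybrid) join has registered the device, which
        # during Autopilot may finish after this script starts, hence the retry loop.
        $ok = $false
        for ($i = 1; $i -le $Retries -and -not $ok; $i++) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
                $ok = $true
            }
            catch {
                Write-Warning "Azure AD backup attempt $i/$Retries failed for $id : $_"
                if ($i -lt $Retries) { Start-Sleep -Seconds $DelaySeconds }
            }
        }
        $result["$id AAD"] = $ok
    }
    return $result
}

Test-Prerequisites
# Constructed placeholder PIN: anything inside a deployment package is readable on the device,
# so treat it as a provisioning value the user must change after first sign-in.
$pin = ConvertTo-SecureString '1234' -AsPlainText -Force
Enable-OsDriveTpmPin -MountPoint $Drive -Pin $pin
$protectors = Get-OrAddRecoveryPassword -MountPoint $Drive
$status = Backup-RecoveryPasswords -MountPoint $Drive -Protectors $protectors -Retries $AadRetries -DelaySeconds $AadRetryDelaySeconds
$status.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }
# A non-zero exit makes Intune record the app/script as failed and retry it later.
if (@($status.Values) -contains $false) { exit 1 }
```

Two points worth keeping in mind when packaging this as a Win32 app: the exit code is what Intune uses to decide whether to retry, so failing on any missed escrow is deliberate; and the hard-coded PIN is not a secret, so the device should only be considered provisioned once the user has replaced it (for example with manage-bde -changepin).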

It seems that the command is provisioned with a PowerShell script and deployed via Intune. Generally speaking, the BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the $env:SystemDrive to AD DS. Refer to: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-


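As a check on the AD DS side of the escrow the comment above describes, the following is an added example written for this page, not code from the thread or from Microsoft. It uses ADSI rather than manage-bde (so it needs no RSAT module), reads the msFVE-RecoveryInformation objects stored under the device's own computer object, and compares their msFVE-RecoveryGuid with the RecoveryPassword protector IDs that Get-BitLockerVolume reports for the OS drive. It assumes a domain-joined device with line of sight to a domain controller and a caller that can read msFVE-RecoveryGuid on those objects; it deliberately does not read msFVE-RecoveryPassword.

```powershell
# Added example, not code from the original thread: verify that every RecoveryPassword
# protector on the OS drive has a matching msFVE-RecoveryInformation object in AD DS.
# Assumptions: domain-joined, DC reachable, caller may read msFVE-RecoveryGuid.

function Get-AdEscrowedRecoveryGuids {
    # Locate this machine's computer object in the default naming context.
    $computerFilter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $computer = ([adsisearcher]$computerFilter).FindOne()
    if ($null -eq $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD DS" }

    # msFVE-RecoveryInformation objects are created as children of the computer object.
    $childSearch = New-Object System.DirectoryServices.DirectorySearcher(
        $computer.GetDirectoryEntry(), '(objectClass=msFVE-RecoveryInformation)')
    $childSearch.SearchScope = 'OneLevel'
    $childSearch.PropertiesToLoad.AddRange([string[]]@('msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'))

    foreach ($r in $childSearch.FindAll()) {
        [pscustomobject]@{
            # Both GUIDs are stored as octet strings; rebuild them so they compare to KeyProtectorId.
            RecoveryGuid = [guid]::new([byte[]]$r.Properties['msfve-recoveryguid'][0])
            VolumeGuid   = [guid]::new([byte[]]$r.Properties['msfve-volumeguid'][0])
            WhenCreated  = $r.Properties['whencreated'][0]
        }
    }
}

function Test-RecoveryPasswordEscrowed {
    param([string]$MountPoint = $env:SystemDrive)
    $inAd = @(Get-AdEscrowedRecoveryGuids | ForEach-Object { $_.RecoveryGuid })
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # KeyProtectorId is reported as "{GUID}"; [guid] accepts the braces.
        $guid = [guid]$p.KeyProtectorId
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $p.KeyProtectorId
            EscrowedInADDS = ($inAd -contains $guid)
        }
    }
}

# Run as the computer (SYSTEM) or any account allowed to read the recovery objects.
Test-RecoveryPasswordEscrowed
```

A protector that shows EscrowedInADDS = False after the escrow script has run usually means the computer object did not exist yet or the DC could not be reached at the time Backup-BitLockerKeyProtector ran, which is exactly the situation a script executed early in Autopilot can hit; re-running the backup for that KeyProtectorId fixes it.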

I am just writing to see if there is any update for this issue. Please feel free to reply to me if there is any update.
