question

0 Votes
JADR921-kt asked · BruceFincham-5216 commented

Backup BitLocker Keys to Azure AD

Is it possible to backup BitLocker recovery keys to Azure AD without an elevated privilege? Because right now, we have several devices that do not have recovery keys uploaded.

There is a Powershell script to upload this but it still requires to run as administrator. I want to deploy a script to a group of devices. I don't want to go to each one and backup their recovery keys manually.

mem-intune-enrollment

I had a similar problem. We are using Intune and the recovery keys would not get uploaded. In my scenario I had more than one account registered under the Accounts section; I think AD did not know which one to back up to. Once I removed one, the backup of the recovery key to AD worked.

0 Votes 0 ·
0 Votes
pvanberlo answered · Reinout commented

Uploading the recovery keys is done as part of having the device (Hybrid) Azure AD Joined and managed in Microsoft Endpoint Manager (Intune), and should not require any additional permissions. I found a blog which may contain some more information that could be helpful.



Thanks. Need help with one step.

How do I "3. Choose to run the script as SYSTEM then assign it to the devices for which you need to save the recovery key."?

0 Votes 0 ·

You're basically looking for the highlighted setting below. If this is set to YES - the script will run as the signed in user, if it's set to NO - the script will run under the system context.

[image: 138127-image.png]

1 Vote 1 ·

Alright, I did this and status for every device I applied the script to says Succeeded. However, even after a few days waiting, I still don't see BitLocker Recovery Keys uploaded. Did I do something wrong?

0 Votes 0 ·

In my experience the recovery keys are only uploaded to Azure AD if you join the computers via Autopilot or do that before you BitLocker them. If you have already BitLockered them and then (manually) add them to Azure AD, the recovery keys are not saved to Azure AD.

We created a policy for that.

0 Votes 0 ·

What's the policy you created to go around this issue?

I have not seen any positive results with the script, although it says Succeeded on every device I added and deployed to.

0 Votes 0 ·

We use a configuration profile (the Endpoint protection template; see also my answer below).

0 Votes 0 ·
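The script the question refers to is not shown anywhere in this thread, so the following is an added example (not code from the question, any answer, or Microsoft) of what such a script typically does when deployed through Intune with "Run this script using the logged on credentials" set to No, so that it runs as SYSTEM. It uses the `Get-BitLockerVolume` and `BackupToAAD-BitLockerKeyProtector` cmdlets from the built-in BitLocker module; the log file path, the `Write-Log` helper and the exit-code convention are assumptions, not anything the thread specifies. It also only escrows the numeric recovery password protector, which is the only protector type that is backed up to Azure AD, and it exits non-zero when no key could be escrowed so the deployment status does not read "Succeeded" while no key has actually reached Azure AD, which is the symptom described in the comments above.

```powershell
# Added example (not from this thread): escrow every BitLocker recovery password
# on the device to Azure AD. Intended to run in the SYSTEM context via Intune.
# Prerequisite: the device must be Azure AD joined or hybrid Azure AD joined.
# Assumption: log path chosen for illustration only.
$LogPath = Join-Path $env:ProgramData 'BitLockerKeyBackup.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

try {
    Import-Module BitLocker -ErrorAction Stop
} catch {
    Write-Log "BitLocker module not available: $_"
    exit 1
}

$failed = 0
foreach ($volume in Get-BitLockerVolume) {
    # Nothing to escrow on volumes that are not protected.
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Log "$($volume.MountPoint): protection is $($volume.ProtectionStatus), skipping"
        continue
    }

    # Only the RecoveryPassword protector (the 48-digit key) is backed up to Azure AD;
    # TPM and other protector types are not escrowed.
    $recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Write-Log "$($volume.MountPoint): no RecoveryPassword protector found"
        $failed++
        continue
    }

    foreach ($protector in $recovery) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Log "$($volume.MountPoint): protector $($protector.KeyProtectorId) backed up to Azure AD"
        } catch {
            Write-Log "$($volume.MountPoint): backup failed: $_"
            $failed++
        }
    }
}

# Exit non-zero when any volume could not be escrowed, so the Intune script
# status reflects the failure instead of reporting success with no key uploaded.
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

When a device reports success but no key appears in Azure AD, the log written here tells you which case applied: protection not on, no recovery password protector present (the volume was encrypted with only a TPM protector, for example), or the backup call itself failing, which is the case to expect on a device that was encrypted before it was joined, as the comment above describes.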
0 Votes
Reinout answered

You can also use the Endpoint protection template for that I think.

Configuration settings > Windows Encryption

[image: 138128-image.png]