Missing BitLocker Recovery Keys in AAD/Intune

JonMercer-8382 asked:

After migrating to Azure AD Hybrid, all the BitLocker recovery keys that were stored in AD were removed and not migrated to AAD or Intune. They are all Windows 10 Business systems with 21H2 installed.

I can manually go into BitLocker and tell it to run a backup of the BL recovery key to Azure, but 99% of our employees do not have admin rights on their system, which this process requires, and I am not going to go through and do this one at a time, since there are a lot of them.

I have an Intune policy set up to silently push BL to new systems, though it is still in testing.

To ask: if I enable this for all users, will it affect the servers at all? I am presuming not, since they are not Azure AD joined but still on-prem, but I want to verify. I need to go through these slowly because some are older. I am wondering, if I push the policy to everyone, whether it would see they are already BitLockered and copy over the recovery key to Azure.

Outside of this, is there a way to tell Azure or Intune to query all the computers and record their recovery keys? I found a couple of articles about this, but they all said to just run the utility to back up the BitLocker recovery key in Windows.

Tags: mem-intune-general, mem-intune-application-management

Jason-MSFT answered:

Intune can't manage servers.

BitLocker recovery passwords are only saved to AD and AAD at the time they are set (or reset). Thus, you must either rotate them (which can be done using Intune) or send a script to them to force them to save their keys to AAD. I generally prefer using the script, as rotating the key for this purpose seems overkill to me. If you search the web for "BackupToAAD-BitLockerKeyProtector", which is the PowerShell cmdlet that does the heavy lifting here, you'll find lots of example scripts that do this with various levels of robustness, troubleshooting, and logging.

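The script approach described in the answer above, as an added example that is not Jason's script or any blog's script: it enumerates each protected volume, finds the RecoveryPassword protectors, and escrows them with BackupToAAD-BitLockerKeyProtector. It assumes deployment as an Intune PowerShell script running in the SYSTEM context (the default), which is what sidesteps the users-without-admin-rights problem from the question; the log path is an assumed value.

```powershell
# Added example: back up every existing BitLocker recovery password to Azure AD.
# Intended for an Intune PowerShell script running as SYSTEM (the default), so it
# does not depend on the signed-in user being a local administrator.
# Exit code 0 = every recovery password was escrowed, 1 = at least one failure,
# so Intune's script status reflects devices that still need attention.

$logPath = "$env:ProgramData\BitLockerAADBackup.log"   # assumed log location
function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $logPath -Value $line
    Write-Output $line
}

$failed = $false
try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
} catch {
    Write-Log "Get-BitLockerVolume failed: $($_.Exception.Message)"
    exit 1
}

foreach ($vol in $volumes) {
    # Only volumes with protection on carry a key worth escrowing.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Log "$($vol.MountPoint): protection is $($vol.ProtectionStatus), skipping"
        continue
    }
    # The 48-digit recovery password is the protector type AAD stores.
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rpProtectors) {
        # Encrypted but with no recovery password: flag it rather than silently pass.
        Write-Log "$($vol.MountPoint): no RecoveryPassword protector present, nothing to back up"
        $failed = $true
        continue
    }
    foreach ($kp in $rpProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Log "$($vol.MountPoint): backed up protector $($kp.KeyProtectorId) to AAD"
        } catch {
            # Typical causes: device not AAD/hybrid joined yet, or no network path to AAD.
            Write-Log "$($vol.MountPoint): backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
            $failed = $true
        }
    }
}

if ($failed) { exit 1 } else { exit 0 }
```

After deployment, confirm in the device's BitLocker recovery keys blade in Azure AD that a key ID matching each logged KeyProtectorId appears; devices that are not yet hybrid joined will log a failure rather than a backup.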

RahulJindal-2267 answered:

Thanks, I am giving what you recommended in your blog a go, and will see how it goes in the test environment. Just for your info, someone left a question in that blog early February.


Thanks. I didn't get a notification on the comment. Replied now.


Many thanks for the endpoint script to back up the recovery key. I deployed it yesterday and it works exactly as expected, which has saved us a lot of work. We have noticed one anomaly though: if I log in as a domain user, the script runs and the key appears in EM as expected. If I then log in as a local administrator on the machine, it immediately removes the recovery key from EM. Is this a known and expected behaviour?

Jason-MSFT replied to KeithFountainITVETLimited-4790:

By EM, I'm assuming that you mean Endpoint Manager, but note that the recovery key is not stored in Intune; it is stored in AAD. I've never heard of or observed this behavior though. Is it a simple local admin login, or were there other actions? To me, this would be very bad, and if you can reproduce it, I suggest you open a support case.

Jason-MSFT answered:

Note that the 2203 technical preview (TP) was just released and includes this feature: https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2022/technical-preview-2203. Please test this out if you have the opportunity to do so.


Thanks, that looks like quite the project to set up, especially with the SQL certificate, but in the long run it would make BL easier to deal with.


Sorry, please ignore my comment above. While accurate, it really has nothing to do with your question here; I confused this thread with another.


I actually bookmarked it. Hoping it does actually go into release, along with the mentioned dark mode. I haven't been able to keep up with TP releases as much as I used to.
