How to manage BitLocker on an Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD, either manually or by using a provisioning package, BitLocker will be enabled automatically if your device has the necessary prerequisites. However, in the case that BitLocker is disabled, this is how you enable BitLocker, save the BitLocker key protector (also known as the recovery key) to AAD, and recover the key in the case you need it. So this blog post is for both the end user and the IT pro, I guess.

In this scenario we have configured a Device Compliance Policy in Intune that requires encryption of data storage on devices, and assigned the policy to all Mobile Users.


Now, from the user side, they will receive a notification that their device is not compliant with company policy and that encryption is needed. Click on the notification to start the encryption process.


Make sure you do not have any other Device Encryption software installed and click Yes.


Make sure that you save the recovery key to your cloud account. You will be notified that the recovery key is saved.


Choose the new encryption mode (which is XTS-AES 128).


Start encryption and go to a long lunch. This can take some time, but know that you can work as normal alongside the encryption process.


Confirm that the encryption process is complete.


Now the encryption process is done and your data is secure. But how do we recover the drive in the case where we lose access to it? Well, the key is stored in AAD and can be retrieved easily by the end user themselves or by an administrator.

To retrieve the recovery key, go to the following link and log in with your corporate credentials (work/school account):
https://account.activedirectory.windowsazure.com/r/#/profile

Find your computer by name and click on Retrieve BitLocker keys.


You can do the same in Azure Active Directory by going to https://portal.azure.com. Go to Users and Groups and search for the user.


And there you go. There is no way to automate the encryption process from Intune. But I hope that at some point we will be able to execute PowerShell scripts, with which we could automate the process. As far as I know this only works with Windows 10 1703 and up, as the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which you need to save the recovery key to AAD, is only available in 1703 and up. If you want to experiment with PowerShell, here is the script I created. It works and it simply does the same as the manual steps above.
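As an added example (my own code, not the author's script, which is not included on this page), the following PowerShell performs the same steps as the manual walkthrough: it enables BitLocker with XTS-AES 128, adds a recovery password protector, backs it up to AAD with BackupToAAD-BitLockerKeyProtector, and checks the result in the BitLocker event log. It assumes the OS drive is C:, the device is Azure AD joined with a ready TPM, and it is run from an elevated PowerShell session on Windows 10 1703 or later.

```powershell
# Added example, not the author's script. Enables BitLocker on the OS drive with
# XTS-AES 128, adds a recovery password protector and escrows it to Azure AD.
$MountPoint = 'C:'   # assumed: the OS drive

# Prerequisite checks: a ready TPM and an Azure AD joined device. Without the
# AAD join, BackupToAAD-BitLockerKeyProtector has nowhere to send the key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; cannot add a TPM protector.'
}
if (-not ((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')) {
    throw 'Device is not Azure AD joined; the recovery key cannot be backed up to AAD.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Step 1: enable encryption if the drive is still fully decrypted. -UsedSpaceOnly
# matches the faster "used space only" choice; -SkipHardwareTest avoids the
# reboot prompt so the remaining steps can run in the same session.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
        -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}

# Step 2: make sure a recovery password protector exists (a drive encrypted by
# another path may carry only a TPM protector, and then there is nothing to escrow).
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Step 3: escrow every recovery password protector to Azure AD. The 48-digit
# password itself is never written to disk or printed; only the protector ID is.
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    Write-Output "Backed up recovery protector $($p.KeyProtectorId) to Azure AD"
}

# Step 4: verify in the BitLocker management log. Event 845 = recovery information
# backed up to Azure AD successfully, 846 = backup failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Until you see event 845 for the volume, the key is not in AAD, so check the log rather than trusting that the cmdlet returned without error.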

Stay tuned for more posts.

And do not forget to leave a comment if you have any questions.

/Marius

About the Author:

Marius A. Skovli
Microsoft Enterprise Client Management Evangelist with:
10+ years experience within Microsoft System Management Solutions
Extensive experience across Private and Public Sector
Passion for Community Driven work, volunteering within Microsoft technology
Great belief that sharing experience with fellow peers is key to creating a sustainable society
Strong commitment to System Center User Group Norway as co-founder and current leader

I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have for the last 10+ years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where I today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consist of speaking and presenting at different events and seminars, doing research and blogging about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key, and as an act on this I co-founded System Center User Group Norway (www.scug.no). SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center space from Microsoft. This is a free arena for everybody to join that is interested in or enthusiastic about the Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter). Specialties: System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows Server deployment.

4 Comments

  1. Tobi April 26, 2017 at 16:39 - Reply

    Nice Posting and nice cmdlet!

    For bulk AAD joined devices that are not assigned to a specific user it also works using the cmdlet “BackupToAAD-BitLockerKeyProtector”. The event log says successfully backed up. But how can we then access the recovery key? Any ideas?

  2. Mike M. June 29, 2017 at 19:49 - Reply

    Have you found a way to get a recovery key via PowerShell? In your step above (You can do the same in Azure Active Directory by going to https://portal.azure.com. Go to Users and Groups and search for the user), I do see the key, however I can’t copy it and can only view the entire key by hovering over it. I’ve looked through the new Azure AD Powershell Version 2 (https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0), but nothing relating to getting the keys is listed.

  4. uday September 15, 2017 at 2:19 - Reply

    I have done the BitLocker encryption policy and successfully pushed the policy to Windows 10 machines. However, I would like to know when the recovery key will be updated in the Azure portal, or is there any specific setting to be made to set the recovery path for the key?

    Thanks,
    Uday
