Se større billede

How to manage Bitlocker on a Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD either manually or by using a provisioning package, Bitlocker will be enabled automatically if your device has the necessary prerequisites. However in the case that Bitlocker is disabled this is how you enable Bitlocker, save the Bitlocker Key Protector to ADD (also known as the recovery key) and recover the key in the case you need it. So this blog post is both for the end-user and IT-pro I guess.

In this scenario we have configured a Device Compliance Policy in Intune where we require Encryption of data storage on devices and sent the policy to all Mobile Users. Like so…

Now, from the user side, they will receive a notification that their device is not compliant with company policy and that Encryption is needed. Click on the notification to start Encryption process.

Make sure you do not have any other Device Encryption software installed and click Yes.

Make sure that you save the recovery key to your cloud account. You will be notified that the recovery key is saved.

Choose the new Encryption mode (which is Xts Aes 128)

Start encryption and go to a long lunch. This can take some time… But know that you can work as normal alongside the encryption process.

Confirm that the encryption process is complete.

Now the encryption process is done and your data is secure. But how do we recover the drive in the case where we loose access to it. Well the key is stored in AAD and can be recovered easily by the end-user itself or by an administrator.

To retrieve the recovery key go to the following link and login with your corporate credentials (Work/School-account):
https://account.activedirectory.windowsazure.com/r/#/profile

Find your computer by name and click on retrieve Bitlocker-keys

You can do the same in Azure Active Directory by going to https://portal.azure.com. Go to Users and Groups and search for the user.

And there you Go. There is no way to automate the Encryption process from Intune. But I hope we at some point will be able to execute PowerShell scripts, where we could automate the process. As far as I know only with Windows 10 1703 as the PowerShell commandlet BackupToAAD-BitLockerKeyProtector which you need to save the recovery key to AAD, is only in 1703 and up. If you want to experiment with PowerShell here is the script I created. It works and it simply does the same as the manual step above.

[sourcecode language='powershell'  padlinenumbers='true']
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
[/sourcecode]

Stay tuned for more posts.

And do not forget to leave a comment if you have any questions.

/Marius

By Marius A. Skovli|2017-11-15T18:57:43+01:00april 25th, 2017|Application Virtualization (App-V), Azure, Configuration Manager (SCCM), Enterprise Mobility Suite (EMS), Office 365, Windows Client|28 Comments

Om forfatteren: Marius A. Skovli

Microsoft Enterprise Client Management Evangelist with: 10+ years experience within Microsoft System Management Solutions Extensive experience across Private and Public Sector Passion for Community Driven work, volunteering within Microsoft technology Great belief that sharing experience within fellow peers is key to creating a sustainable society Strong commitment to System Center User Group Norway as co-founder and current leader I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have the last 10 + years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where i today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consists of speaking and presenting at different events and seminars, doing research and blog about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key and as an act on this I co-founded System Center User Group Norway (www.scug.no). SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center Space from Microsoft. This is a free arena for everybody to join that is interested in/or enthusiastic about Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter). Specialties: System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows server deployment.

28 kommentarer

Tobi april 26, 2017 af 16:39

Nice Posting and nice cmdlet!

For bulk AAD joined devices that are not assigned to a specific user it also works using the cmdlet “BackupToAAD-BitLockerKeyProtector”. The venet log says successfully backed up. But how can we then access the recovery key? Any ideas?
Mike M. juni 29, 2017 af 19:49

Have you found a way to get a recovery key via PowerShell? In your step above (You can do the same in Azure Active Directory by going to https://portal.azure.com. Go to Users and Groups and search for the user), I do see the key, however I can’t copy it and can only view the entire key by hovering over it. I’ve looked through the new Azure AD Powershell Version 2 (https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0), but nothing relating to getting the keys is listed.
URL september 6, 2017 af 10:08

… [Trackback]

[…] Find More Informations here: blog.ctglobalservices.com/windows-client/mas/how-to-manage-bitlocker-on-a-azure-ad-joined-windows-10-device-managed-by-intune/ […]
uday september 15, 2017 af 2:19

I have done the bitlocker encryption policy and successfully pushed the policy on Windows 10 machines.however, I would like to know when will the recovery key updatedin the azure portal or is there any specificsetting to be made to set the recoverypath for the key ?

Thanks,
Uday
- Marius A. Skovli november 15, 2017 af 14:32
  
  The recovery key will be uploaded to AAD computer object when the User starts the encryption process. For allways on-connected-standby devices it will happen when they do the Azure AD Join.
jannik november 15, 2017 af 12:51

I’m also in the need to access the azure ad synced bitlocker key in a programmatic way, but didn’t found any solution yet.
Paul Wetter april 26, 2018 af 20:14

Your solution seems to assume that KeyProtector[1] is the recovery password. This isn’t always the case. I think this would be better:

$BLV = Get-BitLockerVolume -MountPoint “C:” | select *
$BackupPassword = $BLV.KeyProtectors|Where {$_.KeyProtectorType -eq ‘RecoveryPassword’}
BackupToAAD-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BackupPassword.KeyProtectorId
Hugoadmin maj 11, 2018 af 7:21

I have on-premises environment, and machines are sync to Azure AD. Devices(Windows 10 1803) showing up in Azure in two join types, “Azure AD registered” and “Hybrid Azure AD joined”. I as admin see users BitLocker keys when i select device that join type is “Hybrid Azure AD joined”. When I select identical device under join type “Azure AD registered”, BitLocker keys doesn’t showing up and because users are connected to devices through “Azure AD registered” join type they can’t see BitLocker keys in myapps.microsoft.com. Do you have any suggestions how i can display BitLocker keys under “Azure AD registered” devices?
- Peter maj 29, 2018 af 14:15
  
  Lucky you;
  I`m in the same situation, but the second device account only shows MDM MS Intune, no Join type, both no registration date. And no recovery keys are shows at both devices. Even if I have set the BitLocker policy Save BitLocker recovery information to Azure AD as required
Kevin august 23, 2018 af 6:47

Dear Sir/Madam,

Is that possible to export a report for all users in AzureAD that their bitlocker recovery keys have been uploaded to Azure AD or not?

Thanks & Regards,
Kevin
Sergei august 27, 2018 af 17:13

Thanks. Very good article. I would be grateful if you could tell me what I’m doing wrong. Run Your script remotely via Enter-PSSession. This line says “BackupToAAD-BitLockerKeyProtector-Mount Point” C: “- KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId” get “BackupToAAD-BitLockerKeyProtector : Catastrophic failure (Exception from HRESULT: 0x8000FFFF (E_UNEXPECTED))”. Perhaps You have thoughts on this?
- Rob maj 6, 2019 af 16:26
  
  Same here.
Chris august 30, 2018 af 23:48

GOOD JOB!!!!
msdhoni december 12, 2018 af 10:47

Great content useful for all the candidates of Windows Azure Training who want to kick start these career in Windows Azure Training field.
LandMark Hospital marts 1, 2019 af 7:09

Windows is essential for all office devices.
reddy ravindra marts 5, 2019 af 10:41

Great Article. Thanks for sharing info.
Digital Marketing Course in Hyderabad
manisha kalra juli 3, 2019 af 19:35

thanks for such an informative post you have shared
https://www.manishafashion.com/how-to-lose-weight-in-one-month/how-to-lose-weight-in-one-month-manishafashion-com/
anna Rasuna november 10, 2019 af 7:32

Thanks for the information about bitlocker.
Steve McKee september 2, 2020 af 21:58

Is there a way of kicking off encryption using azure and bit locker during the imaging process for a new or reimaged machine instead of waiting for GP to see the machine?
Ken oktober 20, 2020 af 15:25

In Windows Azure Profile it soley says “Workplace Joined” for my users. Before we rolled out Intune we could retrieve the Bitlocker Keys over the portal. Now the only show under devices for admins.
Chandu februar 5, 2021 af 12:25

very nice blogs!!! i have to learning for lot of information for this sites…Sharing for wonderful information. Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing
Divya marts 24, 2021 af 19:30

Thank you for sharing this valuable content.
I love your content it’s very unique.
Aastha Bahl oktober 28, 2021 af 18:04

Thanks for this valuable information about bitlocker.
arnold dk november 12, 2021 af 11:51

I’m also in the need to access the azure ad synced bitlocker key in a programmatic way, but didn’t found any solution yet.
Chandu Chinnu november 23, 2021 af 8:52

First You got a great blog .I will be interested in more similar topics.I commend you for your excellent report on the knowledge that you have shared in this blog.
gbwhatsapp december 18, 2021 af 9:53

Your post is helping me a lot. Its really nice and epic. Thanks a lot for the useful info on this topic. You did it so much well. I love to see more about GBWhatsApp. Keep sharing and updating. Also share more posts with us. Thank you.
ABR Hospital april 12, 2022 af 10:43

Thank for sharing
ABR Neuro Multi Specialty Hospitals Gynaecologist Doctor In Uppala Expert gynaecologist and obstetrician doctors in Uppala, Dr. Himabindu.N is a Gynecologist at ABR Multi-specialty Hospital. She is one of the young and dynamic doctors of Hyderabad.
sreemanju hospital maj 18, 2022 af 8:35

Thanks a lot for the information.

Oncology Hospital in Hyderabad sreemanju hospital has been a leader in providing multispecialty tertiary healthcare across hyderabad, offering world-class, yet cost-effective clinical care, always keeping the patient’s The department has an experienced and efficient panel of doctors specialised in sub-fields of Medical Oncology, Haematology, Radiation Oncology, Specialised Once surgery and Bone Marrow Transplant services. Sreemanju hospital advanced cancer treatment and care using the latest equipment and technology.

Oncology Hospital in Hyderabad