As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe.  You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.

BitLocker only escrows recovery keys to the device object in Azure AD if the encryption happens while the device is already Azure AD joined or Hybrid Azure AD joined.  Once they are there, you can retrieve the recovery keys from the Azure AD portal or from Microsoft Endpoint Manager (which really just takes you to the device's properties in Azure AD).

In any of the following scenarios, therefore, the keys will not be uploaded to Azure AD automatically:

  • Introducing Hybrid Azure AD Join to an existing fleet and you want to store recovery keys in Azure AD
  • Third-party software “brokering” BitLocker encryption and storing recovery keys in itself (e.g. Sophos Central)
  • The device was encrypted with BitLocker, manually or otherwise, before Azure AD or Hybrid Azure AD Join

The way to get those keys into Azure AD is the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which does what it says on the tin.  Better still, do it for your entire encrypted estate by deploying a script through Intune.

Here’s how in three steps.

1. The script I recommend is available here, but make sure you remove the -WhatIf parameter before you deploy it to production.  Save it as a PowerShell .ps1 script file.

2. Navigate to Microsoft Endpoint Manager Admin Centre > Devices > Windows > PowerShell Scripts and choose + Add.

3. Choose to run the script as SYSTEM (the BitLocker cmdlets need administrative rights), then assign it to the devices whose recovery keys you need to save.

Intune executes PowerShell scripts through an agent on Windows 10, the Intune Management Extension (IME).  For devices newly enrolling into Intune, if the script is scoped to them at the time of enrolment, it will run via the IME soon after enrolment.  For existing devices, the script runs at the next check-in or whenever the IME service restarts (e.g. after a reboot).  Once the script has run successfully, the recovery key appears in Azure AD almost immediately in my experience.
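The post links to its own script above; what follows is an added example, not the author's script, showing what a script for this job looks like when written to run as SYSTEM under the IME.  It enumerates every BitLocker volume, backs up each RecoveryPassword protector with BackupToAAD-BitLockerKeyProtector, and exits non-zero on any failure so Intune reports it.  The $DryRun switch (which mirrors the -WhatIf advice in step 1), the log file location and the dsregcmd join check are this example's own choices, not anything Intune requires.

```powershell
<#
  Added example (not the script linked from the post): escrow every BitLocker
  recovery password on this device to Azure AD via BackupToAAD-BitLockerKeyProtector.
  Intended to run as SYSTEM from an Intune PowerShell script.
  $DryRun, $LogFile and the dsregcmd check are this example's own choices.
#>

$DryRun  = $true   # same idea as the post's -WhatIf: set to $false for production
$LogFile = Join-Path $env:ProgramData 'BitLockerAadBackup.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line    # also lands in the IME log
}

# 1. Only an Azure AD joined or Hybrid Azure AD joined device has a device
#    object in Azure AD for the key to be stored against.
$dsreg = (& dsregcmd.exe /status) -join "`n"
if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') {
    Write-Log 'Device is not Azure AD joined (dsregcmd AzureAdJoined != YES); nothing to back up to.'
    exit 1
}

$failures = 0
foreach ($vol in Get-BitLockerVolume) {
    # 2. Unencrypted volumes have no protectors worth escrowing.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log ('{0} is not encrypted; skipping.' -f $vol.MountPoint)
        continue
    }

    # 3. Only RecoveryPassword protectors can be backed up to Azure AD.
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recoveryProtectors.Count -eq 0) {
        # TPM-only (or password-only) volumes: nothing to upload until a recovery
        # password protector is added (Add-BitLockerKeyProtector -RecoveryPasswordProtector).
        Write-Log ('{0} has no recovery password protector; add one before re-running.' -f $vol.MountPoint)
        $failures++
        continue
    }

    # 4. Back up each recovery password protector by its ID.
    foreach ($kp in $recoveryProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -WhatIf:$DryRun -ErrorAction Stop
            Write-Log ('Backed up protector {0} for {1} to Azure AD.' -f $kp.KeyProtectorId, $vol.MountPoint)
        } catch {
            Write-Log ('Failed to back up protector {0} for {1}: {2}' -f $kp.KeyProtectorId, $vol.MountPoint, $_.Exception.Message)
            $failures++
        }
    }
}

# 5. A non-zero exit code makes Intune mark the script as failed and retry it,
#    which is what you want for a device whose join or encryption was not finished yet.
if ($failures -gt 0) { exit 1 } else { exit 0 }
```

Two practical points when you deploy something like this: on 64-bit Windows the BitLocker module is only available to the 64-bit PowerShell host, so set "Run script in 64 bit PowerShell Host" to Yes when you add the script in step 2; and check the log after the first run on a pilot device while $DryRun is still $true, because the WhatIf output tells you which protector IDs would have been uploaded without touching Azure AD.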

2 Comments

  1. Tim

    Hi Ruairidh,

    Slightly off topic, but are you aware of any method to have the Bitlocker recovery key backed up to on-prem AD as well as AAD?

    My scenario is that I’m Autopiloting devices using both user driven and whiteglove options with a hybrid join occurring over VPN. I have no group policy being enforced on-prem for Bitlocker, however I do have a configuration profile template enabling bitlocker during enrollment.

    This produces two completely different behaviors:

    1. If an Autopilot device is set up in user driven mode, the key is escrowed to on-prem AD and never makes it to AAD.

    2. If an Autopilot device is set up in white glove mode, the key is escrowed to AAD and does not reach on-prem AD.

    Any obvious items I could be missing?

    Thanks

    • Hey Tim. Great question. Top of my head, I can’t think of anything but let me put the thinking cap on and see if there’s a solution. I’ll get a blog written up on what I find and update you.
