Forum Discussion
dmarquesgn
Apr 06, 2023 - Iron Contributor
Bitlocker logic workflow by Intune
Hi,
I'm analyzing here some issues with our Bitlocker implementation and recovery keys. We've found some devices that don't have recovery keys.
While doing this analysis, I have one thing which is not yet clear to me. Intune owns the bitlocker policy (which in our case is for All Users), and applies the policy to the user+machine.
When the device's storage is encrypted, where are the keys stored? Within Intune or within Azure AD? Where should it go first? So I can then analyze the first place where it should be.
Thanks
- rahuljindal-MVP, Bronze Contributor
Intune is only the policy provider. Depending on your BitLocker configuration policies, the keys will be escrowed in AAD. If some devices are not escrowing it, then you can run a script to have the keys escrowed.
https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html

- dmarquesgn, Iron Contributor
Hi, thanks for the notes and links.
I have set the options to escrow the keys in AAD and also on AD. Also the policy is set to all devices. But I've got several issues.
First, some devices are in Intune, but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place.
Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD.
So how can I troubleshoot these cases and understand what is really happening, so we can find a way to fix it globally?
Thanks

- rahuljindal-MVP, Bronze Contributor
"First, some devices are in Intune, but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place." - Have you checked whether the devices are indeed not receiving the policies? I normally start with Intune health and then move on to eventvwr for BitLocker-specific policies.
"Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD." - If the drive is already encrypted then the key will not be escrowed again. You will have to push a PS script to back up the key in AAD.
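The kind of script the last reply refers to, as an added example that is neither from this thread nor from the linked blog post: it escrows each recovery password on the device to Azure AD (adding one first when a volume only has a TPM protector) and then reads the BitLocker Management event log to confirm. It assumes Windows 10/11, an Azure AD joined or hybrid joined device, the built-in BitLocker PowerShell module, and an elevated session.

```powershell
# Added example (not from the thread or the linked blog): escrow every BitLocker
# recovery password on this device to Azure AD, adding one if the volume has none,
# then confirm the result from the BitLocker Management event log.
# Assumes: Windows 10/11, device Azure AD joined or hybrid joined, run as admin,
# and the built-in 'BitLocker' PowerShell module is available.

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that are actually protected have something to escrow.
    if ($vol.ProtectionStatus -ne 'On') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Status = 'NotProtected'; ProtectorId = $null }
        continue
    }

    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # A TPM-only volume has no recovery password to back up; add one first.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        try {
            # This call escrows the recovery password into the device's Azure AD object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            $status = 'Escrowed'
        } catch {
            # Typical causes: device not AAD joined, no network, or no permission to write the key.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Status = $status; ProtectorId = $p.KeyProtectorId }
    }
}
$results | Format-Table -AutoSize

# Confirm from the event log: ID 845 = recovery info backed up to Azure AD, 846 = backup failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Deployed as an Intune PowerShell script running in the system context, the first table tells you per volume whether escrow succeeded, and the 845/846 events give the same answer on the device itself for the ones the policy report says are missing.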