Forum Discussion

dmarquesgn
Iron Contributor
Apr 06, 2023

BitLocker logic workflow by Intune

Hi,

I'm analyzing some issues with our BitLocker implementation and recovery keys. We've found some devices that don't have recovery keys.

While doing this analysis, there is one thing which is not yet clear to me. Intune owns the BitLocker policy (which in our case is for All Users) and applies the policy to the user and machine.

When the device's storage is encrypted, where are the keys stored? Within Intune or within Azure AD? Where should they go first? Then I can analyze the first place where they should be.

Thanks


    •
      dmarquesgn
      Iron Contributor

      rahuljindal-MVP

      Hi, thanks for the notes and links.
      I have set the options to escrow the keys in AAD and also in AD. Also, the policy is set to all devices. But I've got several issues.

      First, some devices are in Intune, but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place.
      Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD.


      So how can I troubleshoot these cases and understand what is really happening, so we can find a way to fix it globally?

      Thanks

      •
        rahuljindal-MVP
        Bronze Contributor
        "First, some devices are in Intune, but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place." - Have you checked the devices to see if they are indeed not receiving the policies? I normally start with Intune health and then move on to eventvwr for BitLocker-specific policies.

        "Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD." - If the drive is already encrypted then the key will not be escrowed again. You will have to push a PS script to back up the key in AAD.
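As an added example (not code from either poster), this is the kind of script rahuljindal-MVP describes for a device that was already encrypted before the policy reached it: it escrows each fully encrypted volume's recovery password to Azure AD, first adding a recovery-password protector where the volume has none, and then checks the BitLocker management event log for the backup event. The cmdlets are the built-in BitLocker module's; the event ID in the verification step is my assumption.

```powershell
# Added example: escrow existing BitLocker recovery passwords to Azure AD.
# Run elevated on an Azure AD joined or hybrid joined device.
#Requires -RunAsAdministrator

$results = @()

foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that are actually encrypted have a key worth escrowing.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; Result = "skipped ($($vol.VolumeStatus))" }
        continue
    }

    # A device encrypted before the policy arrived may carry no recovery
    # password protector at all (TPM-only); add one so there is something
    # to escrow. Get-BitLockerVolume is re-read so the new ID is visible.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; Result = "escrowed $($p.KeyProtectorId)" }
        } catch {
            # Typical causes: device not AAD joined, no network, or no usable token.
            $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; Result = "failed: $($_.Exception.Message)" }
        }
    }
}

$results | Format-Table -AutoSize

# Verification: a successful escrow is logged in the BitLocker management
# channel. Event ID 845 is the ID I believe is written for an Azure AD
# backup (assumption; confirm against eventvwr on one of your devices).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Deployed through Intune as a device script, the table output shows up in the script's output, and devices whose result is "failed" are the ones to look at in eventvwr next.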
