Forum Discussion
dmarquesgn
Apr 06, 2023, Iron Contributor
Bitlocker logic workflow by Intune
Hi, I'm analyzing here some issues with our Bitlocker implementation and recovery keys. We've found some devices that don't have recovery keys. While doing this analysis, I have one thing which is ...
rahuljindal-MVP
Apr 06, 2023, Bronze Contributor
Intune is only the policy provider. Depending on your BitLocker configuration policies, the keys will be escrowed in AAD. If some devices are not escrowing it, then you can run a script to have the keys escrowed.
https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html
- dmarquesgn, Apr 12, 2023, Iron Contributor
Hi, thanks for the notes and links.
I have set the options to escrow the keys in AAD and also in AD. Also, the policy is set to all devices. But I've got several issues.
First, some devices are in Intune but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place.
Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD.
So how can I troubleshoot these cases and understand what is really happening, so we can find a way to fix it globally?
Thanks
- rahuljindal-MVP, Apr 12, 2023, Bronze Contributor
"First, some devices are in Intune but do not appear in the BitLocker policy device status area, and of course do not have the keys in AAD, which means that they are not getting the policy in the first place." - Have you checked whether the devices are indeed not receiving the policies? I normally start with Intune health and then move on to eventvwr for BitLocker-specific policies.
"Second, some devices get the policy, because they are encrypted, but do not store the keys in AAD." - If the drive is already encrypted then the key will not be escrowed again. You will have to push a PS script to back up the key in AAD.
- dmarquesgn, Apr 12, 2023, Iron Contributor
Ok, I'll take a look at both cases and push some news soon. Thanks
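The kind of script referred to above for the already-encrypted case, as an added example that is not part of the thread or of the linked blog post: it checks Azure AD join state, adds a recovery password protector where an encrypted volume has none, escrows every recovery password with the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet, and then reads the BitLocker-API Management log to confirm the result. It assumes an elevated (SYSTEM) context such as an Intune PowerShell script and a Windows 10 1809 or later build that ships the BitLocker module.

```powershell
# Added example: escrow existing BitLocker recovery passwords to Azure AD and verify.
# Assumes: elevated/SYSTEM context, AAD- or hybrid-joined device, BitLocker module present.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Escrow to AAD only works on an Azure AD / hybrid joined device; fail early otherwise.
$joined = (dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES'
if (-not $joined) { throw 'Device is not Azure AD joined; cannot escrow keys to AAD.' }

foreach ($vol in Get-BitLockerVolume) {
    # Unencrypted drives have nothing to escrow; policy enforcement handles those.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output "$($vol.MountPoint) is not encrypted, skipping"
        continue
    }

    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # An encrypted drive without a recovery password protector cannot be recovered
        # from AAD at all, so add one before escrowing.
        Write-Output "$($vol.MountPoint) has no RecoveryPassword protector, adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow each recovery password protector individually (a volume may have several).
    foreach ($p in $rp) {
        Write-Output "Escrowing $($vol.MountPoint) protector $($p.KeyProtectorId) to AAD"
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Verification: the BitLocker-API Management log records event 845 on a successful
# backup to Azure AD and 846 on failure; show what was logged in the last 10 minutes.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The 845/846 events are also what to look for in eventvwr when checking a device that received the policy but never escrowed its key.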