Forum Discussion
drivesafely
Dec 02, 2024, Brass Contributor
Bitlocker Recovery Key Sync Issue in Intune
Hello All,
We’ve configured Bitlocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks, devices assigned to the Bitlocker policy are encrypting successfully, but the recovery keys are not syncing to Intune/Entra.
Below are the relevant event logs from the affected devices:
- Event ID 846: Failed to backup Bitlocker Drive Encryption recovery information for volume C: to your Azure AD.
  - TraceId: (xxxx)
  - Error: JSON value not found.
- Event ID 875: Server reported a failure while attempting to retrieve recovery password information from AAD.
  - Error: Unknown HResult Error code: 0x80190000
  - HTTP Status Code: 0
  - RetryRequest: false
  - DidSetRetryHint: false
  - RetryHintSeconds: 0
- Event ID 868: Failed while attempting to get Bitlocker Drive Encryption recovery information from Azure AD.
  - Error Code: Unauthorized (401)
If anyone has encountered similar issues, your guidance on troubleshooting would be greatly appreciated.
Thanks,
- Lee_Burridge, Copper Contributor
If you are only concerned about the OS Drive this will work:

```powershell
# Get the BitLocker volume object for the C: drive
$BLV = Get-BitLockerVolume -MountPoint C:
# Back up the recovery password protector to Azure Active Directory
# (assumes the RecoveryPassword protector is the second entry, index 1, of KeyProtector,
# which is the usual layout when a TPM protector was added first)
BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
```
- Kiwi235, Copper Contributor
Hi, have either of you guys found a solution to this? I have the same issue
- iu360, Copper Contributor
Hello
I have same issue
- Ankido, Iron Contributor

```powershell
try {
    # Get the BitLocker volume object for the system drive (usually C:)
    $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $KeyProtectorID = ""
    # Find the RecoveryPassword protector; that is the one Entra/Intune stores
    foreach ($keyProtector in $BLV.KeyProtector) {
        if ($keyProtector.KeyProtectorType -eq "RecoveryPassword") {
            $KeyProtectorID = $keyProtector.KeyProtectorId
            break
        }
    }
    # -WhatIf only simulates the backup; remove it to perform the real escrow
    $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -WhatIf
    return $true
}
catch {
    # Error handling was missing from the original snippet; report the error and return failure
    Write-Error $_
    return $false
}
```

What the script does:
- Retrieves BitLocker volume information: `$BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive`
  - This command retrieves details about the BitLocker protection on the system drive (usually C:).
- Iterates through key protectors: `foreach($keyProtector in $BLV.KeyProtector){ if($keyProtector.KeyProtectorType -eq "RecoveryPassword"){ $KeyProtectorID=$keyProtector.KeyProtectorId; break } }`
  - Loops through all key protectors associated with the volume.
  - If the key protector type is RecoveryPassword (a BitLocker recovery key), it saves its KeyProtectorId.
- Backs up the recovery key to Entra (simulated): `$result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -whatif`
  - BackupToAAD-BitLockerKeyProtector: a command used to back up a BitLocker recovery key to Azure Active Directory.
  - -whatif: a simulation parameter that prevents the command from making any actual changes, showing only what would happen.
- Returns success status: `return $true`
  - If no errors occur, the script returns true.
- Handles errors: `catch{`
  - Any errors that occur during execution are caught here (though error-handling code is missing in the snippet provided).
Summary:
The script:
- Identifies the recovery key for the BitLocker-protected system volume.
- Simulates backing up the recovery key to Azure Active Directory (due to the -whatif parameter).
- Returns true if the process succeeds or handles errors in the catch block.
Note: The script does not actually back up the key because the -whatif parameter is used. To perform the actual backup, you would need to remove -whatif.
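Building on the two scripts above, here is an added example (not code from any poster in this thread) that escrows every RecoveryPassword protector on every protected volume rather than a single fixed index, then reads the BitLocker Management event log to confirm the outcome, since the cmdlet returns before the server has accepted the key. It assumes Event ID 845 is the success counterpart of the 846 failure quoted in the original post, and that the dsregcmd fields named in the comments are present on the device.

```powershell
# Added example: escrow all recovery passwords to Entra ID and verify via the event log.
# Assumptions (not from the thread): Event ID 845 = backup succeeded, 846 = backup failed;
# log name as used on Windows 10/11 clients.
$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$Start   = Get-Date

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that are actually protected have a key worth escrowing
    if ($vol.ProtectionStatus -ne 'On') { continue }

    # A volume can carry several RecoveryPassword protectors; escrow each one,
    # because Entra/Intune stores keys per KeyProtectorId, not per volume.
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rpProtectors) {
        [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $null; Status = 'NoRecoveryPassword' }
        continue
    }

    foreach ($kp in $rpProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'Requested'
        }
        catch {
            # A 401 here, as in the original post, points at the device's token/identity, not the key
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $kp.KeyProtectorId; Status = $status }
    }
}

# The escrow completes asynchronously; give the service a moment, then read the events
# written since $Start (845 success / 846 failure) to see what actually happened.
Start-Sleep -Seconds 10
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845, 846; StartTime = $Start } `
    -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
$results | Format-Table -AutoSize

# For a 401 Unauthorized, the join and device-auth state reported by dsregcmd is the first
# thing to check: the escrow call relies on the device's Entra identity to get a token.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|AzureAdPrt|DeviceAuthStatus'
```

Run it elevated on an affected device; a 'Requested' status with no 845 event afterwards means the request left the machine but the service did not record the key.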