Forum Discussion

drivesafely
Brass Contributor
Dec 02, 2024

Bitlocker Recovery Key Sync Issue in Intune

Hello All,  

We’ve configured Bitlocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks, devices assigned to the Bitlocker policy are encrypting successfully, but the recovery keys are not syncing to Intune/Entra.  

Below are the relevant event logs from the affected devices:  

- Event ID: 846
- Failed to backup Bitlocker Drive Encryption recovery information for volume C: to your Azure AD.
- TraceId: (xxxx)
- Error: JSON value not found.

- Event ID: 875
- Server reported a failure while attempting to retrieve recovery password information from AAD.
- Error: Unknown HResult Error code: 0x80190000
- HTTP Status Code: 0
- RetryRequest: false
- DidSetRetryHint: false
- RetryHintSeconds: 0

- Event ID: 868
- Failed while attempting to get Bitlocker Drive Encryption recovery information from Azure AD.
- Error Code: Unauthorized (401)

If anyone has encountered similar issues, your guidance on troubleshooting would be greatly appreciated.

Thanks,  

  • Lee_Burridge
    Copper Contributor

    If you are only concerned about the OS Drive this will work:

    # Get the BitLocker volume object for the C: drive
    $BLV = Get-BitLockerVolume -MountPoint C:

    # Back up the recovery password protector to Azure Active Directory.
    # Index 1 assumes the recovery password is the second protector in the list
    # (the TPM protector is usually index 0); inspect $BLV.KeyProtector to confirm.
    BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

  • Kiwi235
    Copper Contributor

    Hi, have either of you guys found a solution to this? I have the same issue


  • Ankido
    Iron Contributor

    try {
        # Get the BitLocker volume object for the system drive (usually C:)
        $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive

        # Find the first RecoveryPassword protector; only this type is escrowed to Entra
        $KeyProtectorID = ""
        foreach ($keyProtector in $BLV.KeyProtector) {
            if ($keyProtector.KeyProtectorType -eq "RecoveryPassword") {
                $KeyProtectorID = $keyProtector.KeyProtectorId
                break
            }
        }

        # -WhatIf only simulates the backup; remove it to perform the real upload
        $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -WhatIf
        return $true
    }
    catch {
        # Report the failure and return a non-success status to the caller
        Write-Error $_
        return $false
    }

    What the script does:

    1. Retrieves BitLocker volume information: $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
      • This command retrieves details about the BitLocker protection on the system drive (usually C:).
    2. Iterates through key protectors: foreach($keyProtector in $BLV.KeyProtector){ if($keyProtector.KeyProtectorType -eq "RecoveryPassword"){ $KeyProtectorID=$keyProtector.KeyProtectorId; break; } }
      • Loops through all key protectors associated with the volume.
      • If the key protector type is RecoveryPassword (a BitLocker recovery key), it saves its KeyProtectorId.
    3. Backs up the recovery key to Entra (simulated): $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -whatif
      • BackupToAAD-BitLockerKeyProtector: A command used to back up a BitLocker recovery key to Azure Active Directory.
      • -whatif: A simulation parameter that prevents the command from making any actual changes, showing only what would happen.
    4. Returns success status: return $true
      • If no errors occur, the script returns true.
    5. Handles errors: catch{
      • Any errors that occur during execution are caught here (though error-handling code is missing in the snippet provided).

    Summary:

    The script:

    • Identifies the recovery key for the BitLocker-protected system volume.
    • Simulates backing up the recovery key to Azure Active Directory (due to the -whatif parameter).
    • Returns true if the process succeeds or handles errors in the catch block.

    Note: The script does not actually back up the key because the -whatif parameter is used. To perform the actual backup, you would need to remove -whatif.
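An added example, not from any poster in this thread, that goes one step beyond the scripts above: it backs up every RecoveryPassword protector on the system drive (not only the first or index 1) and then reads the BitLocker management event log to confirm whether the upload succeeded (Event ID 845) or failed (Event ID 846, the error in the original post). It assumes the built-in BitLocker module, an elevated session on an Entra-joined or hybrid-joined device, and the log name shown below.

```powershell
# Added example: escrow all RecoveryPassword protectors on the OS drive and verify the outcome.
$Drive = $env:SystemDrive
$Since = Get-Date

$BLV = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
if ($BLV.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "$Drive is '$($BLV.VolumeStatus)'; escrow may be refused until encryption completes."
}

# Only RecoveryPassword protectors are escrowed; TPM and other protector types are never uploaded.
$Recovery = @($BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($Recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $Drive; add one with Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector first."
}

$Results = foreach ($kp in $Recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        [pscustomobject]@{ KeyProtectorId = $kp.KeyProtectorId; Backup = 'Requested' }
    }
    catch {
        [pscustomobject]@{ KeyProtectorId = $kp.KeyProtectorId; Backup = "Failed: $($_.Exception.Message)" }
    }
}
$Results | Format-Table -AutoSize

# The cmdlet returns before the upload finishes; the BitLocker management log records the result.
# 845 = recovery information backed up successfully, 846 = backup failed (as in the original post).
Start-Sleep -Seconds 10
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Warning 'No 845/846 event logged yet; re-run the Get-WinEvent query later, or look for 875/868 for auth failures.'
}
else {
    $Events | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } | Format-Table -AutoSize
}
```

A 401 (Event ID 868) or 0x80190000 (Event ID 875) after this script still points at the device's token or service-side registration rather than the local protector, so the check above tells you where to look rather than masking the failure.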
