Forum Discussion
drivesafely
Dec 02, 2024 | Iron Contributor
Bitlocker Recovery Key Sync Issue in Intune
Hello All, We’ve configured Bitlocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks, devices assigne...
Ankido
Dec 02, 2024 | Iron Contributor
try {
    # Read the BitLocker state of the system drive (usually C:)
    $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $KeyProtectorID = ""
    # Find the first RecoveryPassword protector (the 48-digit recovery key)
    foreach ($keyProtector in $BLV.KeyProtector) {
        if ($keyProtector.KeyProtectorType -eq "RecoveryPassword") {
            $KeyProtectorID = $keyProtector.KeyProtectorId
            break
        }
    }
    # -WhatIf only simulates the escrow to Entra ID; remove it to back up the key for real
    $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -WhatIf
    return $true
}
catch {
    # The catch body was cut off in the original post; closing it here so the script parses,
    # reporting the error and returning failure
    Write-Error $_
    return $false
}
What the script does:
- Retrieves BitLocker volume information: $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
  - This command retrieves details about the BitLocker protection on the system drive (usually C:).
- Iterates through key protectors:
    foreach($keyProtector in $BLV.KeyProtector){
        if($keyProtector.KeyProtectorType -eq "RecoveryPassword"){
            $KeyProtectorID=$keyProtector.KeyProtectorId
            break;
        }
    }
  - Loops through all key protectors associated with the volume.
  - If the key protector type is RecoveryPassword (a BitLocker recovery key), it saves its KeyProtectorId.
- Backs up the recovery key to Entra (simulated): $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -whatif
  - BackupToAAD-BitLockerKeyProtector: A command used to back up a BitLocker recovery key to Azure Active Directory.
  - -whatif: A simulation parameter that prevents the command from making any actual changes, showing only what would happen.
- Returns success status: return $true
  - If no errors occur, the script returns true.
- Handles errors: catch{
  - Any errors that occur during execution are caught here (though error-handling code is missing in the snippet provided).
Summary:
The script:
- Identifies the recovery key for the BitLocker-protected system volume.
- Simulates backing up the recovery key to Azure Active Directory (due to the -whatif parameter).
- Returns true if the process succeeds or handles errors in the catch block.
Note: The script does not actually back up the key because the -whatif parameter is used. To perform the actual backup, you would need to remove -whatif.
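As an added example (not code from either poster), here is the same escrow done for real rather than simulated: it walks every BitLocker-protected volume, backs up each RecoveryPassword protector to Entra ID, counts failures, and ends with an exit code an Intune remediation script can act on. It assumes the BitLocker module cmdlets used above and an Entra joined or hybrid joined device; the function name is hypothetical.

```powershell
# Added example: escrow all BitLocker recovery passwords to Entra ID and
# report the number of failures. Assumes the BitLocker PowerShell module
# (Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector) and a device that
# is Entra joined or hybrid joined. Function name is hypothetical.
function Backup-AllRecoveryKeysToEntra {
    [CmdletBinding()]
    param()

    $failures = 0
    # Only volumes with protection on have a recovery password worth escrowing
    $volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    if (-not $volumes) {
        Write-Warning "No BitLocker-protected volumes found."
        return 1
    }

    foreach ($vol in $volumes) {
        $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $protectors) {
            # A volume without a RecoveryPassword protector has nothing to sync; flag it
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector present."
            $failures++
            continue
        }
        foreach ($p in $protectors) {
            try {
                # No -WhatIf here: this performs the real backup to Entra ID
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                Write-Output "$($vol.MountPoint): escrowed protector $($p.KeyProtectorId)"
            }
            catch {
                Write-Warning "$($vol.MountPoint): escrow failed for $($p.KeyProtectorId): $($_.Exception.Message)"
                $failures++
            }
        }
    }
    return $failures
}

# Non-zero exit code tells Intune the remediation did not fully succeed
$failed = Backup-AllRecoveryKeysToEntra
exit ([int]($failed -gt 0))
```

To confirm the escrow on the device, check the Microsoft-Windows-BitLocker/BitLocker Management event log for event ID 845 (recovery information backed up to Entra ID) or 846 (backup failed), then verify the key appears on the device's page in the Intune admin center.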