Forum Discussion

sumo83
Iron Contributor
Feb 06, 2024

Configure Bitlocker via Intune - few questions

Hello,

I would like to start enabling BitLocker silently on company computers via Intune. I will configure it via Endpoint Security > Disk Encryption. I also want to configure backing up the key to MS Entra...

Now, I am wondering how it will affect devices:

  • devices that already have BitLocker configured - will it make any mess, or will the policy just skip these devices?
  • devices that already have BitLocker configured and the key is not backed up to MS Entra - will the policy back up the key to MS Entra?
  • devices that have BitLocker configured and the key is backed up to MS Entra - again... will the policy skip these devices?

As you can see above, we have 3 scenarios in our company... We do not use any 3rd-party disk encryption... only BitLocker... And I just can't find answers to the above....


  • Andrew_Beard
    Copper Contributor

    sumo83 
    Hi, I have seen all of these scenarios at different customers over time, and I can tell you that the BitLocker policy from Intune will not affect any existing encrypted devices in any way. Unfortunately this also goes for the backed up BitLocker keys in the AD or MBAM. If using MBAM there are more hoops to jump through, but if only in the on-prem AD then you are fine to change the place the keys are stored using a remediation script from Intune.
    Make sure that you have the configuration set so that Intune wins out over GPO for conflicting settings in case you still have BitLocker config from a GPO.

    <#
    .SYNOPSIS
        Escrow (Backup) the existing Bitlocker key protectors to Azure AD (Intune)
    
    .DESCRIPTION
        This script will verify the presence of existing recovery keys and have them escrowed (backed up) to Azure AD
        Great for switching away from MBAM on-prem to using Intune and Azure AD for Bitlocker key management
    
    .INPUTS
        None
    
    .NOTES
        Version       : 1.0
        Author        : Michael Mardahl
        Twitter       : @michael_mardahl
        Blogging on   : www.msendpointmgr.com
        Creation Date : 11 January 2021
        Purpose/Change: Initial script
        License       : MIT (Leave author credits)
    
    .EXAMPLE
        Execute script as system or administrator
        .\Invoke-EscrowBitlockerToAAD.ps1
    
    .NOTES
        If there is a policy mismatch, then you might get errors from the built-in cmdlet BackupToAAD-BitLockerKeyProtector.
        So I have wrapped the cmdlet in a try/catch in order to suppress the error. This means that you will have to manually verify that the key was actually escrowed.
        Check MSEndpointMgr.com for solutions to get reporting stats on this.
    
    #>
    
    #region declarations
    
    $DriveLetter = $env:SystemDrive
    
    #endregion declarations
    
    #region functions
    
    function Test-Bitlocker ($BitlockerDrive) {
        #Tests the drive for existing Bitlocker keyprotectors
        try {
            Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
        } catch {
    #        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
            exit 0
        }
    }
    
    function Get-KeyProtectorId ($BitlockerDrive) {
        #fetches the key protector ID of the drive
        $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
        $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        return $KeyProtector.KeyProtectorId
    }
    
    function Invoke-BitlockerEscrow ($BitlockerDrive,$BitlockerKey) {
        #Escrow the key into Azure AD
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $BitlockerKey -ErrorAction SilentlyContinue
    #        Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
            exit 0
        } catch {
    #        Write-Error "This should never have happened? Debug me!"
            exit 1
        }
    }
    
    #endregion functions
    
    #region execute
    
    Test-Bitlocker -BitlockerDrive $DriveLetter
    $KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
    Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId
    #endregion execute


    You could use some form of the following for a detection script. Good luck.

    $DriveLetter = $env:SystemDrive
    
    function Test-Bitlocker ($BitlockerDrive) {
        #Tests the drive for existing Bitlocker keyprotectors
        try {
            Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
        } catch {
    #        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
            exit 0
        }
    }
    
    Test-Bitlocker -BitlockerDrive $DriveLetter
    
    # Detection success - Run the remediation script to escrow keys to AAD
    exit 1
    

     

    • sumo83
      Iron Contributor
      Thank you for that info... So I should be fine assigning the policy to "all devices" and not expect any issues 🙂

      There was no key management before - the BitLocker key was stored in a txt file.... 😕 ... So I will just make sure that I store them all in Azure now (either manually or by trying to use your script above)
      • Andrew_Beard
        Copper Contributor
        Hi, Yes you should be fine assigning it to all devices, although I would always first assign it to a small selection group of test machines in different states to see the result.
  • Andrew_Beard
    Copper Contributor

    sumo83 
    Hi, my original thinking for the Intune remediation script has a glaring issue: the script will rerun every time, since the disk is encrypted, so the detection method needed reworking. It failed on a registry key check, so I went back to an old-school log file check and updated the scripts as follows:

    #BitLocker-RemediationDetectionBackupToAzureAD.ps1
    $DriveLetter = $env:SystemDrive
    
    function Test-Bitlocker ($BitlockerDrive) {
        #Tests the drive for existing Bitlocker keyprotectors
        try {
            Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
        } catch {
    #        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
            exit 0
        }
    }
    
    if (Test-Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\BackupBitLockerToAAD.txt") {
    #    Write-Host "Backup is already done"
        exit 0
    } else {
        Test-Bitlocker -BitlockerDrive $DriveLetter
        # Detection of encrypted drive success - Run the remediation script to escrow keys to AAD
        exit 1
    }


    The actual remediation script therefore has to drop this file for detection to work, with the addition of the code [ | Out-File "$env:Programdata\Microsoft\IntuneManagementExtension\Logs\BackupBitLockerToAAD.txt" ], so the full script code is:

    <#
    .SYNOPSIS
        Escrow (Backup) the existing Bitlocker key protectors to Azure AD (Intune)
    
    .DESCRIPTION
        This script will verify the presence of existing recovery keys and have them escrowed (backed up) to Azure AD
        Great for switching away from MBAM on-prem to using Intune and Azure AD for Bitlocker key management
    
    .INPUTS
        None
    
    .NOTES
        Version       : 1.0
        Author        : Michael Mardahl
        Twitter       : @michael_mardahl
        Blogging on   : www.msendpointmgr.com
        Creation Date : 11 January 2021
        Purpose/Change: Initial script
        License       : MIT (Leave author credits)
    
    .EXAMPLE
        Execute script as system or administrator
        .\Invoke-EscrowBitlockerToAAD.ps1
    
    .NOTES
        If there is a policy mismatch, then you might get errors from the built-in cmdlet BackupToAAD-BitLockerKeyProtector.
        So I have wrapped the cmdlet in a try/catch in order to suppress the error. This means that you will have to manually verify that the key was actually escrowed.
        Check MSEndpointMgr.com for solutions to get reporting stats on this.
    
    #>
    
    #region declarations
    
    $DriveLetter = $env:SystemDrive
    
    #endregion declarations
    
    #region functions
    
    function Test-Bitlocker ($BitlockerDrive) {
        #Tests the drive for existing Bitlocker keyprotectors
        try {
            Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
        } catch {
    #        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
            exit 0
        }
    }
    
    function Get-KeyProtectorId ($BitlockerDrive) {
        #fetches the key protector ID of the drive
        $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
        $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        return $KeyProtector.KeyProtectorId
    }
    
    function Invoke-BitlockerEscrow ($BitlockerDrive,$BitlockerKey) {
        #Escrow the key into Azure AD
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $BitlockerKey -ErrorAction SilentlyContinue | Out-File "$env:Programdata\Microsoft\IntuneManagementExtension\Logs\BackupBitLockerToAAD.txt"
            # Note: with -ErrorAction SilentlyContinue a failed backup raises no error and emits no output, but Out-File still creates the marker file,
            # so the detection script reports "done" either way. Verify the escrow in Entra separately.
    #        Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
            exit 0
        } catch {
    #        Write-Error "This should never have happened? Debug me!"
            exit 1
        }
    }
    
    #endregion functions
    
    #region execute
    
    Test-Bitlocker -BitlockerDrive $DriveLetter
    $KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
    Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId
    #endregion execute
    
    


    Hope this helps you and others in the same boat 🙂
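A hardened variant of the remediation script, added here as an example and not part of Andrew_Beard's posts or Michael Mardahl's original script: it escrows every RecoveryPassword protector on the OS drive, lets the cmdlet raise a terminating error so the catch block actually runs, and writes the marker file (same path the thread's detection script checks) only when every escrow succeeded. The function names Get-RecoveryProtectors and Invoke-Escrow are my own; it assumes it runs as SYSTEM on an Entra-joined or hybrid-joined device, like the original.

```powershell
# Added example (not from the thread): hardened remediation that pairs with the
# marker-file detection script above. Assumes SYSTEM context on an Entra-joined device.
$DriveLetter = $env:SystemDrive
$MarkerPath  = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\BackupBitLockerToAAD.txt"

function Get-RecoveryProtectors ($BitlockerDrive) {
    # Returns every numerical-password (RecoveryPassword) protector on the drive;
    # an empty array if the volume is not BitLocker-protected at all.
    try {
        $vol = Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
    } catch {
        return @()
    }
    return @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Invoke-Escrow ($BitlockerDrive, $Protectors) {
    # Escrows each protector in turn; returns $true only if every call succeeded.
    $allOk = $true
    foreach ($p in $Protectors) {
        try {
            # -ErrorAction Stop makes a failed backup a terminating error, so the
            # catch block runs (with SilentlyContinue it never would).
            BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "Escrowed protector $($p.KeyProtectorId)"
        } catch {
            Write-Output "Escrow failed for $($p.KeyProtectorId): $($_.Exception.Message)"
            $allOk = $false
        }
    }
    return $allOk
}

$protectors = Get-RecoveryProtectors -BitlockerDrive $DriveLetter
if ($protectors.Count -eq 0) {
    # No recovery password protector: exit 1 keeps the device visible as "failed"
    # in the Intune report instead of silently marking it done.
    Write-Output "No RecoveryPassword protector on $DriveLetter; nothing escrowed."
    exit 1
}
if (Invoke-Escrow -BitlockerDrive $DriveLetter -Protectors $protectors) {
    # Marker holds only a timestamp and protector IDs, never the recovery password.
    "$(Get-Date -Format o) escrowed $($protectors.KeyProtectorId -join ',')" |
        Out-File -FilePath $MarkerPath -Encoding utf8
    exit 0
}
exit 1   # no marker written, so the next detection run schedules another attempt
```

The first line of output is what the Intune remediation report shows per device, so a failed escrow stays visible there rather than being hidden behind an empty marker file.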
