SOLVED

BitLocker recovery key not being uploaded into Intune when using BackupToAAD-BitLockerKeyProtector

Copper Contributor

Hello,

 

We are having an issue with the BackupToAAD-BitLockerKeyProtector PowerShell cmdlet to upload the BitLocker recovery key of our devices into AAD/Intune.

 

We currently use Sophos Device Encryption to encrypt our devices but want to migrate the recovery keys into Intune as we transition to Intune BitLocker policies. We created a script that attempts to upload the BitLocker recovery key into Intune but it appears the BackupToAAD-BitLockerKeyProtector cmdlet only works on devices where the user logs in with a domain account, and not a local Windows account. 

 

Is this standard behaviour?

 

I would have assumed that since the device is enrolled into Intune it would use the Management Extension to communicate with Intune for this task - and have no reliance on the logged in user. Looking at the BitLocker PowerShell module itself, a method named "BackupRecoveryInformationToCloudDomain" is called when this cmdlet is executed. I haven't been able to find much online about what happens beyond here. It would be good to know a bit more about this cmdlet as documentation is limited online.

 

Cheers

 

7 Replies

@ethanchal 

 

If the device is enrolled in Intune, you should try to create a BitLocker policy for it and enable the option to require Azure AD Key Backup, per this article:

 

Best Practices for Deploying BitLocker with Intune 

 

If doing a script, it should be run elevated as administrator, so it can access the system. Best practice is to set the policy and see if that method works, then to use the script as the fallback. It won't use the Management Extensions, it leverages WMI and .NET because BitLocker support is baked in at the OS-level.

 

It's possible it might not work as a local user though, because that account might not have a reference in Azure AD, and it needs credentials to connect. For Native Azure AD Joined devices, instead of logging in as ".\localuser" you can try logging in as "user@clouddomain.com" - the cmdlet should be able to work under the cloud account context. Logging in as DOMAIN\user will leverage Hybrid Azure AD Join, which is why it works that way.

 

Also confirm the device is properly registered in Azure AD and Intune via DsRegCmd.exe /status.

 

Please like or mark this thread as answered if it's helpful, thanks!

 

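The following script is an added example, not code from the thread or from Microsoft: it puts the advice above into a single elevated run that checks the join state with DsRegCmd, makes sure the volume has a numerical recovery password protector, calls BackupToAAD-BitLockerKeyProtector, and then reads the BitLocker Management event log to see whether the escrow actually succeeded. It assumes Windows PowerShell 5.1 with the built-in BitLocker module, and that event ID 845 is the success counterpart of the 846 failure event quoted later in this thread.

```powershell
# Added example (not from the thread): escrow the recovery password for a volume to
# Azure AD and verify the outcome through the BitLocker event log. Run elevated on
# the device. Assumptions: built-in BitLocker module; events 845 (success) and
# 846 (failure) are written to Microsoft-Windows-BitLocker/BitLocker Management.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:'
)

# 1. Join state first: if dsregcmd does not report an Azure AD identity, the cmdlet
#    has nowhere to escrow the key (local accounts fail with event 846).
$joinState = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)') {
        $joinState[$Matches[1]] = $Matches[2]
    }
}
Write-Host ("Join state: " + (($joinState.GetEnumerator() |
    ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '))
if ($joinState['AzureAdJoined'] -ne 'YES') {
    throw "Device is not Azure AD joined or hybrid joined; cloud key backup cannot work."
}

# 2. The cloud backup only accepts a numerical recovery password protector, so add one
#    if the volume (e.g. one encrypted by a third-party tool) does not have it yet.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Host "No recovery password protector on $MountPoint; adding one."
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Request the escrow for every recovery password protector on the volume.
$start = Get-Date
foreach ($p in $rp) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        Write-Host "Requested backup of protector $($p.KeyProtectorId)."
    } catch {
        Write-Warning "BackupToAAD-BitLockerKeyProtector failed: $($_.Exception.Message)"
    }
}

# 4. The cmdlet's real result is in the event log: 845 = backed up, 846 = failed
#    (846 with "You need to be signed into Windows with a Microsoft account" is the
#    local-account / no-PRT case discussed in this thread).
Start-Sleep -Seconds 5
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 845/846 event recorded yet; re-run the query or check the log manually."
}
foreach ($e in $events) {
    $status = if ($e.Id -eq 845) { 'SUCCESS' } else { 'FAILURE' }
    Write-Host "[$status] $($e.TimeCreated) Event $($e.Id): $($e.Message)"
}
```

Running this in the SYSTEM context (for example as an Intune script) still depends on the device having a usable Azure AD identity; on a hybrid-joined device that has never reached a domain controller, step 1 is where you will see the missing state, and step 4 is where the 846 event from the thread shows up.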

Hi... Did you happen to have read part 5 from this blog? https://call4cloud.nl/2022/09/autopilot-pre-provisionings-infinite-play-uh-waiting-list/#part5

It's mentioning just the exact thing you tried to do and it also mentions why it failed you... "You need to be signed in with a Microsoft account .. "

Hey Kurt, thanks for the info on the WMI/.NET backend. I was scratching my head trying to understand the workings of that cmdlet.

We tried deploying the Intune encryption policy to get the key backed up but no luck, same story with the script running as system. Looking in event viewer shows the following after running the script:

Event 846: Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. You need to be signed into Windows with a Microsoft account to save your recovery key.

I didn't mention originally but our devices are HAADJ without line of sight to the DC, I think this is our issue here. It's a shame Intune can't escrow the key for us through the mdm enrolment profile.

Hi again Rudy :) I hadn't spotted this article but from reading that and from what other commenters have posted I think we are out of ideas for our HAADJ devices without line of sight to the DC! Thanks for posting.

best response confirmed by ethanchal (Copper Contributor)
Solution

@ethanchal 

 

You may want to look into this Autopilot feature, which gets it to work over VPN, and would thereby give you line-of-sight to the DC that way.

 

Trying Out Autopilot Hybrid Join Over VPN In Your Azure Lab 

 

Please like or mark this thread as answered if it's helpful, thanks!

You can simply add the Office 365 user into "Access work or school" in system settings and make the user a local admin. After restart, you will find the option "Save to your Azure AD account". And also run the command BackupToAAD-BitLockerKeyProtector ....