Jun 03 2022 12:44 PM
Steps you do.
Move devices in SCCM into a collection where Intune controls everything; devices are on-prem.
All policies work, but the BitLocker recovery keys do not sync from AD to Intune.
If I manually go to the device I can trigger a BitLocker key rotation and one key shows up. Fully AAD devices that went through Autopilot have two recovery keys in Intune.
Not sure how everyone is handling this but I did find a remediation script.
https://call4cloud.nl/2021/02/b-for-bitlocker/
But is there any other way of handling this and why is it happening?
Jun 03 2022 02:06 PM
The following option is not present in a BitLocker policy, but is present in an Endpoint protection policy template. Would this actually solve it? And do I have to delete the BitLocker policy, or is there any way of me setting only that option?
Jun 03 2022 06:57 PM
Solution
Hi @JimmyWork
Do you have on-premises GPO? If you do, bear in mind it will always win, so make sure it's disabled on devices that are scoped in the Intune policy.
I would also use the Intune Endpoint Protection Template (like you mentioned above) and make sure the setting you attached is selected, and also the one I attached.
I used the script below last year to migrate the keys into AAD; hope it helps as well.
https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/
Moe
Jun 04 2022 08:08 AM
Also, in your image you are using an Endpoint protection policy template. I have configured the BitLocker policy with a BitLocker policy template; the option
"Store recovery information in Azure Active Directory before enabling BitLocker" is not available in my config. I do, however, have "Require device to back up recovery information to Azure AD".
Jun 04 2022 08:50 AM - edited Jun 04 2022 08:58 AM
Got it, thanks for the clarification!
I still think disabling the GPO policy would remove some complexity in your case. There are multiple places for BitLocker in MEM, and I would stay on one policy from MEM.
Moe
Jun 08 2022 05:46 AM
Thank you again for answering.
What I'm currently trying is that I used the following PS script.
Windows - Devices - PowerShell scripts.
Assigned it to a device, but for some reason it has not run yet, after 4 hours.
# Get the OS volume and every numerical recovery password protector on it
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtectors = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Escrow each one to Azure AD (a single variable breaks if more than one protector exists)
foreach ($Protector in $RecoveryProtectors) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $Protector.KeyProtectorId
}
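A fuller version of the escrow script above, added here as an example and not taken from the thread or from either linked blog post. It handles the two cases the three-line script does not: a volume with no numerical recovery password at all (only a RecoveryPassword protector can be escrowed, so one is created first), and more than one recovery password on the drive. It assumes it runs as SYSTEM from Intune's PowerShell scripts feature, that the BitLocker PowerShell module is present, and that the device is Azure AD joined or hybrid joined; the exit codes are a convention chosen here so Intune records success or failure.

```powershell
# Added example (not from the thread): back up every BitLocker recovery password
# on the OS drive to Azure AD, creating one if none exists.
# Assumes: runs as SYSTEM, BitLocker module available, device is AAD/hybrid joined.
# Exit 0 = all protectors escrowed, exit 1 = something to investigate.

$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive

try {
    $vol = Get-BitLockerVolume -MountPoint $mount
} catch {
    Write-Output "Get-BitLockerVolume failed for $mount : $($_.Exception.Message)"
    exit 1
}

if ($vol.ProtectionStatus -ne 'On') {
    # Nothing to escrow if the drive is not protected; report it rather than silently succeed
    Write-Output "BitLocker protection is not on for $mount (status: $($vol.ProtectionStatus))."
    exit 1
}

# Wrap in @() so .Count works whether zero, one or many protectors come back
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recovery.Count -eq 0) {
    # TPM-only drives have no numerical password; add one so there is something to back up
    Write-Output "No RecoveryPassword protector found; adding one."
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

$failed = 0
foreach ($p in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "Backed up protector $($p.KeyProtectorId) to Azure AD."
    } catch {
        $failed++
        Write-Output "Backup of $($p.KeyProtectorId) failed: $($_.Exception.Message)"
    }
}

if ($failed -gt 0) { exit 1 }
exit 0
```

To confirm a run actually escrowed the key, check the Microsoft-Windows-BitLocker/BitLocker Management event log on the device for event ID 845 ("recovery information ... was backed up successfully to your Azure AD") and then look for the key under the device in the Intune portal; a script that exits 0 in Intune but produces no 845 event is the case worth chasing, since it usually means the device identity in AAD does not match what the portal shows.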