
BitLocker Recovery Key to Azure AD and Intune

Naw Awn

Managing BitLocker recovery keys for multiple devices can be a daunting task without the right tools. I happened to run a project where BitLocker recovery keys were managed by Sophos Central, and I had to port all of them over to the Intune portal.

In this blog post, I want to share how I did it with a PowerShell script. It uses the BitLocker PowerShell module that ships with Windows 10. The only prerequisite is that the computer is either Azure AD joined or hybrid Azure AD joined, since BackupToAAD-BitLockerKeyProtector escrows the recovery password to the device object in Azure AD.

To do this manually, simply run the script below on the computer. The recovery key should then appear on the device object in Azure AD. A log file (BLLog.txt) is written to the Windows temp folder.

Upload-BitLockerRecoveryKey.ps1

Function Upload-BitlockerRecoveryKey {
    Begin {
        # Machine-scope TEMP (normally C:\Windows\Temp) so the log lands in the same
        # place whether the script runs interactively or as SYSTEM via Intune.
        $WinTemp = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
        $LogFile = 'BLLog.txt'
    }
    Process {
        $BLDrive = Get-BitLockerVolume -MountPoint 'C:'
        If ($BLDrive.VolumeStatus -eq 'FullyEncrypted') {
            Try {
                # A volume can carry more than one RecoveryPassword protector, and
                # -KeyProtectorId takes a single ID, so back up each one separately.
                $RecoveryProtectors = @($BLDrive.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
                If ($RecoveryProtectors.Count -eq 0) {
                    Throw 'No RecoveryPassword key protector found on C:.'
                }
                ForEach ($Protector in $RecoveryProtectors) {
                    BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $Protector.KeyProtectorId -ErrorAction Stop
                }
                $Message = 'Bitlocker key has been uploaded'
                New-Item -Path $WinTemp -Name $LogFile -ItemType 'File' -Value $Message -Force -Confirm:$false | Out-Null
                Write-Output $Message
                # Exit code 0 tells Intune the script succeeded.
                Exit 0
            }
            Catch {
                # Record the failure reason in the log, then fail the script so Intune reports it.
                New-Item -Path $WinTemp -Name $LogFile -ItemType 'File' -Value $_.Exception.Message -Force -Confirm:$false | Out-Null
                Throw $_.Exception.Message
            }
        }
        Else {
            $Message = 'C drive has not been encrypted.'
            New-Item -Path $WinTemp -Name $LogFile -ItemType 'File' -Value $Message -Force -Confirm:$false | Out-Null
            Throw $Message
        }
    }
}
Upload-BitlockerRecoveryKey
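To confirm on a device that the prerequisite holds and that the escrow actually happened, here is an added check (my own example, not part of the original post). It reads the join state from dsregcmd, lists the RecoveryPassword protectors on the volume, and looks up the most recent backup result in the BitLocker Management event log, where event 845 is a successful backup to Azure AD and 846 a failed one. The function name Test-BitLockerKeyEscrow is mine.

```powershell
# Added example: verify join state, protectors and the last Azure AD backup result.
# Run from an elevated PowerShell session on the device after the upload script has run.
Function Test-BitLockerKeyEscrow {
    [CmdletBinding()]
    Param(
        [string]$MountPoint = 'C:'
    )

    # 1. Join state. BackupToAAD-BitLockerKeyProtector needs the device to be Azure AD
    #    joined or hybrid Azure AD joined; dsregcmd /status reports both flags.
    $DsReg = dsregcmd /status
    $AzureAdJoined = [bool]($DsReg | Select-String -Quiet '^\s*AzureAdJoined\s*:\s*YES')
    $DomainJoined  = [bool]($DsReg | Select-String -Quiet '^\s*DomainJoined\s*:\s*YES')

    # 2. Volume state. Without a RecoveryPassword (numerical password) protector there
    #    is nothing to escrow; a TPM-only volume will show up here with an empty list.
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint
    $RecoveryProtectors = @($Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 3. Outcome. The BitLocker Management log records 845 on success and 846 on failure
    #    when a recovery password is backed up to Azure AD; only the newest event matters.
    $LastEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        MountPoint           = $MountPoint
        AzureAdJoined        = $AzureAdJoined
        HybridAzureAdJoined  = $AzureAdJoined -and $DomainJoined
        VolumeStatus         = $Volume.VolumeStatus
        RecoveryProtectorIds = $RecoveryProtectors.KeyProtectorId
        LastBackupEventId    = $LastEvent.Id
        LastBackupTime       = $LastEvent.TimeCreated
        LastBackupSucceeded  = ($LastEvent.Id -eq 845)
    }
}

Test-BitLockerKeyEscrow | Format-List
```

If LastBackupEventId is empty, no backup attempt has been logged yet; if it is 846, the event message in that log states why the upload failed.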

To deploy this through the Intune management portal:

  1. Sign in to https://endpoint.microsoft.com
  2. Navigate to Devices > Scripts
  3. Click + Add and choose Windows 10 and later
  4. Give it a name
  5. Upload the script
  6. Assign it to a device group
  7. Review and save

With this in place, the BitLocker recovery keys of the targeted devices are gradually populated into the Intune portal as the script runs on each of them. I would also recommend setting up a proper disk encryption policy in Intune so that new devices escrow their keys from the start.