select distinct VRS.Netbios_Name0, CI.ComplianceStateName from v_R_System VRS
right join v_FullCollectionMembership_Valid FM on VRS.ResourceID=FM.ResourceID
right join fn_ListCI_ComplianceState(1033) CI on VRS.ResourceID=CI.ResourceID
where CI.CI_ID= '456414' --Specify CI ID
and FM.CollectionID='CM100011' --Specify Collection ID
select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
inner join v_gs_operating_system os on os.resourceid=sys.resourceid
inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
where uss.lasterrorcode!='0'
order by uss.lasterrorcode
Intune will only escrow the key if it is the one enabling BitLocker in the first place (i.e. after the user sign-in). If the BitLocker profile is already deployed to an encrypted system, Intune will not add its own key. To make this work you will need to use this PowerShell command: BackupToAAD-BitLockerKeyProtector. This involves passing the “keyprotectorID” as a parameter so using a few lines of code can get the job done. I am using index 0 of the array just in case there are multiple recovery keys on the drive (more on that in the next section).
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
[array]$ID = ($BLV.KeyProtector | Where-Object {{ $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $ID[0]
Simply deploy this script via Intune and it will backup the key that was put in place from your initial pre-encryption process. The recovery key will then be accessible via Intune.
Proactive Remediation scripts
Detection script:
Try {
$Result = get-winevent -FilterHashTable @{LogName="Microsoft-Windows-BitLocker/BitLocker Management";StartTime=(get-date).Addseconds(-86400)}|Where-Object{($_.id -eq 846)} | ft message
$ID = $Result | measure-Object
If ($ID.Count -lt 5)
{
Write-Output "Bitlocker backup to azure add succeeded"
Exit 0
}
Else
{
Write-Output $result
Exit 1
}
}
catch
{
Write-Warning "Value Missing"
Exit 1
}
Remediation script
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
Escrow key failed to upload the on AAD
If the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so.
try{
$BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$KPID=""
foreach($KP in $BitlockerVol.KeyProtector){
if($KP.KeyProtectorType -eq "RecoveryPassword"){
$KPID=$KP.KeyProtectorId
break;
}
}
$output = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KPID
return $true
}
catch{
return $false
}
Scope tags determine which objects admins can see; Intune scope tags allow you to manage a large organizations IT infrastructure while giving each department/region/sub company/… the flexibility to configure their own settings. Scope tags in Microsoft Intune allow administrators to divide devices in their organization into logical groups. These groups, also known as tags, can be used to make certain settings, applications, and policies available only to specific users or devices. By using Intune scope tags, you can streamline your IT infrastructure, improve security, and make your life easier.
Intune scope tags
What’s an Intune scope tag?
A scope tag assigns an Intune configuration (e.g. device configuration, compliance policy, mobile app or managed device) to one or more specific management scope(s)
Create Scope Tag
First of all, we have to create one or more scope tag. Go to Intune → Roles → Scope Tags. There you can create custom Scope Tags.
Use Roles
What is a role? Roles are a bunch of settings to allow administrators very specific tasks to do in Intune. A role has two sections. Permissions and Assignments
Within the permissions you can – how obviously – define which permissions you want to delegate
Within the Assignment you’ll have three sections:
• Members: Who will get the new permission
• Scope (Groups): Which groups should be managed. This can be a device and/or user group
• Scope (Tags): Which tag will apply.
You can have multiple assignments in one Role. But let’s keep it simple and use only one assignment
Let’s create a new Role. Go to Intune → Roles → All Roles and add a new role
Cloud attach allows organizations to use MECM to manage devices that are enrolled in Microsoft Intune, without the need to install the MECM client on the device. This allows organizations to take advantage of the advanced management capabilities of MECM, while still using Intune for device enrollment and basic management tasks
Co-management, on the other hand, allows organizations to use both MECM and Intune to manage the same set of devices. With co-management, organizations can use MECM for traditional device management tasks, such as deploying software and updates, while using Intune for modern management tasks, such as mobile device management and conditional access.
Pre-requisites
• Azure Active Directory Premium
• An Azure Account that is global admin and has got a Microsoft Intune subscription.
• Configure a hybrid Azure AD join using Azure AD Connect
• Configure Client Settings to direct clients to register with Azure AD
• Configure auto-enrollment of devices to Intune.
• Setting up Co-management in MECM
Configure a hybrid Azure AD join using Azure AD Connect
•Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD
•Open the Configuration Manager console and go to: \Administration\Overview\Client Settings.
•Edit the default Client settings and select Cloud Services, set Automatically register new Windows 10 domain joined devices with Azure Active Directory to = Yes. Select OK.
Configure auto-enrollment of devices to Intune.
With automatic enrollment, devices you manage with Configuration Manager automatically enroll with Intune.
Automatic enrollment also lets users enroll their Windows 10 devices to Intune. Devices enroll when a user adds their work account to their personally owned device, or when a corporate-owned device is joined to Azure Active Directory
Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
Configure MDM user scope. Specify one of the following to configure which users’ devices are managed by Microsoft Intune and accept the defaults for the URL values.
•Some: Select the Groups that can automatically enroll their Windows 10 devices
•All: All users can automatically enroll their Windows 10 devices
•None: Disable MDM automatic enrollment
We can select All or specific the group where the devices are part of cloud attach or co-management collection
Setting up Co-management in MECM
Open your MECM console and go to: \Administration\Overview\Cloud Services\Co-management and click on Configure co-management.
Click Sign In.
Sign in with the Intune organizational account (this account has got to have a Enterprise Mobility + Security (EMS) Subscription). It also must have Global Administrator Rights in Azure AD tenant.
Click Yes to accept the Create AAD Application notification.
Select All my devices managed by MECM or select a specific collection. And check Enable Endpoint Analytics for devices uploaded to MECM. Click Next >.
Now select how you want to automatic enroll your devices in Intune:
1.None of your devices.
2.Pilot a collection of devices, In the case of Pilot, you can select which collections to add from your list
3.All of the devices that are managed by MECM.
Now lets select what workloads we want Intune to manage instead of MECM. Slide al of the workloads to the Pilot Intune, so we can assign each workload to different collections.
Once the workload is applied, you can verify it through Microsoft Endpoint Manager admin center, and navigate to Devices > Windows > Windows devices. Click on the device and we can see the information under Co-management.
