Tuesday 12 December 2023

SCCM - SQL Query to find Configuration Item Compliance Status for Specific Collection

-- 1033 = en-US, the locale used for the ComplianceStateName text
-- The WHERE filter on CI and FM columns discards the unmatched rows a right join
-- would have produced, so plain inner joins give the same result set.
select distinct VRS.Netbios_Name0, CI.ComplianceStateName
from v_R_System VRS
join v_FullCollectionMembership_Valid FM on VRS.ResourceID = FM.ResourceID
join fn_ListCI_ComplianceState(1033) CI on VRS.ResourceID = CI.ResourceID
where CI.CI_ID = 456414            -- Specify CI ID
and FM.CollectionID = 'CM100011'  -- Specify Collection ID

SCCM - SQL Query to get Scan Failed Device Details

select distinct
    sys.Name0 as [Computer Name],
    os.Caption0 as [OS],
    convert(nvarchar(26), ws.LastHWScan, 100) as [LastHWScan],
    convert(nvarchar(26), sys.Last_Logon_Timestamp0, 100) as [Last Loggedon time Stamp],
    sys.User_Name0 as [Last User Name],
    uss.LastErrorCode,
    uss.LastScanPackageLocation
from v_R_System sys
inner join v_GS_OPERATING_SYSTEM os on os.ResourceID = sys.ResourceID
inner join v_GS_WORKSTATION_STATUS ws on ws.ResourceID = sys.ResourceID
inner join v_UpdateScanStatus uss on uss.ResourceID = sys.ResourceID
where uss.LastErrorCode <> 0   -- 0 = last software update scan succeeded
order by uss.LastErrorCode

Intune & Bitlocker

Intune only escrows the recovery key when it is the component that enabled BitLocker in the first place (i.e. after the user signs in and the profile applies). If the BitLocker profile is deployed to a system that is already encrypted, Intune does not add its own key protector and nothing is escrowed. To get the existing key into Intune you need the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector from the BitLocker module. It takes the KeyProtectorId of the RecoveryPassword protector as a parameter, so a few lines of code get the job done. I am using index 0 of the array just in case there are multiple recovery keys on the drive (more on that in the next section).


# Get-BitLockerVolume already returns the full object; no 'select *' needed
$BLV = Get-BitLockerVolume -MountPoint "C:"
# KeyProtector can hold several RecoveryPassword entries, so force an array
[array]$ID = ($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
# Escrow the first recovery password to Azure AD (the device must be Azure AD joined or registered)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $ID[0]


Simply deploy this script via Intune and it will back up the key that was put in place by your initial pre-encryption process. The recovery key will then be accessible via Intune.

Proactive Remediation scripts

Detection script:

Try {
    # Event 846 in the BitLocker Management log is written when a recovery password
    # failed to be backed up to Azure AD; count the ones from the last 24 hours.
    # Get-WinEvent writes a non-terminating error when nothing matches, so that case
    # leaves $Result empty instead of landing in the catch block.
    $Result = Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-BitLocker/BitLocker Management"; Id = 846; StartTime = (Get-Date).AddSeconds(-86400)} -ErrorAction SilentlyContinue
    # Measure the event objects themselves, not Format-Table output
    $ID = $Result | Measure-Object
    If ($ID.Count -lt 5)
    {
        Write-Output "BitLocker backup to Azure AD succeeded"
        Exit 0
    }
    Else
    {
        # The first line of output is what the Intune console shows, so emit the messages
        Write-Output ($Result | Select-Object -ExpandProperty Message)
        Exit 1
    }
}
catch
{
    Write-Warning "Value Missing"
    Exit 1
}

Remediation script

$BLV = Get-BitLockerVolume -MountPoint "C:"
# Select the protector by type, not by position: [1] is only the recovery password when the volume has exactly TPM then RecoveryPassword
$RP = @($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RP[0].KeyProtectorId

Escrow key failed to upload to AAD

Sometimes the escrow process is interrupted the first time, by a network or local device issue, and is never retried. To work around this, push a PowerShell script to the devices that forces the recovery keys to be escrowed to AAD. Here is a script to do so.


try {
    $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # Find the first RecoveryPassword protector on the OS drive
    $KPID = ""
    foreach ($KP in $BitlockerVol.KeyProtector) {
        if ($KP.KeyProtectorType -eq "RecoveryPassword") {
            $KPID = $KP.KeyProtectorId
            break
        }
    }
    if (-not $KPID) { throw "No RecoveryPassword protector on $env:SystemDrive" }
    # -ErrorAction Stop turns a cmdlet failure (device not Azure AD joined, no network)
    # into a terminating error so it reaches the catch block
    $output = BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $KPID -ErrorAction Stop
    return $true
}
catch {
    return $false
}
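The three snippets above all escrow one protector on C:, picked by index. The following is an added example, not code from the original post, that does the same job across every BitLocker-protected volume and every RecoveryPassword protector on it, adds a recovery password where a volume has none, escrows with -ErrorAction Stop so failures are recorded instead of skipped, and reads the outcome back from the BitLocker Management log. It is written as a single file that serves as both halves of a Proactive Remediation: upload it as-is for detection and a second copy with $Remediate = $true for remediation. The cmdlets, log name and event IDs are the real ones; the function names, the $Remediate variable and the 24-hour look-back window are assumptions of this example.

```powershell
# Added example (not from the original post). Detection by default; remediation
# when $Remediate is $true. Function names and $Remediate are this example's own.

$Remediate      = $false   # set to $true in the copy uploaded as the remediation script
$LookbackHours  = 24       # assumed interval between detection runs
$LogName        = 'Microsoft-Windows-BitLocker/BitLocker Management'
$EscrowFailedId = 846      # "...failed to be backed up to your Azure AD"

function Get-ProtectedVolume {
    # Volumes holding BitLocker key material: fully encrypted, still encrypting,
    # or suspended. FullyDecrypted volumes have nothing to escrow.
    Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
}

function Get-RecoveryPasswordProtector {
    param($Volume)
    # A volume may carry zero, one or several recovery passwords
    $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Get-EscrowFailureEvent {
    param([datetime]$Since)
    # Get-WinEvent writes a non-terminating error when nothing matches; silence it
    # so "no failures" comes back as nothing instead of an error record.
    $filter = @{ LogName = $LogName; Id = $EscrowFailedId; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Test-RecoveryPasswordEscrow {
    # Detection: one line per problem; an empty list means compliant.
    $problems = [System.Collections.Generic.List[string]]::new()
    foreach ($vol in Get-ProtectedVolume) {
        if (@(Get-RecoveryPasswordProtector $vol).Count -eq 0) {
            $problems.Add("No RecoveryPassword protector on $($vol.MountPoint)")
        }
    }
    foreach ($ev in Get-EscrowFailureEvent -Since (Get-Date).AddHours(-$LookbackHours)) {
        $first = ($ev.Message -split "`r?`n")[0]
        $problems.Add("Event $($ev.Id) at $($ev.TimeCreated): $first")
    }
    return $problems
}

function Invoke-RecoveryPasswordEscrow {
    # Remediation: one result object per protector; a failure on one protector
    # is recorded and the loop continues with the next.
    foreach ($vol in Get-ProtectedVolume) {
        $protectors = @(Get-RecoveryPasswordProtector $vol)
        if ($protectors.Count -eq 0) {
            # Nothing to escrow yet: add a recovery password (cmdlet returns the updated volume)
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector -ErrorAction Stop
            $protectors = @(Get-RecoveryPasswordProtector $vol)
        }
        foreach ($kp in $protectors) {
            $result = [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                Succeeded      = $false
                Error          = $null
            }
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $result.Succeeded = $true
            }
            catch {
                $result.Error = $_.Exception.Message
            }
            $result
        }
    }
}

if ($Remediate) {
    try { $results = @(Invoke-RecoveryPasswordEscrow) }
    catch { Write-Output "Escrow aborted: $($_.Exception.Message)"; exit 1 }
    foreach ($r in $results) {
        $state = if ($r.Succeeded) { 'escrowed' } else { "FAILED: $($r.Error)" }
        Write-Output "$($r.MountPoint) $($r.KeyProtectorId) $state"
    }
    if (@($results | Where-Object { -not $_.Succeeded }).Count -eq 0) { exit 0 } else { exit 1 }
}

$problems = Test-RecoveryPasswordEscrow
if ($problems.Count -eq 0) {
    Write-Output "Recovery password present on all protected volumes; no event $EscrowFailedId in the last $LookbackHours h"
    exit 0
}
Write-Output ($problems -join '; ')   # first line of output is what the Intune console shows
exit 1
```

Two deployment notes: set "Run script in 64-bit PowerShell" to Yes, because the BitLocker module is not available to the 32-bit host that Proactive Remediations use by default, and keep the default SYSTEM context, which is what the cmdlets need to read the protectors. Re-escrowing an already-escrowed protector is harmless (the same recovery password is uploaded again), so the detection side deliberately keys off failures and missing protectors rather than trying to prove a past success from a log that may have rolled over.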


SCCM SQL Query to get BitLocker Recovery Key

  SELECT cm.Name, ck.RecoveryKeyId, cv.VolumeGuid, cvt.TypeName AS 'Volume Type', RecoveryAndHardwareCore.DecryptString(ck...