Tuesday 12 December 2023

Intune & Bitlocker

Intune only escrows the recovery key when it is the component that enabled BitLocker in the first place (i.e. after the user signs in). If the BitLocker profile is deployed to a system that is already encrypted, Intune will not upload the existing key. To make this work you need the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector. It takes the KeyProtectorId of the recovery password as a parameter, so a few lines of code get the job done. I am using index 0 of the array in case there are multiple recovery keys on the drive (more on that in the next section).


$BLV = Get-BitLockerVolume -MountPoint "C:"
# Collect the IDs of every RecoveryPassword protector on the drive
[array]$ID = ($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
# Escrow the first recovery password to Azure AD
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $ID[0]


Simply deploy this script via Intune and it will back up the key that was put in place by your initial pre-encryption process. The recovery key will then be visible in Intune.

Proactive Remediation scripts

Detection script:

Try {
    # Event 846 in the BitLocker Management log is written when a recovery key
    # fails to back up to Azure AD; look for any raised in the last 24 hours
    $Result = Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-BitLocker/BitLocker Management"
        StartTime = (Get-Date).AddSeconds(-86400)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Id -eq 846 }
    $ID = $Result | Measure-Object
    # Count the event objects themselves (not Format-Table output): no failure
    # events in the window means the backup is healthy
    If ($ID.Count -eq 0)
    {
        Write-Output "Bitlocker backup to Azure AD succeeded"
        Exit 0
    }
    Else
    {
        # Hand the failure messages back to Intune and trigger remediation
        Write-Output ($Result | Select-Object -ExpandProperty Message)
        Exit 1
    }
}
catch
{
    Write-Warning "Value Missing"
    Exit 1
}

Remediation script:

# Pick the RecoveryPassword protector by type rather than by a fixed index:
# the TPM protector is usually first, but the order is not guaranteed
$BLV = Get-BitLockerVolume -MountPoint "C:"
$RecoveryId = ($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })[0].KeyProtectorId
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RecoveryId

Escrow key failed to upload to AAD

Sometimes the escrow process is interrupted the first time around by network or local device issues and never resumes. To get around this, push a PowerShell script to the devices that forces the recovery keys to be escrowed to AAD again. Here is a script to do so.


try {
    $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # Find the first RecoveryPassword protector on the system drive
    $KPID = ""
    foreach ($KP in $BitlockerVol.KeyProtector) {
        if ($KP.KeyProtectorType -eq "RecoveryPassword") {
            $KPID = $KP.KeyProtectorId
            break
        }
    }
    if ([string]::IsNullOrEmpty($KPID)) {
        throw "No RecoveryPassword protector found on $env:SystemDrive"
    }
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $KPID -ErrorAction Stop | Out-Null
    # Exit code 0 tells Intune the script succeeded (a bare 'return $true'
    # at script level would also exit with 0, hiding failures)
    exit 0
}
catch {
    Write-Error $_
    # Non-zero exit code so Intune reports the device as failed
    exit 1
}
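As an added example that is not from the original post, the following script combines the detection and remediation ideas above: it escrows every RecoveryPassword protector on every protected volume, then queries the BitLocker Management log for any event 846 raised during the run, and returns a non-zero exit code so an Intune remediation records the failure. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector) is present and the device is Azure AD joined or registered.

```powershell
# Added example: escrow every RecoveryPassword protector on every protected
# volume, then confirm from the BitLocker Management log that no backup
# failure (event 846) was raised during the run. Exit 1 on any problem so an
# Intune remediation reports it.
$ErrorActionPreference = 'Stop'
$started  = Get-Date
$failures = @()

$volumes = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' })
if ($volumes.Count -eq 0) { Write-Output 'No protected volumes found'; exit 0 }

foreach ($vol in $volumes) {
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # A protected volume with no recovery password has nothing to escrow
        # and is itself a recovery risk, so report it instead of passing
        $failures += "$($vol.MountPoint): no RecoveryPassword protector"
        continue
    }
    # Back up every recovery password, not just index 0, so a drive with
    # several keys has all of them available in Intune
    foreach ($kp in $recovery) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        } catch {
            $failures += "$($vol.MountPoint) $($kp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# Independent check: any 846 logged since the run began means a backup failed
# even if the cmdlet returned without throwing
$failed846 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 846
    StartTime = $started
} -ErrorAction SilentlyContinue
foreach ($ev in $failed846) { $failures += "Event 846: $($ev.Message)" }

if ($failures.Count -gt 0) {
    Write-Output ($failures -join "`n")
    exit 1
}
Write-Output "Escrowed recovery keys for $($volumes.Count) volume(s) to Azure AD"
exit 0
```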

