Move Bitlocker Management to Intune Part 2

In part 1 we had a look at:

  • How to export Bitlocker info from MBAM
  • How to export Bitlocker info from Active Directory
  • How to export an encryption report using Intune

In this part we will:

  • Deploy a PowerShell script to have our devices upload their Bitlocker info to Entra ID.
  • Deploy a disk encryption policy to make sure that new devices, and any devices that are currently unencrypted, are encrypted according to policy.

Let’s get to it!

We will start off by deploying a simple PowerShell script to have our currently encrypted devices upload Bitlocker info to Azure AD. The Bitlocker info will be available on each device object in AAD and Intune.

  1. Create a .PS1 file and add the command below.
  2. Name the file: “BackupToAAD-BitLockerKeyProtector.ps1”
  3. Save the file (we will need it soon).

```powershell
# Upload the BitLocker recovery password to Azure AD, if the OS drive is encrypted
# (the loop simply does nothing when no RecoveryPassword protector exists, so the script does not error on unencrypted drives).
# My recommendation is to use Intune to deploy the script.
$protectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
foreach ($protector in $protectors) { BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $protector.KeyProtectorId }
```

Optional: Create an Azure AD dynamic device group to fetch all of your MDM-managed Windows 10 devices. You may use any existing group if you have one. I recommend that you start with a group containing a few pilot devices.

Create a Dynamic Device Entra ID group

  1. Open the Microsoft Entra admin center.
  2. Click: “Groups” -> “New Group”
  3. Group type: “Security”
  4. Group name: “MDM – All Windows 10”
  5. Group description: “All MDM and Co-Managed Windows 10 devices”
  6. Membership type: “Dynamic device”
  7. Click: “Add dynamic query”
  8. Click: “Edit” (far to the right side of the blade)
  9. Add rule: (device.deviceOSVersion -startsWith "10.0") and (device.deviceOSType -startsWith "Windows") and (device.managementType -eq "MDM")
  10. Click: “OK”
  11. Click: “Save”
  12. Click: “Create”
  13. Now we must wait for the group evaluation to complete; in my experience this takes about 15 minutes.
  14. Visit the group after 15 minutes and you should have a value at “Membership last updated”, and all of your Windows 10 devices should be members of the group.

Now that we have a group (containing either pilot devices or all MDM-managed Windows 10 devices) we are ready to deploy the PowerShell script that uploads BitLocker info to Azure AD.

Create and deploy the PowerShell script

Note! This step is not strictly needed, as the disk encryption policy that we will create later on should do the trick, but I have seen a much better success ratio when adding this quick step.

  1. Start a web browser and sign in to the Intune portal. I am always using Microsoft Edge.
  2. Navigate to: “Devices” -> “Scripts” -> “Add” and choose “Windows 10”
  3. Choose a fitting name. In this demo I will name the script: “W10 – BackupToAAD-BitLockerKeyProtector”
  4. Click: “Next”
  5. Script location: Upload “BackupToAAD-BitLockerKeyProtector.ps1”
  6. Click: “Next”
  7. Click: “Add groups”
  8. Choose: “MDM – All Windows 10” or a pilot group.
  9. Click: “Next”
  10. Click: “Add”

We have now deployed a script to upload the system drive Bitlocker recovery password to Azure AD.

Optional: Check the script deployment status from a Windows 10 device.

  1. Log on to a Windows 10 device to which we deployed the “BackupToAAD-BitLockerKeyProtector” script.
  2. Open: “Company Portal”
  3. Click: “Settings”
  4. Click: “Sync” (this will initiate a policy sync with Intune)
  5. Wait a couple of minutes to allow the sync to complete and the script to run.
  6. Open “Event Viewer”
  7. Navigate to: “Applications and Services Logs” -> “Microsoft” -> “Windows” -> “BitLocker-API” -> “Management”
  8. Look for and click: “Event ID: 845”
  9. You should see that the BitLocker info has been successfully uploaded to Azure AD.
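
The same check can be scripted, which is handy when you want to verify a whole pilot group without clicking through Event Viewer on every device. The script below is an added example and is not part of the original post: it reads the OS drive's BitLocker state with Get-BitLockerVolume, counts the RecoveryPassword protectors (the script above has nothing to upload without one), and looks for Event ID 845 in the same BitLocker-API > Management log the steps above point to. It assumes, as the post describes, that Event ID 845 marks a successful backup to Azure AD, and it must be run elevated. The exit codes are a constructed convention so that Intune or a monitoring tool can flag devices that still need attention.

```powershell
# Added example (not from the original post): verify on one Windows 10 device that the
# OS drive is protected, that a RecoveryPassword protector exists, and that Event ID 845
# (recovery info backed up to Azure AD) has been logged. Run elevated.
$mountPoint = $env:SystemDrive
$volume     = Get-BitLockerVolume -MountPoint $mountPoint

$result = [ordered]@{
    MountPoint         = $mountPoint
    ProtectionStatus   = $volume.ProtectionStatus   # On / Off
    VolumeStatus       = $volume.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
    EncryptionMethod   = $volume.EncryptionMethod
    RecoveryProtectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    BackedUpToAAD      = $false
    LastBackupEvent    = $null
}

# Event ID 845 lives in Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management.
# Assumption (as the post states): 845 = recovery information successfully backed up to Azure AD.
$filter = @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845
}
# Get-WinEvent raises a non-terminating error when no event matches; treat that as "not backed up yet".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated -Descending

if ($events) {
    $result.BackedUpToAAD   = $true
    $result.LastBackupEvent = $events[0].TimeCreated
}

[pscustomobject]$result | Format-List

# Constructed exit-code convention: non-zero means the device needs attention.
if ($result.ProtectionStatus -ne 'On') { Write-Warning "BitLocker protection is not On for $mountPoint"; exit 1 }
if ($result.RecoveryProtectors -eq 0)  { Write-Warning "No RecoveryPassword protector on $mountPoint, nothing to escrow"; exit 2 }
if (-not $result.BackedUpToAAD)        { Write-Warning "No Event ID 845 found, recovery password not yet backed up to Azure AD"; exit 3 }
exit 0
```

Exit code 2 is the case worth watching during a migration: a drive that was encrypted by MBAM but has had its recovery password protector removed has nothing for the upload script to send, and the disk encryption policy created in the next section is what adds one.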

Disk Encryption Policy

Let’s create the disk encryption policy. This is where the magic happens and after implementing this step we will be able to disable any traditional Bitlocker/MBAM group policy objects!

Note! Remember to deploy this policy to a pilot group with just a few devices initially.

  1. Start a web browser and sign in to the Intune portal. I am always using Microsoft Edge.
  2. Navigate to: “Endpoint security” -> “Disk encryption”
  3. Click: “Create Policy”
  4. Platform: “Windows 10 and later”
  5. Profile: “Bitlocker”
  6. Click: “Create”
  7. Choose a fitting name. In this demo I use the name: “W10 – Bitlocker Encryption Policy”
  8. You will need to configure the settings as per your specific needs. In this demo I use these settings:
  9. Click: “Next”
  10. On the Scope tags blade click: “Next”
  11. On the Assignments blade click: “Add groups”
  12. I recommend that you choose a pilot group to begin with, but in this demo I will assign the policy to “MDM – All Windows 10”
  13. Click: “Next”
  14. Click: “Create”

There it is. We have created a disk encryption policy that will encrypt our Windows 10 devices with BitLocker. I recommend that you disable any group policy objects only after testing this policy thoroughly. You may retire any MBAM servers when you are comfortable with doing so.
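
Before disabling the BitLocker/MBAM group policy objects or retiring MBAM, it is worth confirming tenant-wide that every Windows device actually has a recovery key escrowed in Azure AD, rather than relying on spot checks of single devices. The script below is an added example and is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the BitLockerKey.ReadBasic.All and Device.Read.All scopes; the Get-GraphCollection helper is a hypothetical name introduced here for paging. It reads only key metadata (key id, device id, creation time) from the informationProtection/bitlocker/recoveryKeys endpoint, never the recovery password itself, and joins it against the Windows devices registered in Entra ID to list the ones still missing a key.

```powershell
# Added example (not from the original post): report which Windows devices in the tenant
# have no BitLocker recovery key escrowed in Azure AD / Entra ID.
# Assumes the Microsoft.Graph PowerShell SDK and the scopes below. Only key metadata is read.
Connect-MgGraph -Scopes 'BitLockerKey.ReadBasic.All', 'Device.Read.All' | Out-Null

# Hypothetical helper: follow @odata.nextLink paging for a Graph collection.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Recovery key metadata. This endpoint returns id/deviceId/createdDateTime, not the key material.
$keys = Get-GraphCollection 'https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys'
$devicesWithKey = @{}
foreach ($k in $keys) {
    # Keep the newest key per device so the report shows when escrow last happened.
    if (-not $devicesWithKey.ContainsKey($k.deviceId) -or $devicesWithKey[$k.deviceId] -lt $k.createdDateTime) {
        $devicesWithKey[$k.deviceId] = $k.createdDateTime
    }
}

# 2. All Windows devices registered in Entra ID (deviceId here matches the key's deviceId).
$devices = Get-GraphCollection "https://graph.microsoft.com/v1.0/devices?`$filter=operatingSystem eq 'Windows'&`$select=deviceId,displayName,operatingSystemVersion"

# 3. Join the two and flag devices that still have no escrowed key.
$report = foreach ($d in $devices) {
    [pscustomobject]@{
        DisplayName = $d.displayName
        OSVersion   = $d.operatingSystemVersion
        HasKey      = $devicesWithKey.ContainsKey($d.deviceId)
        KeyCreated  = $devicesWithKey[$d.deviceId]
    }
}

$report | Sort-Object HasKey, DisplayName | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.HasKey })
Write-Host ("{0} of {1} Windows devices have no BitLocker recovery key in Entra ID" -f $missing.Count, $report.Count)
```

Devices listed with HasKey = False are the ones to target with the pilot group for the upload script or the disk encryption policy before the GPOs are switched off; once the count reaches zero for the in-scope devices, the MBAM dependency is gone.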

In part 3 we will look at the different ways to get the Bitlocker recovery password from an admin and end-user perspective.

You will find part 1 of this series here
You will find part 3 of this series here

//Nicklas Ahlberg

One thought on “Move Bitlocker Management to Intune Part 2”

  1. After you have backed up the recovery key to Azure AD with the script, will “rotation on Azure AD and Hybrid-joined devices” work from Intune when a recovery key is used?
    Or will the recovery key be the same until the client is reinstalled and Bitlocker is set up directly from Intune?

    Should the MBAM agent and MBAM GPO be removed as soon as the recovery key is backed up?
