How to manage BitLocker on an Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD, either manually or by using a provisioning package, BitLocker will be enabled automatically if your device meets the necessary prerequisites. However, in the case that BitLocker is disabled, this is how you enable BitLocker, save the BitLocker key protector (also known as the recovery key) to AAD, and recover the key if you ever need it. So this blog post is for both the end user and the IT pro, I guess.

In this scenario we have configured a Device Compliance Policy in Intune that requires encryption of data storage on devices, and assigned the policy to all mobile users.


Now, from the user side, they will receive a notification that their device is not compliant with company policy and that encryption is required. Click on the notification to start the encryption process.


Make sure you do not have any other device encryption software installed and click Yes.


Make sure that you save the recovery key to your cloud account. You will be notified that the recovery key is saved.



Choose the new encryption mode (which is XTS-AES 128).


Start encryption and go to a long lunch. This can take some time, but you can keep working as normal while the encryption process runs.


Confirm that the encryption process is complete.


Now the encryption process is done and your data is secure. But how do we recover the drive in the case where we lose access to it? Well, the key is stored in AAD and can be recovered easily by the end user themselves or by an administrator.

To retrieve the recovery key go to the following link and login with your corporate credentials (Work/School-account):
https://account.activedirectory.windowsazure.com/r/#/profile 

Find your computer by name and click on retrieve BitLocker keys.




You can do the same in Azure Active Directory by going to https://portal.azure.com. Go to Users and Groups and search for the user.




And there you go. There is no way to automate the encryption process from Intune, but I hope that at some point we will be able to execute PowerShell scripts, so that we could automate the process. As far as I know this only works with Windows 10 1703 and up, because the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which you need in order to save the recovery key to AAD, is only available in 1703 and later. If you want to experiment with PowerShell, here is the script I created. It works and simply does the same as the manual steps above.

# Enable BitLocker on the OS drive with a recovery password protector (XTS-AES 128, used space only)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
# Select the recovery password protector by type rather than by its position in the KeyProtector list
$RecoveryProtector = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
# Escrow the recovery password to Azure AD
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RecoveryProtector.KeyProtectorId
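A more defensive version of the same procedure, written as an added example and not the script from this post: it binds the OS drive to the TPM so the user is not prompted for the recovery password at every boot, picks the recovery password protector by its type rather than its position in the KeyProtector list, escrows every recovery protector to AAD with error handling, and prints the resulting volume state. It assumes an elevated PowerShell session on a Windows 10 1703 or later device that is Azure AD joined and has a TPM; the $MountPoint parameter name is my own.

```powershell
# Added example (not the author's script): enable BitLocker on the OS drive and escrow the
# recovery password to Azure AD, selecting key protectors by type instead of list position.
# Assumes: elevated session on a Windows 10 1703+ device that is Azure AD joined and has a TPM.
#Requires -RunAsAdministrator
param([string]$MountPoint = "C:")

Import-Module BitLocker -ErrorAction Stop

$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Bind the OS drive to the TPM; without this the recovery password would be required at boot.
if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -UsedSpaceOnly `
            -SkipHardwareTest -TpmProtector -ErrorAction Stop | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector -ErrorAction Stop | Out-Null
    }
}

# Add a recovery password protector if none exists yet; this is the protector escrowed to AAD.
$volume = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
}

# Escrow every recovery password protector (a volume can have more than one) and report each result.
$volume = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
foreach ($protector in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output ("Backed up recovery protector {0} to Azure AD." -f $protector.KeyProtectorId)
    } catch {
        Write-Warning ("Backup of protector {0} failed: {1}" -f $protector.KeyProtectorId, $_.Exception.Message)
    }
}

# Final state check: encryption method, protection status and how far encryption has progressed.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Run it again after encryption has finished to confirm ProtectionStatus is On and EncryptionMethod is XtsAes128.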

Stay tuned for more posts.

And do not forget to leave a comment if you have any questions.

/Marius


Comments:

  1. Tobi says:

    Nice Posting and nice cmdlet!

    For bulk AAD joined devices that are not assigned to a specific user it also works using the cmdlet “BackupToAAD-BitLockerKeyProtector”. The event log says successfully backed up. But how can we then access the recovery key? Any ideas?
