Store bitlocker recovery key to Azure AD

Question

Hello,

I would like to know whether there is any possibility to store the BitLocker recovery key from the SCCM database in Azure AD, or at both locations (SCCM DB & Azure AD) at the same time.

Thanks.

Asked by Parag on 2022-03-04T21:09:01+05:30 (5 answers, 164 views)

Answers ( 5 )

    0
    2022-03-07T18:47:05+05:30

    I am not sure if I have understood your question. But recently I have backed up the BitLocker recovery keys from SCCM devices to Azure AD.

    #region declarations

    # Escrow the recovery password of the OS drive (normally C:)
    $DriveLetter = $env:SystemDrive

    #endregion declarations

    #region functions

    function Test-Bitlocker ($BitlockerDrive) {
        # Tests the drive for existing BitLocker key protectors; exits if the volume is not BitLocker-enabled
        try {
            Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop | Out-Null
        } catch {
            Write-Output "BitLocker was not found protecting the $BitlockerDrive drive. Terminating script!"
            exit 0
        }
    }

    function Get-KeyProtectorId ($BitlockerDrive) {
        # Fetches the key protector ID of the drive's recovery password protector
        $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
        $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        return $KeyProtector.KeyProtectorId
    }

    function Invoke-BitlockerEscrow ($BitlockerDrive, $BitlockerKey) {
        # Escrow the key into Azure AD; the cmdlet's own errors are suppressed, so the result must be verified manually
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $BitlockerKey -ErrorAction SilentlyContinue
            Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
            exit 0
        } catch {
            Write-Error "This should never have happened? Debug me!"
            exit 1
        }
    }

    #endregion functions

    #region execute

    Test-Bitlocker -BitlockerDrive $DriveLetter
    $KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
    Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId

    #endregion execute

    Reference: https://github.com/mardahl/PSBucket/blob/master/Invoke-EscrowBitlockerToAAD.ps1

      0
      2022-03-08T20:47:33+05:30

      Correct, something like this is what I was looking for. Thanks for your reply.

      So it means we don't have an out-of-the-box option to store BitLocker recovery keys from the SCCM DB in Azure AD. Please correct me if I am wrong.

      Can you please help me to know the prerequisites on the Azure AD side to run the above PS script? Is co-management required for this? Where should the PS script be run, I mean on the SCCM server or on an Azure AD VM? Please guide.

      Thanks.
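The escrow script above and the follow-up question about prerequisites both come down to the same points: BackupToAAD-BitLockerKeyProtector runs on the client itself (not on the SCCM server), escrows into the Azure AD tenant that the device is joined or hybrid joined to, and leaves the copy in the SCCM database untouched, so both locations end up holding the key. The block below is an added example written for this page, not the poster's script and not the referenced PSBucket script. It assumes it runs elevated on a Windows client with the BitLocker PowerShell module, checks the join state with dsregcmd, escrows every recovery password protector on every protected volume (the original handles only the system drive and assumes a single protector), reports per-protector success instead of suppressing errors, and then reads the BitLocker Management event log (IDs 845 success / 846 failure) as an independent confirmation. Function names and the ten-minute lookback window are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks plus escrow of all recovery passwords to Azure AD.
# Assumes: run locally on the Windows client, device is Azure AD joined or hybrid joined.

function Test-AzureAdJoin {
    # dsregcmd /status prints "AzureAdJoined : YES" for both Azure AD joined and hybrid joined devices
    $status = dsregcmd /status
    return [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

function Get-RecoveryPasswordProtectors {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') { return @() }
    # A volume may carry more than one recovery password; escrow all of them, not just the first
    return @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Invoke-EscrowAllVolumes {
    # Returns one record per (volume, protector) so the caller can see exactly what was escrowed
    $results = foreach ($vol in Get-BitLockerVolume) {
        $protectors = Get-RecoveryPasswordProtectors -MountPoint $vol.MountPoint
        if ($protectors.Count -eq 0) {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Result = 'NoRecoveryPassword' }
            continue
        }
        foreach ($kp in $protectors) {
            try {
                # -ErrorAction Stop makes the cmdlet's failure reach the catch block instead of being swallowed
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $outcome = 'Escrowed'
            } catch {
                $outcome = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; Result = $outcome }
        }
    }
    return $results
}

function Get-EscrowEvents {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    # BitLocker Management log: 845 = recovery info backed up to Azure AD, 846 = backup to Azure AD failed
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# --- pre-flight ---
if (-not (Get-Command BackupToAAD-BitLockerKeyProtector -ErrorAction SilentlyContinue)) {
    Write-Error 'BackupToAAD-BitLockerKeyProtector is not available on this client.'
    exit 1
}
if (-not (Test-AzureAdJoin)) {
    Write-Error 'Device is not Azure AD joined or hybrid joined; escrow to Azure AD is not possible.'
    exit 1
}

# --- escrow and verify ---
$results = Invoke-EscrowAllVolumes
$results | Format-Table -AutoSize
Get-EscrowEvents | Format-Table -AutoSize
if ($results | Where-Object { $_.Result -like 'Failed*' }) { exit 1 }
exit 0
```

Deploy it the same way as any other client-side script (an SCCM package/script, a scheduled task, or a Proactive Remediation under co-management); co-management is not a requirement of the cmdlet itself, only the join state is. The event-log check is the detail worth keeping even if the rest is trimmed, because a non-terminating error from the cmdlet otherwise looks like success.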

    0
    2022-03-07T10:15:33+05:30

    Also, please suggest whether it is possible to sync recovery keys from Active Directory to Azure Active Directory in a hybrid scenario.

    0
    2022-03-07T10:08:24+05:30

    Thank you for your reply.

    So is there any other backup/restore option for BitLocker recovery keys apart from the SCCM database backup, or backup through a maintenance task, when recovery keys are stored in the SCCM DB through the BitLocker management feature?


    I don't think there is an option to store the SCCM BitLocker recovery key in Azure Active Directory. There are two options available:

    1. SCCM DB
    2. Active Directory Domain Services
