Store bitlocker recovery key to Azure AD
Question
Hello,
Would like to know if there is any possibility to store the BitLocker recovery key from the SCCM database in Azure AD, or at both locations (SCCM DB & Azure AD) at the same time.
Thanks.
Answers (5)
I am not sure if I have understood your question. But recently I have backed up the BitLocker keys from SCCM devices to Azure AD.
#region declarations
$DriveLetter = $env:SystemDrive
#endregion declarations

#region functions
function Test-Bitlocker ($BitlockerDrive) {
    # Tests the drive for existing BitLocker key protectors
    try {
        Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
    } catch {
        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
        exit 0
    }
}

function Get-KeyProtectorId ($BitlockerDrive) {
    # Fetches the key protector ID of the drive's RecoveryPassword protector
    $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
    $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    return $KeyProtector.KeyProtectorId
}

function Invoke-BitlockerEscrow ($BitlockerDrive, $BitlockerKey) {
    # Escrow the key into Azure AD
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $BitlockerKey -ErrorAction SilentlyContinue
        Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
        exit 0
    } catch {
        Write-Error "This should never have happened? Debug me!"
        exit 1
    }
}
#endregion functions

#region execute
Test-Bitlocker -BitlockerDrive $DriveLetter
$KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId
#endregion execute
Reference: https://github.com/mardahl/PSBucket/blob/master/Invoke-EscrowBitlockerToAAD.ps1
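As an added example (not the answer's script and not the linked PSBucket code), the same escrow generalised to every protected volume and every RecoveryPassword protector on the device, followed by a check of the BitLocker event log so the "verify manually" step is no longer needed. It assumes the device is Azure AD joined or hybrid joined, that it runs elevated on the client itself, and that the BitLocker-API channel name and event IDs 845 (success) / 846 (failure) are correct for your build.

```powershell
# Added example: escrow all RecoveryPassword protectors on all protected volumes
# to Azure AD and confirm via the BitLocker event log. Run elevated on the client.
$since = Get-Date

$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
if (-not $volumes) {
    Write-Output 'No BitLocker-protected volumes found; nothing to escrow.'
    exit 0
}

$results = foreach ($vol in $volumes) {
    # A volume can carry more than one recovery password; escrow all of them,
    # otherwise a stale protector may be the only one stored in Azure AD.
    $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        [pscustomobject]@{ Drive = $vol.MountPoint; ProtectorId = $null; Escrowed = $false; Note = 'no RecoveryPassword protector' }
        continue
    }
    foreach ($p in $protectors) {
        try {
            # -ErrorAction Stop so a failed backup lands in the catch block instead of being swallowed
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $ok = $true; $note = ''
        } catch {
            $ok = $false; $note = $_.Exception.Message
        }
        [pscustomobject]@{ Drive = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Escrowed = $ok; Note = $note }
    }
}

# Independent confirmation from the BitLocker-API provider: 845 = recovery information
# backed up to Azure AD, 846 = backup failed (channel name and IDs are assumptions; verify on your build).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $since
} -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize
$events | Select-Object TimeCreated, Id, Message | Format-List

# Non-zero exit so SCCM/Intune marks the deployment as failed if any protector was not escrowed
if ($results | Where-Object { -not $_.Escrowed }) { exit 1 } else { exit 0 }
```

On a hybrid-joined device the same cmdlet works; the key lands in the device object in Azure AD, while AD DS escrow is governed separately by the BitLocker group policy.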
Correct, something like this which I was looking for. Thanks for your reply.
So it means we don't have an out-of-the-box option to store BitLocker recovery keys from the SCCM DB in Azure AD. Please correct me if I am wrong.
Can you please help me to know the prerequisites from the Azure AD end to run the above PS script? Is co-management required for this? Where should the PS script be run, I mean on the SCCM server or on an Azure AD VM? Please guide.
Thanks.
Also, please suggest whether it is possible to sync recovery keys from Active Directory to Azure Active Directory in the case of a hybrid scenario.
Thank you for your reply.
So is there any other backup/restore option for BitLocker recovery keys, apart from SCCM database backup or backup through a maintenance task, when recovery keys are stored in the SCCM DB through the BitLocker management feature?
I don't think there is an option to store the SCCM BitLocker recovery key in Azure Active Directory. There are two options available:
1. SCCM DB
2. Active Directory Domain Services