Introduction
In today’s digital landscape, safeguarding sensitive data is paramount. BitLocker, a built-in encryption feature in Windows, provides a robust layer of protection by encrypting drives. However, ensuring that recovery keys are securely backed up is crucial, especially for workplace-joined devices where users often lack local admin rights. This blog post delves into a solution we’ve implemented to address this challenge, detailing two PowerShell scripts designed to ensure all BitLocker keys, including those on workplace-joined devices, are backed up to Azure Active Directory (Azure AD).
The Challenge
The primary challenge addressed by this solution is the unique scenario posed by workplace-joined devices. These devices typically do not back up BitLocker keys to Azure AD. This is due to how the authentication process for backing up the keys occurs. Normally, a certificate issued to the device is used to authenticate to the API to which the keys are sent. Workplace-joined devices do not have this certificate, so we must back up the keys as the logged-on user. However, admin rights are required to retrieve the keys, making this impractical. Our solution circumvents this issue by first gathering key protector details using an account with local system rights (via Intune deployment), and then performing the backup using user-level certificates. This method ensures the backup of keys even when the user lacks admin rights, thereby enhancing data recovery capabilities.
The Solution
To address this issue, we developed a two-script solution:
- **Is-Encrypted.ps1:** This script identifies BitLocker-protected volumes that are fully encrypted and checks whether their recovery keys have been backed up. It does this by searching both the event logs and a custom log file. If a key is not backed up, the script saves the KeyProtectorId and RecoveryPassword to a text file for further processing.
- **Backup-RecoveryPasswords.ps1:** This script reads the text file generated by the first script and attempts to back up the recovery keys to Azure AD. It authenticates using user-level certificates, a necessary step since only the user has access to these certificates. The script logs all operations, ensuring a comprehensive record of backup attempts and successes.
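As an added example (not the post's own Is-Encrypted.ps1 from the linked GitHub repository), the following script shows the system-context detection logic described above: fully encrypted volumes, a check of the BitLocker event log and the custom log, and a hand-off file for the user-context script, with the BackupToAAD-BitLockerKeyProtector call left commented out as the post describes. The directory, file names, the use of event ID 845 as the backup marker, and the ACL handling on the hand-off file are my assumptions.

```powershell
# Added example, not the post's own Is-Encrypted.ps1. Directory, file names and log name are assumptions.
$OutDir    = 'C:\ProgramData\BitLockerBackup'        # assumed hand-off directory
$OutFile   = Join-Path $OutDir 'unbacked-keys.csv'   # read by the user-context script
$CustomLog = Join-Path $OutDir 'backup.log'          # appended to by the user-context script
$EventLog  = 'Microsoft-Windows-BitLocker/BitLocker Management'
$BackedUpEventId = 845   # "recovery information was backed up successfully to your Azure AD"

function Get-UnbackedRecoveryProtectors {
    # Gather every record of a successful backup: event 845 messages (they carry the protector GUID) plus the custom log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $EventLog; Id = $BackedUpEventId } -ErrorAction SilentlyContinue
    $backedUp = @($events | ForEach-Object { $_.Message })
    if (Test-Path $CustomLog) { $backedUp += Get-Content $CustomLog }
    $backedUpText = $backedUp -join "`n"
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -eq 'FullyEncrypted') {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            # Protector IDs are brace-wrapped GUIDs, so a literal substring match is sufficient.
            if ($backedUpText -notmatch [regex]::Escape($kp.KeyProtectorId)) {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint
                    KeyProtectorId   = $kp.KeyProtectorId
                    RecoveryPassword = $kp.RecoveryPassword
                }
            }
        }
    }
}

$unbacked = @(Get-UnbackedRecoveryProtectors)
if ($unbacked.Count -eq 0) {
    Write-Output 'All recovery passwords are backed up'
    exit 0   # Proactive Remediation detection: compliant
}

# The hand-off file holds plaintext recovery passwords: drop inherited ACEs and grant only SYSTEM,
# Administrators and the interactive user (who runs the second script).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$unbacked | Export-Csv -Path $OutFile -NoTypeInformation
$acl = Get-Acl -Path $OutFile
$acl.SetAccessRuleProtection($true, $false)
$grants = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' }
$user = (Get-CimInstance Win32_ComputerSystem).UserName   # DOMAIN\user of the console session, if any
if ($user) { $grants[$user] = 'Read' }
foreach ($p in $grants.Keys) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($p, $grants[$p], 'Allow'))
}
Set-Acl -Path $OutFile -AclObject $acl

# Azure AD joined / hybrid joined devices can back up directly here (the post keeps this commented out):
# $unbacked | ForEach-Object { BackupToAAD-BitLockerKeyProtector -MountPoint $_.MountPoint -KeyProtectorId $_.KeyProtectorId }
Write-Output "$($unbacked.Count) recovery password(s) not yet backed up"
exit 1   # detection: issue found
```

The user-context script should append each KeyProtectorId it backs up successfully to the custom log and remove the hand-off file once it is empty, so the plaintext recovery passwords do not linger on disk.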
Deploying the Scripts with Intune Proactive Remediations
To automate the execution of these scripts and ensure consistent backup of BitLocker keys, we deploy them using Intune Proactive Remediations. This method leverages Intune’s ability to execute PowerShell scripts under specific contexts, allowing us to overcome the challenges posed by workplace-joined devices.
Deployment Overview:
- **Is-Encrypted.ps1:** This script runs daily under the system context to identify unbacked keys. It is configured as a detection script in a Proactive Remediation that runs every day. (Get the full script below)
- **Backup-RecoveryPasswords.ps1:** This script runs every 8 hours under the logged-on user's context to back up the identified keys using the user's certificate. It is configured as a detection script in a separate Proactive Remediation. (Get the full script below)
Detailed Steps for Deployment:
- Is-Encrypted.ps1 Deployment:
- **Context:** System
- **Frequency:** Once every day
- **Purpose:** Identifies unbacked BitLocker recovery keys and saves them to a text file for further processing.
Steps:
- In Intune, navigate to **Devices** > **Scripts and Remediations**.
- Select **Remediations**.
- Create a new Remediation script.
- Provide a Name for the remediation.
- Select Next.
- In the detection script file field, upload the Is-Encrypted.ps1 script.
- Run this script using the logged-on credentials = No.
- Enforce script signature check = No.
- Run script in 64-bit PowerShell = Yes.
- Assign the script to a group and set the schedule to run once per day.
- Backup-RecoveryPasswords.ps1 Deployment:
- **Context:** Logged-on user
- **Frequency:** Every 8 hours
- **Purpose:** Backs up the recovery keys identified by the first script to Azure AD using the user's certificate.
Steps:
- Create another Remediation script in Intune.
- Provide a Name for the remediation.
- Select Next.
- In the detection script file field, upload the Backup-RecoveryPasswords.ps1 script.
- Run this script using the logged-on credentials = Yes.
- Enforce script signature check = No.
- Run script in 64-bit PowerShell = Yes.
- Assign the script to a group and set the schedule to run every 8 hours.
Future Enhancements
Currently, the code for using the BackupToAAD-BitLockerKeyProtector cmdlet for Azure AD joined or hybrid joined devices is commented out in the Is-Encrypted.ps1 script. We plan to conduct further testing and refine this process to ensure seamless integration and support for all device join scenarios. Feel free to uncomment this line and test yourself.
Conclusion
Data security is non-negotiable, and ensuring that all BitLocker recovery keys are backed up to Azure AD is a critical aspect of this. Our solution, while working around some unsupported scenarios, provides a comprehensive method to secure BitLocker keys for workplace-joined devices. By leveraging both system and user-level access, we ensure no key is left unbacked, safeguarding against data loss.
For those implementing similar solutions, it’s crucial to thoroughly test in your environment and understand the limitations and permissions required. Our approach provides a robust foundation, but customization may be necessary to fit specific organizational needs.
Feel free to reach out for any clarifications or further discussions on BitLocker key management and Azure AD integrations.
Legal Disclaimer
This solution is provided “as is” without any warranty or guarantee of any kind. The author is not liable for any damages or issues that arise from using this solution. It is the user’s responsibility to ensure that the solution is suitable for their environment and does not interfere with other processes or security policies.
Is-Encrypted.ps1
This script should be executed in local system context.
The script(s) referenced above are available on GitHub:
Get the scripts on GitHub: powerstacks-corp/intune-bitlocker-key-backup
