How to migrate BitLocker key(s) from all fixed drives to Microsoft Entra ID.
20-11-2023 7:21 PM
BEFORE YOU BEGIN
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
It's been almost a year since I published my original post about how to migrate BitLocker Recovery Key(s) to Azure AD (Microsoft Entra ID) using a remediation script. It didn't take long before several companies started using it, and since then, I've received a few inquiries about support for multiple fixed drives.
Today, I'm excited to announce the release of an updated version of the remediation script, which supports multiple fixed drives and an improved script output in Microsoft Intune.
Important: Read about the prerequisites and requirements for remediation scripts in Microsoft Intune and the script usage in the original blog post here ⤵️
In this post, I'll cover the following topics.
Migrate BitLocker key(s) from all fixed drives
Important: Please download the detection and remediation script from my GitHub repository before continuing.
In the variables section of both scripts, you will find a new global variable named $Global:CheckAllDrives with a default value set to $false (see the screenshot below)
If set to $false (default) - the script will only check the system drive.
If set to $true - the script will check all fixed drives.
So, if you want to check all fixed drives on your devices, change this new global variable to $true in both the detect and the remediation script and upload them to Microsoft Intune.
Remediation verification
After uploading both scripts to Microsoft Intune, it's time to verify that everything works as intended.
The first place I will check is in the IntuneProactiveRemediation log file.
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneProactiveRemediation.logAs you can see in the example below, the script checks drive C:, E:, and F:
The second place I will check is in the Event Viewer.
The third and final place I would check is in the Registry Editor.
The improved script output in Microsoft Intune
Let's have a look at the improved script output in Microsoft Intune.
Go to https://intune.microsoft.com Next, go to Devices | Remediations (under Policy) and select your script package from the overview. Choose Device status (under Monitor) in the script package.
The Device status overview provides visibility into the detection and remediation status. The following example shows that the detection process finished with issues, and the remediation failed.
Let's look at what information the output can provide us. In the below example, we can see that the improved script output now supports multiple outputs!
Output 1 - BitLocker protection status of drive 'C:' is = Off. - Please ensure that the BitLocker protection is turned on and not temporarily suspended.
Output 2 - BitLocker recovery key(s) from drive 'E:' is not stored in Azure AD. - Run remediation script…
Why did the remediation fail? – Because I'd temporarily suspended the BitLocker protection on drive C:
Summary
In this blog post, you learned about the new capabilities of my remediation script used for migrating BitLocker key(s) to Microsoft Entra ID. You should now be able to upload BitLocker key(s) for all fixed drives to Microsoft Entra ID and check the improved script output in Microsoft Intune.
That's it, folks. Happy testing, and have fun exploring 🤓 If you have any questions regarding this topic, please feel free to reach out to me.
Last updated
Was this helpful?