How to migrate BitLocker key(s) from all fixed drives to Microsoft Entra ID.
20-11-2023 7:21 PM
PreviousMicrosoft IntuneNextMigrate Bitlocker Recovery Key(s) to Azure AD with Proactive Remediation
Last updated
Was this helpful?
20-11-2023 7:21 PM
Last updated
Was this helpful?
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
It's been almost a year since I published my original post about how to migrate BitLocker Recovery Key(s) to Azure AD (Microsoft Entra ID) using a remediation script. It didn't take long before several companies started using it, and since then, I've received a few inquiries about support for multiple fixed drives.
Today, I'm excited to announce the release of an updated version of the remediation script, which supports multiple fixed drives and an improved script output in Microsoft Intune.
Important: Read about the prerequisites and requirements for remediation scripts in Microsoft Intune and the script usage in the original blog post here ⤵️
In this post, I'll cover the following topics.
In the variables section of both scripts, you will find a new global variable named $Global:CheckAllDrives with a default value set to $false (see the screenshot below)
If set to $false (default) - the script will only check the system drive.
If set to $true - the script will check all fixed drives.
So, if you want to check all fixed drives on your devices, change this new global variable to $true in both the detect and the remediation script and upload them to Microsoft Intune.
After uploading both scripts to Microsoft Intune, it's time to verify that everything works as intended.
The first place I will check is in the IntuneProactiveRemediation log file.
As you can see in the example below, the script checks drive C:, E:, and F:
The second place I will check is in the Event Viewer.
The third and final place I would check is in the Registry Editor.
Let's have a look at the improved script output in Microsoft Intune.
The Device status overview provides visibility into the detection and remediation status. The following example shows that the detection process finished with issues, and the remediation failed.
Let's look at what information the output can provide us. In the below example, we can see that the improved script output now supports multiple outputs!
Output 1 - BitLocker protection status of drive 'C:' is = Off. - Please ensure that the BitLocker protection is turned on and not temporarily suspended.
Output 2 - BitLocker recovery key(s) from drive 'E:' is not stored in Azure AD. - Run remediation script…
Why did the remediation fail? – Because I'd temporarily suspended the BitLocker protection on drive C:
In this blog post, you learned about the new capabilities of my remediation script used for migrating BitLocker key(s) to Microsoft Entra ID. You should now be able to upload BitLocker key(s) for all fixed drives to Microsoft Entra ID and check the improved script output in Microsoft Intune.
That's it, folks. Happy testing, and have fun exploring 🤓 If you have any questions regarding this topic, please feel free to reach out to me.
Important: Please download the and script from my before continuing.
Note: As stated in my , you still need to change the "CompanyName" in the registry path to a name of your choice (such as your company name).
Go to Next, go to Devices | Remediations (under Policy) and select your script package from the overview. Choose Device status (under Monitor) in the script package.
