# How to migrate BitLocker key(s) from all fixed drives to Microsoft Entra ID.

## BEFORE YOU BEGIN

{% hint style="warning" %} <mark style="color:orange;">**Disclaimer:**</mark> <mark style="color:orange;">All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.</mark>
{% endhint %}

It's been almost a year since I published my original post about how to **migrate BitLocker Recovery Key(s) to Azure AD (Microsoft Entra ID)** using a remediation script. It didn't take long before several companies started using it, and since then, I've received a few inquiries about support for multiple fixed drives.

Today, I'm excited to announce the release of an updated version of the remediation script, which supports multiple fixed drives and an improved script output in **Microsoft Intune**.

{% hint style="warning" %}
<mark style="color:orange;">**Important:**</mark> <mark style="color:orange;">Read about the prerequisites and requirements for remediation scripts in **Microsoft Intune** and the script usage in the original blog post here ⤵️</mark>
{% endhint %}

{% embed url="<https://www.osdsune.com/home/blog/microsoft-intune/migrate-bitlocker-recovery-key-s-to-azure-ad-with-proactive-remediation>" %}

**In this post, I'll cover the following topics.**

* [**Migrate BitLocker key(s) from all fixed drives**](#migrate-bitlocker-key-s-from-all-fixed-drives)
* [**Remediation verification**](#remediation-verification)
* [**The improved script output in Microsoft Intune**](#the-improved-script-output-in-microsoft-intune)
* [**Summary**](#summary)

## Migrate BitLocker key(s) from all fixed drives

{% hint style="warning" %}
<mark style="color:orange;">**Important:**</mark> <mark style="color:orange;">Please download the</mark> [<mark style="color:orange;">**detection**</mark>](https://github.com/SuneThomsenDK/OSDSUNE/blob/master/Scripts/ProactiveRemediation/BitLockerBackupToEntraID/Detect_BitLockerBackupToEntraID.ps1) <mark style="color:orange;">and</mark> [<mark style="color:orange;">**remediation**</mark>](https://github.com/SuneThomsenDK/OSDSUNE/blob/master/Scripts/ProactiveRemediation/BitLockerBackupToEntraID/Remediate_BitLockerBackupToEntraID.ps1) <mark style="color:orange;">scripts from my</mark> [<mark style="color:orange;">**GitHub repository**</mark>](https://github.com/SuneThomsenDK/OSDSUNE/tree/master/Scripts/ProactiveRemediation/BitLockerBackupToEntraID) <mark style="color:orange;">before continuing.</mark>
{% endhint %}

In the variables section of both scripts, you will find a new global variable named **$Global:CheckAllDrives** with a default value of **$false** (see the screenshot below).

* If set to **$false** (default) - the script will only check the system drive.
* If set to **$true** - the script will check all fixed drives.

So, if you want to check all fixed drives on your devices, change this new global variable to **$true** in both the detection and the remediation script and upload them to **Microsoft Intune**.

{% hint style="info" %}
<mark style="color:blue;">**Note:**</mark> <mark style="color:blue;">As stated in my</mark> [<mark style="color:blue;">**original blog post**</mark>](https://www.osdsune.com/home/blog/microsoft-intune/migrate-bitlocker-recovery-key-s-to-azure-ad-with-proactive-remediation)<mark style="color:blue;">, you still need to change the "**CompanyName**" in the registry path to a name of your choice (such as your company name).</mark>
{% endhint %}

{% hint style="info" %}
<mark style="color:blue;">**Tip:**</mark> <mark style="color:blue;">Although changing the event log time variable is optional, I suggest you change it to the date you plan to put the scripts into production.</mark>
{% endhint %}

<figure><img src="/files/Ncoi8xN8qrG3mMkya3b9" alt=""><figcaption></figcaption></figure>
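The following is an added example of how a detection script can implement the drive selection, the event log cut-off date and the combined output described above; it is not the author's script from the GitHub repository. It assumes (marked in the comments) that event ID 845 in the BitLocker-API Management log records a successful backup to Entra ID and that its message text contains the key protector GUID; verify both against your own Event Viewer entries before relying on it.

```powershell
# Added example, not the author's detection script. Mirrors the behaviour described in the post:
# $CheckAllDrives selects the drives, $EventLogTime is the cut-off for event log searches.
$CheckAllDrives = $true                                 # $false = system drive only (default in the post)
$EventLogTime   = Get-Date '2024-01-01'                 # set this to your production roll-out date
$LogName        = 'Microsoft-Windows-BitLocker/BitLocker Management'   # Event Viewer: BitLocker-API | Management

# Drives to examine: the system drive, or every fixed drive that has a drive letter.
if ($CheckAllDrives) {
    $MountPoints = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" } | Sort-Object
} else {
    $MountPoints = @($env:SystemDrive)                  # e.g. 'C:'
}

# Assumption: ID 845 = "recovery information was backed up successfully to your Azure AD".
$BackupEvents = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845; StartTime = $EventLogTime } `
    -ErrorAction SilentlyContinue

$Outputs = @()
foreach ($MountPoint in $MountPoints) {
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $Volume) { $Outputs += "Drive '$MountPoint' could not be queried by Get-BitLockerVolume."; continue }

    # A suspended drive (ProtectionStatus = Off) cannot be migrated; report it, as the post's Output 1 does.
    if ($Volume.ProtectionStatus -ne 'On') {
        $Outputs += "BitLocker protection status of drive '$MountPoint' is = $($Volume.ProtectionStatus). - Please ensure that the BitLocker protection is turned on and not temporarily suspended."
        continue
    }

    # Assumption: the 845 message contains the protector GUID; each recovery password protector needs one.
    $Protectors = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $Missing = $Protectors | Where-Object {
        $Guid = $_.KeyProtectorId.Trim('{}')
        -not ($BackupEvents | Where-Object { $_.Message -match [regex]::Escape($Guid) })
    }
    if ($Missing) { $Outputs += "BitLocker recovery key(s) from drive '$MountPoint' is not stored in Entra ID. - Run remediation script." }
}

if ($Outputs.Count -eq 0) {
    Write-Output "BitLocker recovery key(s) for $($MountPoints -join ', ') are stored in Entra ID."
    exit 0                                              # compliant: Intune runs no remediation
}
# Intune shows one output line per device, so the findings are joined as [Output 1] + [Output 2] ...
$Numbered = for ($i = 0; $i -lt $Outputs.Count; $i++) { "[Output $($i + 1)] $($Outputs[$i])" }
Write-Output ($Numbered -join ' + ')
exit 1                                                  # non-compliant: Intune runs the remediation script
```

The matching remediation step for each protector in `$Missing` is `BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protector.KeyProtectorId`, which is the cmdlet that writes the new 845 (or a failure) event you then verify in the Event Viewer.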

## Remediation verification

After uploading both scripts to **Microsoft Intune**, it's time to verify that everything works as intended.

The first place I will check is in the **IntuneProactiveRemediation** log file.

```
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneProactiveRemediation.log
```

As you can see in the example below, the script checks drives **C:**, **E:**, and **F:**

<figure><img src="/files/1sZnJjUORQODYTtH83iA" alt=""><figcaption></figcaption></figure>

The second place I will check is in the **Event Viewer**.

{% hint style="info" %}
<mark style="color:blue;">**Applications and Services Logs | Microsoft | Windows | BitLocker-API | Management**</mark>
{% endhint %}

<figure><img src="/files/TqIO1DM2ydFMT2WtTgJ9" alt=""><figcaption></figcaption></figure>

The third and final place I would check is in the **Registry Editor**.

{% hint style="info" %}
<mark style="color:blue;">**HKEY\_LOCAL\_MACHINE\SOFTWARE\CompanyName\BitLocker**</mark>
{% endhint %}

<figure><img src="/files/4LeJjbpPRpBMJ10ENSwm" alt=""><figcaption></figcaption></figure>

## The improved script output in Microsoft Intune

Let's have a look at the improved script output in **Microsoft Intune**.

Go to [**https://intune.microsoft.com**](https://intune.microsoft.com)\
Next, go to **Devices | Remediations (under Policy)** and select your script package from the overview.\
Choose **Device status (under Monitor)** in the script package.

The **Device status overview** provides visibility into the detection and remediation status. The following example shows that the detection process finished with issues, and the remediation failed.

<figure><img src="/files/Gs3d8tHZWXtkEqnWK5UA" alt=""><figcaption></figcaption></figure>

Let's look at what information the output can provide us. In the below example, we can see that the improved script output now supports multiple outputs!

* **Output 1** - BitLocker protection status of drive 'C:' is = Off. - Please ensure that the BitLocker protection is turned on and not temporarily suspended.
* **Output 2** - BitLocker recovery key(s) from drive 'E:' is not stored in Azure AD. - Run remediation script…

{% hint style="info" %}
<mark style="color:blue;">**Note:**</mark> <mark style="color:blue;">The script output(s) are separated as **\[Output 1] + \[Output 2] + \[Output 3]**...</mark>
{% endhint %}

Why did the remediation fail? – Because I'd temporarily suspended the BitLocker protection on drive **C:**

<figure><img src="/files/XNJEpFI5bDPZSUHn1Dhe" alt=""><figcaption></figcaption></figure>

## Summary

In this blog post, you learned about the new capabilities of my remediation script used for **migrating BitLocker key(s) to Microsoft Entra ID**. You should now be able to upload BitLocker key(s) for all fixed drives to **Microsoft Entra ID** and check the improved script output in **Microsoft Intune**.

That's it, folks. Happy testing, and have fun exploring 🤓\
If you have any questions regarding this topic, please feel free to reach out to me.

