How to migrate BitLocker key(s) from all fixed drives to Microsoft Entra ID.


It’s been almost a year since I published my original post about how to migrate BitLocker Recovery Key(s) to Azure AD (Microsoft Entra ID) using a remediation script. It didn’t take long before several companies started using it, and since then, I’ve received a few inquiries about support for multiple fixed drives.

Today, I’m excited to announce the release of an updated version of the remediation script, which supports multiple fixed drives and an improved script output in Microsoft Intune.

In this post, I’ll cover the following topics:

  • Migrate BitLocker key(s) from all fixed drives
  • The improved script output in Microsoft Intune

Migrate BitLocker key(s) from all fixed drives

In the variables section of both scripts, you will find a new global variable named $Global:CheckAllDrives with a default value of $false (see the screenshot below).

  • If set to $false (default) – the script will only check the system drive.
  • If set to $true – the script will check all fixed drives.

So, if you want to check all fixed drives on your devices, change this new global variable to $true in both the detect and the remediation script and upload them to Microsoft Intune.

The remediation script

Remediation verification

After uploading both scripts to Microsoft Intune, it’s time to verify that everything works as intended.

The first place I will check is in the IntuneProactiveRemediation log file.

As you can see in the example below, the script checks drives C:, E:, and F:.


The second place I will check is in the Event Viewer.


The third and final place I would check is in the Registry Editor.


The improved script output in Microsoft Intune

Let’s have a look at the improved script output in Microsoft Intune.

  • Go to https://intune.microsoft.com
  • Next, go to Devices | Remediations (under Policy) and select your script package from the overview.
  • Choose Device status (under Monitor) in the script package.

The Device status overview provides visibility into the detection and remediation status. The following example shows that the detection process finished with issues, and the remediation failed.

Script output in Microsoft Intune

Let’s look at what information the output can provide us. In the below example, we can see that the improved script output now supports multiple outputs!

  • Output 1 – BitLocker protection status of drive ‘C:’ is = Off. – Please ensure that the BitLocker protection is turned on and not temporarily suspended.
  • Output 2 – BitLocker recovery key(s) from drive ‘E:’ is not stored in Azure AD. – Run remediation script…

Why did the remediation fail? – Because I’d temporarily suspended the BitLocker protection on drive C:.

Script output in Microsoft Intune
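To show how the $Global:CheckAllDrives switch, the per-drive detection and the multi-line output described above fit together, here is an added example written for this post; it is not the author’s script. It assumes a single file that acts as the detection script when run without -Remediate and as the remediation script with it (in Intune you would upload two separate files), and it assumes a key counts as stored in Entra ID when the BitLocker Management event log holds a backup-success event (ID 845) naming the volume.

```powershell
param([switch]$Remediate)   # no switch = detection script, -Remediate = remediation script

$Global:CheckAllDrives = $false   # $false = system drive only, $true = all fixed drives

function Get-DrivesToCheck {
    $volumes = Get-BitLockerVolume
    if (-not $Global:CheckAllDrives) {
        return $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
    }
    # Fixed drives only: build the set of fixed drive letters so removable media is skipped
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
             ForEach-Object { "$($_.DriveLetter):" }
    return $volumes | Where-Object { $_.MountPoint -in $fixed }
}

# Assumption (not from the post): a backup-success event (ID 845) naming the volume
# in the BitLocker Management log means the recovery key is already in Entra ID.
function Test-KeyBackedUp {
    param([string]$MountPoint)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -ErrorAction SilentlyContinue
    return [bool]($events | Where-Object { $_.Message -like "*$MountPoint*" })
}

$output = @(); $failed = $false
foreach ($vol in Get-DrivesToCheck) {
    $drive = $vol.MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Suspended protection also reports Off, which is the case that made the post's remediation fail
        $output += "BitLocker protection status of drive '$drive' is = $($vol.ProtectionStatus). - Please ensure that the BitLocker protection is turned on and not temporarily suspended."
        $failed = $true; continue
    }
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) { $output += "Drive '$drive' has no recovery password protector to back up."; $failed = $true; continue }
    if (Test-KeyBackedUp -MountPoint $drive) { continue }
    if ($Remediate) {
        foreach ($kp in $recovery) { BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        $output += "Backed up $($recovery.Count) recovery key(s) from drive '$drive' to Entra ID."
    } else {
        $output += "BitLocker recovery key(s) from drive '$drive' is not stored in Azure AD. - Run remediation script"
        $failed = $true
    }
}

# One line per finding; Intune shows the joined string, and exit 1 marks the run as "with issues"/failed
if ($output.Count -eq 0) { $output += 'All checked drives are protected and their recovery keys are stored in Entra ID.' }
Write-Output ($output -join "`n")
if ($failed) { exit 1 } else { exit 0 }
```

With $Global:CheckAllDrives set to $true, a device with protection suspended on C: and an unbacked-up key on E: produces the two-line output shown in the screenshot above and a non-zero exit code from both scripts.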

Summary

In this blog post, you learned about the new capabilities of my remediation script used for migrating BitLocker key(s) to Microsoft Entra ID. You should now be able to upload BitLocker key(s) for all fixed drives to Microsoft Entra ID and check the improved script output in Microsoft Intune.

That’s it, folks. Happy testing, and have fun exploring 🤓
If you have any questions regarding this topic, please feel free to reach out to us.
