Missing BitLocker Keys in Azure AD

The recent worldwide outage caused by a faulty Crowdstrike update was a major hassle for many people, not least the people in IT departments around the world who were left to clean up, in many cases, thousands of machines.

We run Crowdstrike at my current employer, and we too were affected by this outage. We’re a relatively small organisation, and an information technology organisation at that, so most of our users were able to resolve the situation themselves.

As long as they had access to their BitLocker recovery keys!

Many of the team did already have their recovery keys safely stored elsewhere, and got themselves back online pretty quickly.

Those who didn’t have their keys had to come to the IT team to get them. Almost all of the keys were found in our Microsoft Intune environment, as they should be.

However, a handful were missing. Here’s how to get them back into Intune so they are there the next time they are needed. Fortunately, the machines whose keys were missing belonged to people who had personally saved their keys elsewhere.

To get them back, there is an option in the BitLocker control panel to save your recovery key(s) back up to Azure/Intune:

However, in an environment with thousands of machines this is not always practical. It is also a pain whenever new drives are added or disks are decrypted and re-encrypted, so here’s a PowerShell script that achieves the same result. You can run it regularly across your workstation fleet to keep the keys centrally located for disaster recovery.

# Back up the numerical recovery password of every BitLocker volume to Azure AD / Intune.
# Must run elevated; the BitLocker module ships with Windows and loads automatically.
#Requires -RunAsAdministrator
$BLVolumes = Get-BitLockerVolume

foreach ($BLVol in $BLVolumes)
{
    foreach ($keyProtector in $BLVol.KeyProtector)
    {
        # Only RecoveryPassword protectors can be escrowed; TPM, PIN and key-file protectors are skipped
        if ($keyProtector.KeyProtectorType -eq "RecoveryPassword")
        {
            $KeyProtectorID = $keyProtector.KeyProtectorId
            try
            {
                # Returns the BitLockerVolume object on success; -ErrorAction Stop makes a failure catchable
                $result = BackupToAAD-BitLockerKeyProtector -MountPoint $BLVol.MountPoint -KeyProtectorId $KeyProtectorID -ErrorAction Stop
            }
            catch
            {
                $result = $null
                Write-Warning "Recovery key upload for $($BLVol.MountPoint) threw: $_"
            }
            if ($result)
            {
                Write-Output "Recovery key upload for $($BLVol.MountPoint) was successful!"
            } else
            {
                Write-Output "Recovery key upload for $($BLVol.MountPoint) failed!"
            }
            # Only the first recovery password protector on each volume is backed up
            break
        }
    }
}
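As an added example that is not part of the original post, here is a fleet-oriented variant that also covers two gaps in the script above: a volume that only has a TPM protector has no recovery password to upload, and a successful cmdlet return does not by itself prove the key reached the tenant. It adds a recovery password protector where none exists, escrows every recovery password protector rather than only the first, and then cross-checks the BitLocker Management event log (ID 845 = backup succeeded, 846 = backup failed). The function name, its parameter and the assumption that the event message names the volume are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow every recovery password to Azure AD / Intune and confirm it from the event log.
# Function and parameter names are assumptions chosen for this example.
function Confirm-BitLockerKeyEscrow {
    [CmdletBinding()]
    param(
        # Only consider backup events newer than this when confirming the escrow
        [int]$LookBackMinutes = 10
    )

    $results = foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $rpProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # A TPM-only volume has nothing to escrow; create a recovery password so a key exists to back up
        if ($rpProtectors.Count -eq 0) {
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rpProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        # Escrow every recovery password protector, not just the first one found
        foreach ($kp in $rpProtectors) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $escrowed = $true
            } catch {
                $escrowed = $false
                Write-Warning "Escrow of $($kp.KeyProtectorId) on $($vol.MountPoint) failed: $_"
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; CmdletResult = $escrowed }
        }
    }

    # Independent confirmation from the local BitLocker Management log: 845 = success, 846 = failure
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddMinutes(-$LookBackMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($r in $results) {
        # Assumption: the event message names the volume (e.g. "for volume C:"); newest event wins
        $ev = $events | Where-Object { $_.Message -like "*$($r.MountPoint)*" } | Select-Object -First 1
        $r | Add-Member -NotePropertyName EventLogConfirmed -NotePropertyValue ([bool]($ev -and $ev.Id -eq 845)) -PassThru
    }
}

Confirm-BitLockerKeyEscrow | Format-Table -AutoSize
```

A row with CmdletResult true but EventLogConfirmed false is the case worth chasing on a fleet run, since it means the local cmdlet reported success without a matching backup event.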