How to check your Bitlocker Key Escrow status with Microsoft Intune.
Todays blog post is one for the geeks again. My fellow IT guys.
Disclaimer: If you are reading this blog then you have most likely Googled an issue and found yourself here, well done. We know how to resolve technical issues even if that process includes research. Keep going..... do not randomly run scripts. Understand what the script does and trust no one. We can not be held accountable for any damage that is done. This blog is not a set of instructions.
Microsoft Intune is a modern approach to desktop management. For businesses that use Microsoft Azure, 365 and even with an on Prem Microsoft Active Directory Microsoft Intune is a superb approach for management of device configuration and security.
A powerful feature of computer security is disk level encryption. Disk encryption stores your data in a cryptographically secure format. If a malicious party gets access to your laptop they will not be able to circumvent the cryptography to gain access to your data. With Windows 10 and Windows 11 this comes in the form of BitLocker. But what happens if you get locked out of your own computer somehow? If BitLocker is that secure if not handled properly it presents a risk to the user. The good news is that BitLocker provides a recovery key which needs to be kept in a safe place. If there are any issues unlocking the encrypted disk the recovery key can be used to help you get access to your data once more. There are a few scenarios that may cause this, if the system detects some kind of hardware change for example. The question is how do you store these recovery keys? As Microsoft Azure admins we need a way to have access to these recovery keys and of course we need to protect them. If they are common knowledge they are not much use, if we can not locate them the potential for data loss could be catastrophic. Of course the latter is extreme because we backup our systems right?
Microsoft Intune offers a way to store BitLocker Recovery keys, this is a process where the recovery key is stored with the Device in Intune. This is process known as escrow. All good MDM platforms will do this. At iLogix Computer Solutions we are also Apple Specialists, we are Apple and JAMF Certified. JAMF will do the same as Intune, it will escrow macOS FileVault recovery keys.
The question is how do you ensure that the keys are escrowed to Microsoft Intune. With JAMF we enforce FileVault and to be sure we run regular reports to report on Macs that do not have FileVault Enabled and also Macs that do not have their recovery key stored in JAMF. We never have unencrypted systems because we make sure systems are protected but this reporting offers assurance.
We were recently contacted by a customer who informed us that one of his users was locked out of his Dell Laptop. He was unable to log in and was being prompted for the BitLocker Recovery key. The administrator went to his Microsoft Intune only to find the key was not available. Don't worry, there are ways to perform a key rotation which got him out of trouble however we provided him with a report on his Intune escrow status.
The way we did this was to use Windows Powershell and run a script. We started by making sure we had all the right modules loaded, thats as simple as running the following in PowerShell:
Install-ModuleAzureRM-AllowClobber
We then ran the following PoweShell Script. You need to Authenticate with an Azure admin account, save the following as a .ps1 file or paste it into PowerShell ISE, then run it. It will generate a spreadsheet and allow an admin to asses their organisations BitLocker status including Key Escrow.
___________________________________________________________________________________________
function get-bitlockerEscrowStatusForAzureADDevices{
#Requires -Modules ImportExcel
<#
.SYNOPSIS
Retrieves bitlocker key upload status for all azure ad devices
.DESCRIPTION
Use this report to determine which of your devices have backed up their bitlocker key to AzureAD (and find those that haven't and are at risk of data loss!).
Report will be stored in current folder.
.EXAMPLE
get-bitlockerEscrowStatusForAzureADDevices
.PARAMETER Credential
Optional, pass a credential object to automatically sign in to Azure AD. Global Admin permissions required
.PARAMETER showBitlockerKeysInReport
Switch, is supplied, will show the actual recovery keys in the report. Be careful where you distribute the report to if you use this
.PARAMETER showAllOSTypesInReport
By default, only the Windows OS is reported on, if for some reason you like the additional information this report gives you about devices in general, you can add this switch to show all OS types
.NOTES
filename: get-bitlockerEscrowStatusForAzureADDevices.ps1
author: Jos Lieben
blog: www.lieben.nu
created: 9/4/2019
#>
[cmdletbinding()]
Param(
$Credential,
[Switch]$showBitlockerKeysInReport,
[Switch]$showAllOSTypesInReport
)
Import-Module AzureRM.Profile
if (Get-Module -Name "AzureADPreview" -ListAvailable) {
Import-Module AzureADPreview
} elseif (Get-Module -Name "AzureAD" -ListAvailable) {
Import-Module AzureAD
}
if ($Credential) {
Try {
Connect-AzureAD -Credential $Credential -ErrorAction Stop | Out-Null
} Catch {
Write-Warning "Couldn't connect to Azure AD non-interactively, trying interactively."
Connect-AzureAD -TenantId $(($Credential.UserName.Split("@"))[1]) -ErrorAction Stop | Out-Null
}
Try {
Login-AzureRmAccount -Credential $Credential -ErrorAction Stop | Out-Null
} Catch {
Write-Warning "Couldn't connect to Azure RM non-interactively, trying interactively."
Login-AzureRmAccount -TenantId $(($Credential.UserName.Split("@"))[1]) -ErrorAction Stop | Out-Null
}
} else {
Login-AzureRmAccount -ErrorAction Stop | Out-Null
}
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$restHeader = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()
}
Write-Verbose "Connected, retrieving devices..."
$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri "https://main.iam.ad.ext.azure.com/api/Devices?nextLink=&queryParams=%7B%22searchText%22%3A%22%22%7D&top=15" -Headers $restHeader
$allDevices = @()
$allDevices += $restResult.value
while($restResult.nextLink){
$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri "https://main.iam.ad.ext.azure.com/api/Devices?nextLink=$([System.Web.HttpUtility]::UrlEncode($restResult.nextLink))&queryParams=%7B%22searchText%22%3A%22%22%7D&top=15" -Headers $restHeader
$allDevices += $restResult.value
}
Write-Verbose "Retrieved $($allDevices.Count) devices from AzureAD, processing information..."
$csvEntries = @()
foreach($device in $allDevices){
if(!$showAllOSTypesInReport -and $device.deviceOSType -notlike "Windows*"){
Continue
}
$keysKnownToAzure = $False
$osDriveEncrypted = $False
$lastKeyUploadDate = $Null
if($device.deviceOSType -eq "Windows" -and $device.bitLockerKey.Count -gt 0){
$keysKnownToAzure = $True
$keys = $device.bitLockerKey | Sort-Object -Property creationTime -Descending
if($keys.driveType -contains "Operating system drive"){
$osDriveEncrypted = $True
}
$lastKeyUploadDate = $keys[0].creationTime
if($showBitlockerKeysInReport){
$bitlockerKeys = ""
foreach($key in $device.bitlockerKey){
$bitlockerKeys += "$($key.creationTime)|$($key.driveType)|$($key.recoveryKey)|"
}
}else{
$bitlockerKeys = "HIDDEN FROM REPORT: READ INSTRUCTIONS TO REVEAL KEYS"
}
}else{
$bitlockerKeys = "NOT UPLOADED YET OR N/A"
}
$csvEntries += [PSCustomObject]@{"Name"=$device.displayName;"BitlockerKeysUploadedToAzureAD"=$keysKnownToAzure;"OS Drive encrypted"=$osDriveEncrypted;"lastKeyUploadDate"=$lastKeyUploadDate;"DeviceAccountEnabled"=$device.accountEnabled;"managed"=$device.isManaged;"ManagedBy"=$device.managedBy;"lastLogon"=$device.approximateLastLogonTimeStamp;"Owner"=$device.Owner.userPrincipalName;"bitlockerKeys"=$bitlockerKeys;"OS"=$device.deviceOSType;"OSVersion"=$device.deviceOSVersion;"Trust Type"=$device.deviceTrustType;"dirSynced"=$device.dirSyncEnabled;"Compliant"=$device.isCompliant}
}
$csvEntries | Export-Excel -workSheetName "BitlockerReport" -path "BitLockerReport.xlsx" -ClearSheet -TableName "BitlockerReport" -AutoSize -Verbose
}
get-bitlockerEscrowStatusForAzureADDevices
___________________________________________________________________________________________
iLogix Computer Solution are Microsoft MCSA's, we know Active Directory, Azure Active Directory and of course Microsoft Intune.
Call now if you need us.
Microsoft Solutions Basingstoke - Microsoft Solutions Reading - Microsoft Solutions Guildford - Microsoft Solutions Fleet - Microsoft Solutions Camberley - MCSA