This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 46%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi,
I have project to join PC's to Intune and enable Bitlocker. The PC's are already joined to active directory we will be joining them to Intune by adding the account via Access work or school account. I have the policy created and working to enable Bitlocker on the PC's that are not encrypted and the keys are backing up to Azure AD but some of the PC's are already encrypted with Bitlocker how do i backup those keys to Azure AD?
you can use the following powershell script (create using intune) to escrow the bitlocker keys to azure ad.
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Thanks,
Eswar
www.eskonr.com
Hi Eswar thank you for your answer.
I added the script to Powershell Scripts in Intune but it gave an error then i ran the script from Powershell and it gave the below error would you know what is causing this error?
"BackupToAAD-BitLockerKeyProtector : Cannot process argument transformation on parameter 'KeyProtectorId'. Cannot
convert value to type System.String.
At line:1 char:80
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 31%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Came here because I was getting the same error with my own script and this was the only thread I could find with this error. Turns out the PC giving this error has more than one KeyProtectorId associated with it, so I guess it was returning an array rather than a string. I fixed this with a ForEach loop, and Azure AD only picked up the most recent key:
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($Key in $RecoveryProtector.KeyProtectorID) {
try {
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $Key
}
catch {
Write-Output "Could not back up to Azure AD. Error: "
Write-Output $_
}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 3%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
I just tried this, and it worked, Thanks a bunch.
Maybe this can help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 76%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
I have this scenario also, though due to a different reason. We Azure AD Connect joined everything, and the recovery key was removed from AD, and isn't in AAD. Telling it to backup to the Azure AD account in the Bitlocker settings area doesn't seem to actually back it up there if the drive is encrypted already. Selecting to back up to Azure AD while decrypting and encrypting does, but that isn't practical.
For your PS script, it starts with try{ Should the try part be there?
Yes, added for error handling. If the drive is already encrypted, then the script should allow backing up in AAD. Have you tried it?
Not yet, wanted to make sure the try before the { in the first line was supposed to be there.
Hi there,
You can manually back up the BitLocker recovery key to AD if it is encrypted before joining the computer to the domain.
-Get the ID for the numerical password protector of the volume. Run the command from an elevated command prompt.
manage-bde -protectors -get c:
Use the numerical password protector’s ID from STEP 1 to backup recovery information to AD
If it is not getting uploaded after this try checking this article for more steps.
Bitlocker Keys not populating to AAD
https://learn.microsoft.com/en-us/answers/questions/35181/bitlocker-keys-not-populating-to-aad.html
-----------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
Any idea as to why all the recovery keys that were stored in AD either from the normal adds after joining the domain, and encrypting, or running the above, after Azure AD Connect, but it is also not in Azure devices area for most everyone. A couple people have it, but not very many. If bitlocker is removed/re-added, it is in Azure, but that is not practical way to get it there, so going to give @Rahul Jindal [MVP] suggestion a try when I have a chance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 59%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEW%3C/text%3E%3C/svg%3E)
This solution did it for me: https://blog.mindcore.dk/2023/11/how-to-migrate-bitlocker-keys-from-all-fixed-drives-to-microsoft-entra-id/
Fixed all my bitlocker AAD Intune issues.