How to use cmdlet BackupToAAD-BitLockerKeyProtector for standard users?

Dan Persing 25 Reputation points
2023-02-02T19:29:41.3366667+00:00

When I run the PowerShell script to back up BitLocker keys to Azure AD on machines with BitLocker already enabled, I get this error:

BackupToAAD-BitLockerKeyProtector : Exception from HRESULT: 0x801C0450
At line:1 char:1
+ BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyPr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector

I am able to get it to work only by signing into the machine as a domain admin, then connecting the user account under "Access work or school". I was able to get the script to work on my own machine, but I am a local admin. I have tried testing with the user as a local admin, but the only way for the script to put the recovery key in Azure AD is to log in as a domain admin and connect the user's account in "Access work or school".
Script is:
$osDrive = $env:SystemDrive
# Select the RecoveryPassword protector(s) on the OS drive and escrow them to Azure AD
$recoveryProtector = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recoveryProtector.KeyProtectorId

Is there an easier/better way to accomplish this than connecting the user's account while a domain admin is logged in under "Access work or school"? Hybrid AD, on-prem and Azure; we don't have Intune/Endpoint Management yet.


2 answers

  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-02-07T06:32:18.64+00:00

    @Dan Persing ,

    These policies need device admin rights. Since the devices are Azure AD joined, I would recommend assigning the

    **Azure AD Joined Device Local Administrator** role to the users and then running the script as admin, without logging onto the device with "domain admin credentials."

    Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
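The one-liner from the question, expanded into a checked version as an added example (this is not code from the original post or from the BitLocker module's documentation). It assumes what the answer above describes: an elevated PowerShell session on a Windows 10/11 device that is Azure AD joined or hybrid joined, run by an account that is a local administrator on that device. The function names `Test-AzureAdJoin` and `Backup-OsDriveRecoveryPasswordToAAD` are this example's own. Beyond the original script, it backs up every RecoveryPassword protector rather than assuming there is exactly one (the original passes `.KeyProtectorId` of whatever `Where-Object` returns, which breaks if a volume carries several), adds a recovery password if the volume has none, and reports the HRESULT per protector instead of stopping at the first COMException.

```powershell
# Added example, not part of the original post. Assumptions: elevated session, BitLocker
# module present, device Azure AD joined or hybrid joined, caller is a local admin.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Test-AzureAdJoin {
    # Hypothetical helper: read `dsregcmd /status` and look for "AzureAdJoined : YES".
    # Without a device registration there is nothing in Azure AD to escrow the key to.
    $status = & dsregcmd.exe /status
    $line = $status | Where-Object { $_ -match 'AzureAdJoined' } | Select-Object -First 1
    return ([string]$line -match 'AzureAdJoined\s*:\s*YES')
}

function Backup-OsDriveRecoveryPasswordToAAD {
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is not On for $MountPoint (status: $($volume.ProtectionStatus))."
    }

    # A volume may carry several recovery passwords; collect all of them.
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # TPM-only protection has nothing to escrow; add a recovery password first if none exists.
    if ($recovery.Count -eq 0) {
        Write-Verbose "No RecoveryPassword protector on $MountPoint; adding one."
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    $results = foreach ($kp in $recovery) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ KeyProtectorId = $kp.KeyProtectorId; Result = 'Backed up to Azure AD' }
        }
        catch {
            # The cmdlet reports failures as a COMException carrying an HRESULT (the question's
            # 0x801C0450 is one). Record it per protector instead of aborting the whole run.
            $hr = if ($_.Exception.HResult) { '0x{0:X8}' -f $_.Exception.HResult } else { 'n/a' }
            [pscustomobject]@{
                KeyProtectorId = $kp.KeyProtectorId
                Result         = "Failed ($hr): $($_.Exception.Message)"
            }
        }
    }
    return $results
}

if (-not (Test-AzureAdJoin)) {
    Write-Warning 'dsregcmd /status does not report "AzureAdJoined : YES"; the backup will most likely fail.'
}
Backup-OsDriveRecoveryPasswordToAAD | Format-Table -AutoSize
```

Run it from an elevated prompt on the device itself. The `Test-AzureAdJoin` check is a quick way to separate "the device has no Azure AD registration" from "the caller lacks rights": if it passes and the cmdlet still fails for a standard user but succeeds for a local admin, the missing piece is the device-admin right the answer above points at, not the join state.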


  2. Rafael 0 Reputation points
    2024-11-27T15:01:07.57+00:00

    Hello,

    Can someone tell me why the option to back up to AAD is missing? The user is a local administrator and is authenticated with "Access work or school".

    Other users do have the option to save to AAD; it only happens with 3 of them.

    When I try to run the script described above I get the following error:

    BackupToAAD-BitLockerKeyProtector : Exception from HRESULT: 0x801C0450

    At line:1 char:1

    + BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyPr ...

    Thanks for your support!
