How to back up already-enabled BitLocker keys to Azure AD with PowerShell

Dan Persing 20 Reputation points
2023-02-02T19:59:28.8633333+00:00

When running a PowerShell script to back up BitLocker keys to Azure AD on machines with BitLocker already enabled, I get this error:

    BackupToAAD-BitLockerKeyProtector : Exception from HRESULT: 0x801C0450
    At line:1 char:1
    + BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyPr ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
        + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector

I am able to get it to work only by signing into the machine as a domain admin, then connecting the user account under "Access work or school". I was able to get the script to work on my own machine, but I am a local admin. I have tried testing with putting the user as local admin, but the only way for the script to put the recovery key in Azure AD is to log in as domain admin and connect the user acct in Access work or school.

Script is:

    # Escrow the RecoveryPassword protector of the system drive to Azure AD.
    # Get-BitLockerVolume returns all key protectors; only the RecoveryPassword
    # type (the 48-digit recovery key) can be backed up this way.
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId

Is there an easier/better way to accomplish this?

Just posted this and it was removed for "violating community guidelines"

If this violates community guidelines please advise, this is a legitimate question.

Microsoft Entra ID

1 answer

  1. Alfredo Revilla (MSFT) 26,756 Reputation points
    2023-02-07T04:08:20.12+00:00

    Hello, it sounds like you're trying to back up your Windows BitLocker key using a Windows local account. This is not possible since, as you already found, a connected Azure AD account is required so that the device is registered or joined and thus possesses, by itself, an Azure AD identity.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
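The answer's point is that the backup only succeeds on a device that already has an Azure AD identity. The script below is an added example, not code from the question or the answer: it checks the device's join/registration state with `dsregcmd /status` before calling the same `BackupToAAD-BitLockerKeyProtector` cmdlet the question uses, so a deployment script reports "device not joined" instead of the raw 0x801C0450 COM exception. It assumes a Windows 10/11 device with the built-in BitLocker PowerShell module and `dsregcmd.exe`; the function names `Get-AadJoinState` and `Backup-RecoveryPasswordToAad` are my own.

```powershell
# Added example: escrow BitLocker recovery passwords to Azure AD only when the
# device actually has an Azure AD identity (joined or registered). Not from the
# original post; function names are the example's own.

function Get-AadJoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and
    # "WorkplaceJoined : YES" (workplace = Azure AD registered).
    $status = & dsregcmd.exe /status
    $joined     = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES'   -Quiet)
    $registered = [bool]($status | Select-String -Pattern '^\s*WorkplaceJoined\s*:\s*YES' -Quiet)
    [pscustomobject]@{ AzureAdJoined = $joined; WorkplaceJoined = $registered }
}

function Backup-RecoveryPasswordToAad {
    param([string]$MountPoint = $env:SystemDrive)

    # Precondition from the accepted answer: without an Azure AD identity the
    # backup cannot work, so stop here with a clear message.
    $state = Get-AadJoinState
    if (-not ($state.AzureAdJoined -or $state.WorkplaceJoined)) {
        Write-Warning "Device is neither Azure AD joined nor registered; BackupToAAD-BitLockerKeyProtector would fail with 0x801C0450."
        return $false
    }

    # Only RecoveryPassword protectors (the 48-digit key) can be escrowed.
    $volume     = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($protectors.Count -eq 0) {
        Write-Warning "No RecoveryPassword protector on $MountPoint; add one first (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector)."
        return $false
    }

    # A volume may carry more than one recovery password; back up each of them.
    $allOk = $true
    foreach ($p in $protectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
            Write-Output "Backed up protector $($p.KeyProtectorId) for $MountPoint to Azure AD"
        }
        catch {
            # Surface the HRESULT so the failure is distinguishable in logs.
            $hr = if ($_.Exception.HResult) { '0x{0:X8}' -f $_.Exception.HResult } else { 'unknown' }
            Write-Warning "Backup of $($p.KeyProtectorId) failed (HRESULT $hr): $($_.Exception.Message)"
            $allOk = $false
        }
    }
    return $allOk
}

# Run for the system drive; returns $true only if every recovery password was escrowed.
Backup-RecoveryPasswordToAad
```

Run it in an elevated session on the device being enrolled. To confirm the escrow independently of the script's return value, check the Microsoft-Windows-BitLocker/BitLocker Management event log for a successful backup event after the call, and verify that the recovery key appears on the device's page in the Azure AD (Entra ID) portal.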