Windows 11 BitLocker isn't offering to save external drive BitLocker keys to Azure AD for global admin, only for internal drives

Matthew Filler 0 Reputation points
2024-03-24T18:27:48.7866667+00:00

Windows 11 BitLocker isn't offering to save external drive BitLocker keys to the Azure Key Vault for a Global Admin with Entra Admin, but it does save it for internal drives. The PCs are joined to the Azure AD Domain and for internal drives BitLocker Manager offers to backup keys to Azure AD. On two different PCs, it doesn't offer that for external drives, either before or after encrypting. One is a smaller 232GB HDD and the other is a large SCSI hard drive with 18TB. When I tried on the encrypted drive to use:

BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorId

I get:

BackupToAAD-BitLockerKeyProtector : Cannot validate argument on parameter 'KeyProtectorId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

When I change $env:SystemDrive to "G:", I get:

BackupToAAD-BitLockerKeyProtector : BitLocker Drive Encryption is not enabled on this drive. Turn on BitLocker. (Exception from HRESULT: 0x80310008)

But BitLocker Manager already shows as turned on for that drive.

I set up some policies in Intune related to this, but I am not ready to go all the way to set up to Silently Enable BitLocker Encryption, as I need to control when BitLocker is running as we move from tryout towards encrypting everything. The policies didn't make any difference.
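The following is an added example, not code from the question or from Microsoft: it walks every BitLocker volume on the machine (OS and data volumes alike), reports any volume whose status or protection state is not ready for escrow instead of calling the backup cmdlet on it, adds a numerical RecoveryPassword protector where none exists (the null KeyProtectorId in the first error above means the filter found no such protector), and only then calls BackupToAAD-BitLockerKeyProtector. It assumes an elevated session on an Entra-joined (Azure AD-joined) device and uses only cmdlets from the built-in BitLocker module; the function name and parameter are my own.

```powershell
# Added example (not from the original question): enumerate every BitLocker
# volume, make sure each one carries a RecoveryPassword protector, and back
# that protector up to Entra ID (Azure AD). Assumes the device is Entra-joined
# and the session is elevated; all cmdlets come from the BitLocker module.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Backup-AllBitLockerRecoveryKeysToAAD {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only volumes in one of these states are escrowed; anything else
        # (still encrypting, decrypted, protection suspended) is reported and skipped.
        [string[]]$EligibleVolumeStatus = @('FullyEncrypted')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint

        if ($vol.VolumeStatus -notin $EligibleVolumeStatus -or $vol.ProtectionStatus -ne 'On') {
            Write-Warning ("{0}: VolumeStatus={1}, ProtectionStatus={2} - skipped" -f `
                $mp, $vol.VolumeStatus, $vol.ProtectionStatus)
            continue
        }

        # Find the numerical recovery password protector(s); this is the value
        # that ends up under the device object in Entra ID.
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

        if (-not $rp) {
            # Nothing to escrow yet: add a recovery password protector first.
            if ($PSCmdlet.ShouldProcess($mp, 'Add RecoveryPassword protector')) {
                Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
                $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                      Where-Object KeyProtectorType -eq 'RecoveryPassword'
            }
        }

        foreach ($p in $rp) {
            if ($PSCmdlet.ShouldProcess($mp, "Back up protector $($p.KeyProtectorId) to Entra ID")) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
                [pscustomobject]@{
                    MountPoint     = $mp
                    VolumeType     = $vol.VolumeType   # OperatingSystem or Data
                    KeyProtectorId = $p.KeyProtectorId
                    BackedUp       = $true
                }
            }
        }
    }
}

# Dry run first to see which volumes would be touched, then the real run.
Backup-AllBitLockerRecoveryKeysToAAD -WhatIf
Backup-AllBitLockerRecoveryKeysToAAD
```

Running the -WhatIf pass first shows which mount points (including a data volume such as G:) are skipped because their VolumeStatus or ProtectionStatus is not ready, which is cheaper to read than the 0x80310008 HRESULT the backup cmdlet raises when a volume does not qualify. Verify the result on the Entra side by checking the device's BitLocker keys in the Entra admin center rather than trusting the local return value alone.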
