Enable BitLocker (TpmPIN) and store recovery key in ADDS using PS script executed during Autopilot (Hybrid Azure AD join)

Bojan Zivkovic 441 Reputation points
2021-06-03T15:50:20.84+00:00

Hi, is it doable to execute a PS script which enables BitLocker (TpmPIN) and stores the recovery key in ADDS during Autopilot (Hybrid Azure AD join)? If so, what needs to be done? Asking this because Autopilot at the moment is not natively capable of silently encrypting the OS drive with a PIN. Ideally I would like to store the recovery key in both ADDS and AAD, if that is even possible using a PS script.

If there is some MS-supported way of encrypting with BitLocker (TpmPIN) and storing the recovery key in both AD on-prem and Azure AD during Autopilot (Hybrid Azure AD join scenario), that would be awesome.

Thank you in advance.

Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.

2 answers

  1. Cici Wu-MSFT 1,176 Reputation points
    2021-06-04T07:14:01.937+00:00

    We have met a similar issue before; end users have also provided feedback in Intune UserVoice. You can try the PS script as mentioned and see if it persists.

    # Find the RecoveryPassword protector on the OS volume (these cmdlets are in
    # the built-in BitLocker module, so no extra import is needed)
    $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow that protector to on-premises AD DS, then to Azure AD
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    

    Here is the UserVoice link: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev


  2. Bojan Zivkovic 441 Reputation points
    2021-06-04T12:52:15.897+00:00

    What about encrypting drive during autopilot using something like:

    # Build the startup PIN as a SecureString ("1234" is only an example value)
    $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    # Encrypt used space on the OS volume with a TPM+PIN protector
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

    and adding the code you posted in the same script? If I am not mistaken, the script must be packaged as a Win32 app and deployed during Autopilot?
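    Combining the two snippets in this thread into one script, as an added example that is not part of the original answers, and with one gap closed: Enable-BitLocker with a TPM+PIN protector creates no recovery password, so the backup cmdlets have nothing to escrow unless a RecoveryPassword protector is added first. Assumptions: the script runs elevated (for example as SYSTEM from a Win32 app), the device is domain joined with line of sight to a DC, BitLocker policy permits a TPM+PIN protector, and the initial PIN is passed in as the hypothetical parameter $InitialPin rather than hard-coded.

```powershell
# Added example (not code from the original thread). See the lead-in for assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$InitialPin   # must meet the minimum startup PIN length policy (6 digits by default)
)

$ErrorActionPreference = 'Stop'   # make cmdlet failures terminating so try/catch and exit codes work
$MountPoint = $env:SystemDrive

# 1. TPM+PIN needs a ready TPM; stop early rather than leave a half-configured volume.
if (-not (Get-Tpm).TpmReady) {
    throw "TPM is not ready; cannot enable BitLocker with TPM+PIN."
}

# 2. Enable encryption only when the OS volume is still fully decrypted (safe to re-run).
$Volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
    $Pin = ConvertTo-SecureString -String $InitialPin -AsPlainText -Force
    # XtsAes256 is used here; the Aes256 value from the post above also works.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -Pin $Pin -TpmAndPinProtector -SkipHardwareTest
}

# 3. A TPM+PIN protector alone gives the backup cmdlets nothing to escrow,
#    so make sure a RecoveryPassword protector exists before backing up.
$Recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $Recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $Recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# 4. Escrow every recovery password to AD DS and to Azure AD. The Azure AD
#    backup can fail while hybrid join is still completing, so surface that
#    with a non-zero exit code instead of silently continuing.
foreach ($Protector in $Recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protector.KeyProtectorId
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protector.KeyProtectorId
    } catch {
        Write-Warning "Azure AD backup failed for protector $($Protector.KeyProtectorId): $_"
        exit 1   # non-zero so the deploying tool reports failure and can retry
    }
}
```

    After deployment, verify escrow with `manage-bde -protectors -get C:` on the device and by checking the computer object's msFVE-RecoveryInformation child in AD DS.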
