Invoke-EscrowBitlockerToAAD.ps1 (83 lines (62 loc) · 2.53 KB)
<#
.SYNOPSIS
Escrow (Backup) the existing Bitlocker key protectors to Azure AD (Intune)
.DESCRIPTION
This script will verify the presence of existing recovery keys and have them escrowed (backed up) to Azure AD.
Great for switching away from MBAM on-prem to using Intune and Azure AD for Bitlocker key management.
.INPUTS
None
.NOTES
Version : 1.0
Author : Michael Mardahl
Twitter : @michael_mardahl
Blogging on : www.msendpointmgr.com
Creation Date : 11 January 2021
Purpose/Change: Initial script
License : MIT (Leave author credits)
.EXAMPLE
Execute script as SYSTEM or administrator
.\Invoke-EscrowBitlockerToAAD.ps1
.NOTES
If there is a policy mismatch, then you might get errors from the built-in cmdlet BackupToAAD-BitLockerKeyProtector.
So I have wrapped the cmdlet in a try/catch in order to suppress the error. This means that you will have to manually verify that the key was actually escrowed.
Check MSEndpointMgr.com for solutions to get reporting stats on this.
#>

#region declarations
$DriveLetter = $env:SystemDrive
#endregion declarations

#region functions
function Test-Bitlocker ($BitlockerDrive) {
    # Tests the drive for existing Bitlocker key protectors.
    # Get-BitLockerVolume returns a volume object even for an unencrypted drive,
    # so the KeyProtector collection is checked explicitly as well.
    try {
        $Volume = Get-BitLockerVolume -MountPoint $BitlockerDrive -ErrorAction Stop
    } catch {
        Write-Output "Bitlocker was not found protecting the $BitlockerDrive drive. Terminating script!"
        exit 0
    }
    if (-not $Volume.KeyProtector) {
        Write-Output "No Bitlocker key protectors exist on the $BitlockerDrive drive. Terminating script!"
        exit 0
    }
}

function Get-KeyProtectorId ($BitlockerDrive) {
    # Fetches the RecoveryPassword key protector ID(s) of the drive.
    # Only recovery passwords can be escrowed; TPM protectors are skipped.
    $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
    $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    return $KeyProtector.KeyProtectorId
}

function Invoke-BitlockerEscrow ($BitlockerDrive,$BitlockerKey) {
    # Escrow the key(s) into Azure AD.
    # A drive with no RecoveryPassword protector has nothing to escrow; report that
    # as a failure instead of silently exiting 0 with an empty loop.
    if (-not $BitlockerKey) {
        Write-Error "No RecoveryPassword key protector found on the $BitlockerDrive drive - nothing to escrow!"
        exit 1
    }
    foreach ($Key in $BitlockerKey) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $Key #-ErrorAction SilentlyContinue
            Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
        } catch {
            Write-Error "This should never have happened? Debug me!"
            exit 1
        }
    }
    exit 0
}
#endregion functions

#region execute
Test-Bitlocker -BitlockerDrive $DriveLetter
$KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId
#endregion execute
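The .NOTES above say the escrow result has to be verified by hand because the cmdlet's errors are suppressed. The following is an added example, not part of the original script, of doing that verification from the device's own BitLocker operational log. It assumes (my assumption, not stated on the page) that the `Microsoft-Windows-BitLocker/BitLocker Management` log records a successful backup of recovery information to Azure AD as event ID 845 and a failed one as event ID 846, and that the event message names the volume (for example "volume C:"); the function name `Test-BitlockerEscrowEvents` and its parameters are mine.

```powershell
# Added verification example (not from the original Invoke-EscrowBitlockerToAAD.ps1).
# Assumption: event 845 = recovery info backed up to Azure AD successfully,
#             event 846 = backup to Azure AD failed,
# both in the 'Microsoft-Windows-BitLocker/BitLocker Management' log.
function Test-BitlockerEscrowEvents {
    param(
        [string]$MountPoint   = $env:SystemDrive,   # drive the escrow script ran against
        [int]$MaxAgeMinutes   = 60                  # only look at recent events
    )

    $Filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    }

    # Get-WinEvent raises a terminating error when nothing matches the filter;
    # treat "no events at all" as "not verified" rather than as a crash.
    try {
        $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        $Events = @()
    }

    # Keep only events that mention the volume we escrowed (e.g. "volume C:").
    $ForVolume = $Events | Where-Object { $_.Message -match [regex]::Escape($MountPoint) }
    $Success   = $ForVolume | Where-Object Id -eq 845
    $Failure   = $ForVolume | Where-Object Id -eq 846

    [pscustomobject]@{
        MountPoint   = $MountPoint
        Escrowed     = [bool]$Success
        SuccessCount = @($Success).Count
        FailureCount = @($Failure).Count
        LastMessage  = ($ForVolume | Sort-Object TimeCreated -Descending | Select-Object -First 1).Message
    }
}

# Usage: run on the same device after Invoke-EscrowBitlockerToAAD.ps1 has finished.
# Exit code 1 makes the result usable as an Intune remediation/detection script.
$Result = Test-BitlockerEscrowEvents -MountPoint $env:SystemDrive
$Result | Format-List
if (-not $Result.Escrowed) {
    Write-Warning "No successful Azure AD escrow event found for $($Result.MountPoint) in the last $($Result.SuccessCount + 0 + 60) minutes window."
    exit 1
}
exit 0
```

A non-zero FailureCount alongside Escrowed = $false is the signature of the policy mismatch the script's .NOTES warn about: the cmdlet ran, the catch swallowed nothing, and the device logged a failed backup. Checking the event log this way gives you a per-device answer without waiting for the Intune reporting cycle; it does not replace checking that the key is visible in the Azure AD device object, which is the authoritative record.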