Store Bitlocker Keys in Azure AD

Without needing InstantGo

Posted by Jan Van Meirvenne on December 20, 2016

The Azure AD Device Join is a beautiful feature allowing the secure integration of personal devices into the corporate network.

During the join-process, the device’s volumes are automatically encrypted and the recovery information is stored in Azure AD.

However, this is only the case if the device supports “InstantGo”, which is rare (currently only Surface Pro 3+).

Of course it is possible to Bitlocker the volumes and store the info in AAD manually, but this last action is only exposed through a GUI.

I used Fiddler to find out which communication occurs with AAD when this button is pressed, and found out that it is a rather easy proces to wrap in a PowerShell script.

I put this script in the Powershell Gallery. It enables TPM- and RecoveryPassword-based Bitlocker encrypton on the OS disk, and then uploads the information to Azure AD. Your device needs to be joined, and the script has to be run as an admin.

You can wrap this script in an executable so that it can be deployed through Intune or another MDM to allow for a smooth end-user experience!

Usage:

<# When the OSDrive-parameter is omitted, the SystemDrive environment variable is used #>
Enable-AADBitlocker.ps1 [-OSDrive C:]