Tuesday, April 16, 2024

Intune - Detection and Remediation scripts for BitLocker key escrow to Entra-AD (Azure AD / AAD)

The following detection and remediation scripts should fix 99% of all escrowing problems.  The biggest surprise item that I found in working with my client trying to remediate escrow problems was that if there was more than one Password Protector key the escrow would fail.  The remediation takes care of that issue (along with others).

Detection Script:

<#
.DESCRIPTION
    Intune detection script: checks whether a BitLocker recovery password for the OS drive
    was escrowed to Azure AD (Microsoft Entra ID) within the last 7 days, using event ID 845
    in the Microsoft-Windows-BitLocker/BitLocker Management log.
    Exit 0 = compliant (no remediation), exit 1 = non-compliant (remediation script runs).
.EXAMPLE
    PowerShell.exe -ExecutionPolicy ByPass -File <ScriptName>.ps1
.NOTES
    VERSION     AUTHOR              CHANGE
    1.0         Mark Randol         Initial script creation
#>

# Look for event 845 ("... was backed up successfully to your Azure AD") over the last 7 days.
# Filtering on Id inside the hashtable is cheaper than pulling the whole log and filtering in Where-Object.
# -ErrorAction SilentlyContinue: Get-WinEvent writes a non-terminating error (not an exception) when
# nothing matches, so without it $Events is still $null but the error text lands in the script output.
# If a later OS build changes the event wording, adjust the regex below.
try {
    $Events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'was backed up successfully to your Azure AD' }

    # Count the event objects themselves. Do not pipe through Format-Table first: that emits
    # formatting objects, so Measure-Object would count those instead of matching events.
    $Count = ($Events | Measure-Object).Count
    if ($Count -ge 1) {
        Write-Output "BitLocker Recovery Key escrow to Azure AD succeeded = Compliant"
        exit 0
    }
    else {
        # No escrow event in the window: mark 'Non Compliant' so the remediation script runs.
        Write-Output "BitLocker Escrow Event Missing = Non Compliant"
        exit 1
    }
}
catch {
    Write-Output "An error occurred = Non Compliant: $($_.Exception.Message)"
    exit 1
}

Two caveats on the detection logic. It only proves that an escrow event was logged locally in the last 7 days, not that the key is present in Azure AD today; the authoritative place to confirm that is the device's BitLocker keys page in the Microsoft Entra admin center. And because the window is 7 days, every device whose last escrow is older than that is reported non-compliant and re-escrowed on the next run, which is harmless (the same protector is backed up again) but means the compliance figure reflects recent escrow activity rather than escrow state.

Remediation Script:
<#
.DESCRIPTION
    Intune remediation script: ensures the OS drive has exactly one RecoveryPassword key protector,
    escrows it to Azure AD (Microsoft Entra ID) and verifies the escrow via event ID 845.
    Removing a protector invalidates that recovery password everywhere it may have been saved
    (on-prem AD, a printout, a file); only the remaining protector is re-escrowed.
.EXAMPLE
    PowerShell.exe -ExecutionPolicy ByPass -File <ScriptName>.ps1
.NOTES
    VERSION     AUTHOR              CHANGE
    1.0         Mark Randol         Initial script creation
#>
$MountPoint = 'C:'
$LogName    = 'Microsoft-Windows-BitLocker/BitLocker Management'

function Get-RecoveryPasswordProtectors {
    # Always return an array so .Count and indexing behave with 0, 1 or many protectors.
    @((Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

function Get-EscrowEventCount ([datetime]$Since) {
    # Count event 845 entries since $Since. Get-WinEvent writes a non-terminating error when nothing
    # matches, so suppress it and count whatever comes back.
    @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'was backed up successfully to your Azure AD' }).Count
}

try {
    $KeyRemoved = $false
    $Protectors = Get-RecoveryPasswordProtectors
    Write-Output "There are $($Protectors.Count) RecoveryPassword key protectors on $MountPoint."

    # No recovery password at all: nothing to escrow, so add one. (A remove-until-one loop never
    # terminates in this case, because removing protectors can never bring the count up to 1.)
    if ($Protectors.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        Write-Output 'No RecoveryPassword protector existed; one was added.'
        $KeyRemoved = $true   # force a fresh escrow below
        $Protectors = Get-RecoveryPasswordProtectors
    }

    # More than one recovery password: BackupToAAD-BitLockerKeyProtector takes a single -KeyProtectorId,
    # so remove the extras (keeping the first) until exactly one remains.
    while ($Protectors.Count -gt 1) {
        Write-Output 'More than one Password Protector key exists'
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protectors[1].KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output 'Extra Recovery Password Protector Removed'
        $KeyRemoved = $true
        $Protectors = Get-RecoveryPasswordProtectors
    }

    # Use the same 7-day window as the detection script. A longer window here (the first version used
    # 45 days) lets a device that detection flagged (no event in 7 days) be skipped by remediation
    # (event within 45 days), so it never gets re-escrowed and stays non-compliant.
    if (-not $KeyRemoved -and (Get-EscrowEventCount -Since (Get-Date).AddDays(-7)) -ge 1) {
        Write-Output 'BitLocker Recovery Password Protector Key was already escrowed in Azure AD.'
        exit 0
    }

    # Exactly one protector now, so KeyProtectorId is a single string. The device must be Azure AD
    # joined or hybrid joined for this cmdlet to succeed.
    $Started = (Get-Date).AddMinutes(-1)   # small skew margin between our clock and event TimeCreated
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protectors[0].KeyProtectorId -ErrorAction Stop | Out-Null

    # Do not report success on the cmdlet returning alone: confirm that event 845 was written.
    $Verified = $false
    for ($i = 0; $i -lt 12 -and -not $Verified; $i++) {
        Start-Sleep -Seconds 5
        $Verified = (Get-EscrowEventCount -Since $Started) -ge 1
    }
    if (-not $Verified) { throw 'BackupToAAD returned but no event 845 was logged within 60 seconds.' }
    Write-Output 'BitLocker Recovery Key escrow to Azure AD succeeded'
    exit 0
}
catch {
    Write-Output "An error occurred: $($_.Exception.Message)"
    exit 1
}
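
Before deploying the remediation, which deletes key protectors, it is worth running a read-only audit on a few pilot devices. The script below is an added example, not code from the original post: for every BitLocker volume it reports how many RecoveryPassword protectors exist and what the remediation would do to them, lists the event 845 entries in the detection window, and checks the device join state, since BackupToAAD-BitLockerKeyProtector has nowhere to escrow to on a device that is neither Azure AD joined nor hybrid joined. Two assumptions not taken from the page: that dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : YES" lines, and that the 845 event text still contains the "Azure AD" wording the detection script matches.

```powershell
<#
Read-only audit of the conditions the detection and remediation scripts act on.
Added example, not part of the original post. Run elevated on pilot devices; it changes nothing.
Assumptions (not from the original post): 'dsregcmd /status' output contains
'AzureAdJoined : YES' / 'DomainJoined : YES' lines, and event 845 text matches $Pattern.
#>
param(
    [int]$Days = 7   # window used by the detection script
)

$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$Pattern = 'was backed up successfully to your Azure AD'

function Get-JoinState {
    # Parse dsregcmd output. Azure AD (or hybrid) join is required for BackupToAAD to have a target.
    $text = (dsregcmd /status) -join "`n"
    [pscustomobject]@{
        AzureAdJoined = [bool]($text -match 'AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($text -match 'DomainJoined\s*:\s*YES')
    }
}

function Get-EscrowEvents ([int]$Days) {
    # Same query the detection script runs; wrapped in @() so .Count works when nothing matches.
    @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Message)
}

function Get-VolumeAudit {
    # One row per volume: protector inventory plus the action the remediation would take on it.
    foreach ($vol in Get-BitLockerVolume) {
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $action = switch ($rp.Count) {
            0       { 'ADD a RecoveryPassword protector, then escrow' }
            1       { 'escrow the single protector' }
            default { "REMOVE $($rp.Count - 1) protector(s) (those recovery passwords become invalid), then escrow" }
        }
        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            VolumeType            = $vol.VolumeType
            ProtectionStatus      = $vol.ProtectionStatus
            EncryptionPercentage  = $vol.EncryptionPercentage
            RecoveryPasswordCount = $rp.Count
            RecoveryPasswordIds   = ($rp.KeyProtectorId -join ', ')
            WouldDo               = $action
        }
    }
}

$join   = Get-JoinState
$events = Get-EscrowEvents -Days $Days
$vols   = Get-VolumeAudit

Write-Output "Join state: AzureAdJoined=$($join.AzureAdJoined) DomainJoined=$($join.DomainJoined)"
if (-not $join.AzureAdJoined) {
    Write-Output 'Device is not Azure AD / hybrid joined: BackupToAAD-BitLockerKeyProtector cannot succeed here.'
}
Write-Output "Event 845 entries in the last $Days day(s): $($events.Count)"
$events | ForEach-Object { Write-Output ("  {0:u}  {1}" -f $_.TimeCreated, ($_.Message -replace '\s+', ' ')) }
$vols | Format-Table -AutoSize

# The verdict the detection script would reach, without changing anything.
if ($events.Count -ge 1) { Write-Output 'Detection verdict: Compliant (exit 0)' }
else                     { Write-Output 'Detection verdict: Non Compliant (exit 1); remediation would run' }
```

Note that the remediation only touches C:; this audit lists every volume, so a data drive with several RecoveryPassword protectors shows up here even though the scripts above will leave it alone.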

