Backup Bitlocker Recovery Key with Intune PowerShell


This weeks blogpost is about the new PowerShell capabilities we get through the Intune Management Extension. This new capability is released in the latest Intune release from 2 weeks ago. With the ability to run PowerShell on MDM managed devices many scenarios are possible. The scenario I wanted to test is to add an additional Bitlocker Recovery key to the Bitlocker configuration. If you’ve applied an Intune Endpoint Protection policy this key is automatically saved into AzureAD. From the past I know that this is not easy because we need to run the scripts in an elevated PowerShell user session. But I accepted the challenge and I got it working. Credits also to my colleague David Omisi since he helped me developing the PowerShell script.

As I explained in my introduction configuring the Bitlocker part is not easy when doing it with PowerShell. Some of the cmdlets need to run in a elevated user session. When looking to the options we have with the Intune Management Extension we can run a PowerShell script in the system context or in the user context. It’s not possible to run a elevated script through this extension in the user context. A couple of months ago Pieter Wigleven has published a great blogpost using a scheduled task to enable and configure Bitlocker, you can find this blogpost here. I used the same idea to create this solution. Basically the solution consists of the following components:

  1. PowerShell script deployed from Intune which creates a script on the local workstation
  2. The same script creates a scheduled task which runs at user logon in an elevated user context
  3. The script which runs during the user logon checks if a recovery password is already added to the Bitlocker Configuration. If not it will add an Recovery Password Protector to the Bitlocker volume.

Because of my configured Intune Endpoint Protection policy this new key is automatically added to AzureAD. Let’s take a look how to configure this scenario within Intune:

  1. Go to the Azure Portal ( and go to the Intune section;
  2. Go to Device Configuration and then open the PowerShell scripts section;
  3. Download the script from my Github account and save it locally;
  4. Click on Add Script. Give the script a name and a description;
  5. Select the PowerShell script from the location where you saved it:
  6. Click on configure to select additional parameters. If you want to run a scrip in a users context you can configure this here. In this case we want to run the script in the system context so we don’t need to change the values:
  7. Click on Create and open the assignments section;
  8. Select the group of users to which you want to deploy this script. Currently it’s only possible to assign the scripts to user groups. Assignment to a group of devices will not work.
  9. Save the assignment and you’re done with the configuration!

Intune will now deploy the Intune Management Extension to the workstations of the users which are member of the group used in Step 8. After the deployment of the Management Extension the script will be downloaded and executed. The initial installation of the Intune Management Extension could take some time. In my tests the extension was installed within 60 minutes. Let’s take a look how this will work on the end-user his client:


As you can see in the next screenshot the Bitlocker configuration has only the TPM protector:


As soon as the script has run on the client you should see a Task added to the workstation:


On the next user logon the script should add the Recovery Password Protector:


Because of the Intune Endpoint Protection this key should also be added to AzureAD:


The script will also execute status information to the registry:


The values in this registry key represents the following statuses:

  • LastScriptRunTimeUTC: This value represents the latest run of the script;
  • NoActionTakenAtLastRun: If the script has not done anything due to the fact that the script was already executed this is value should be 1.
  • RecoveryPasswordCreated: When this value is 1 the script added a new Recovery Password Key Protector. When the value is 0 the script has not added an additional Recovery Password Protector.
  • RecoveryPasswordPresent: When this value is 0 there is no Recovery Password Key Protector in the Bitlocker configuration. If the value is 1 the Recovery Password Protector was present.

Note that above Status information only shows information of one Bitlocker volume. If you have multiple protected volumes the script will work but above status information will only reflect one volume.

As you can see we can use the PowerShell through the Intune Management Extension to configure Bitlocker on MDM devices. I want to end this blogpost with providing 2 locations where you can find status information about the Intune Management Extension:

  • Registry
  • Log File

Again thanks to my colleague David Omisi. One last note about this new PowerShell functionality:


6 thoughts on “Backup Bitlocker Recovery Key with Intune PowerShell

    • arjanvroege

      This version needs the Intune Endpoint Protection policy. In the next update it will support the scenario without the Intune Endpoint Protection policy.

      Regards, Arjan

  1. Kevin Gu

    Hello Sir, is that possible for an IT admin to export all user’s BitLocker recovery key status – the key has been uploaded to AzureAD?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.