How to use cmdlet BackupToAAD-BitLockerKeyProtector for standard users?
When I run the PowerShell script to backup Bitlocker keys to Azure Ad on machines with Bitlocker already enabled, I get this error:
BackupToAAD-BitLockerKeyProtector : Exception from HRESULT: 0x801C0450
At line:1 char:1
+ BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyPr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector
I am able to get it to work only by signing into the machine as a domain admin, then connecting the user account under "Access work or school". I was able to get the script to work on my own machine, but I am a local admin. I have tried testing with putting the user as local admin, but the only way for the script to put the recovery key in Azure AD is to log in as domain admin and connect the user's account in "Access work or school".
Script is:
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Is there an easier/better way to accomplish this than connecting the user's account while a domain admin is logged in under "Access work or school"? Hybrid AD, on prem and Azure, don't have Intune/Endpoint Mgmt yet.
-
THE ROYAL EXPRESS TRAVELS 0 Reputation points
Point to be noted now I understand
-
Dan Persing 25 Reputation points
Always using elevated, have tried several admin accounts. Definitely permissions related as it works when using Admin By Request software to grant user 15 min admin access.
-
Limitless Technology 45,241 Reputation points
Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.
The BackupToAAD-BitLockerKeyProtector cmdlet is used to back up BitLocker recovery keys to Azure Active Directory. In order to use this cmdlet, the user must have the appropriate permissions. Standard users may not have sufficient permissions to use this cmdlet, but there are a few ways to grant them the necessary permissions:
- Elevated Command Prompt: Start an elevated command prompt as an administrator and run the BackupToAAD-BitLockerKeyProtector cmdlet from there.
- Run as Different User: Right-click on the Windows PowerShell or Command Prompt icon and select "Run as Different User." Then, enter the credentials of an account with administrative privileges.
- Delegated Permissions: If you want to allow standard users to run the BackupToAAD-BitLockerKeyProtector cmdlet, you can delegate the necessary permissions to them. To do this, you'll need to create a custom role in Azure AD and assign it to the users who need to run the cmdlet. The role will need to include the "Device management" permissions, such as "Manage devices."
Please note that the steps to delegate permissions may vary based on your Azure AD environment and the version of Windows you are using. You may want to consult Microsoft's documentation or an Azure AD expert for further guidance.
If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
-
laughey 51 Reputation points
Another WIN for Microsoft in the Cybersecurity space (sarcasm). I mean, Azure/Entra is so important, we better not let (trust) standard users to do the right thing and backup critical information such as BDERK.
We're not asking the user to format the hard drive. We're not asking the user to create a recovery key. We're asking the user backup their recovery key.
Can anyone, and by anyone, I mean anyone in Microsoftville, make this make sense?
-
Hello,
Can someone tell me why the option to back up in AAD is missing? The user is a local administrator and authenticated with "Access work or school".
Other users do have the option to save in AAD, it only happens in 3 of them.
When I try to run the script described above I get the following error:
BackupToAAD-BitLockerKeyProtector : Excepción de HRESULT: 0x801C0450
En línea: 1 Carácter: 1
+ BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyPr ...
Thanks for your support!
-
Akshay Kaushik 18,026 Reputation points • Microsoft Employee • Moderator
These policies need device admin rights. Since the devices are Azure AD joined, I would recommend assigning the Azure AD Joined Device Local Administrator role to the users and then running the script as admin without logging onto the device with domain admin credentials.
Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory.
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
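As an added example (not code from the thread or from Microsoft), the following script wraps the poster's one-liner with the checks this answer implies: it refuses to run unless the session is elevated and the device is Azure AD joined, escrows each RecoveryPassword protector by its own id, and names the 0x801C0450 COMException from the question instead of surfacing a bare HRESULT. The helper names and the dsregcmd output pattern are assumptions of this example.

```powershell
# Added example, not code from the thread: escrow every RecoveryPassword protector
# on the OS drive to Azure AD after checking the conditions the answer above names
# (elevated local admin on an Azure AD joined device).
#Requires -Modules BitLocker

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on a joined device (pattern assumed here)
    return [bool](dsregcmd /status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
}

function Backup-RecoveryPasswordsToAAD {
    param([string]$MountPoint = $env:SystemDrive)

    if (-not (Test-IsElevated))    { throw 'Run from an elevated session (local administrator).' }
    if (-not (Test-AzureAdJoined)) { throw 'Device is not Azure AD joined; nothing to escrow to.' }

    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    # Only RecoveryPassword protectors can be escrowed; TPM protectors are skipped.
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No RecoveryPassword protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
    }

    # Back each protector up by its own id: a volume can carry more than one, and the
    # cmdlet takes a single KeyProtectorId, not the array the one-liner would pass then.
    foreach ($kp in $recovery) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "Escrowed $($kp.KeyProtectorId) to Azure AD."
        }
        catch {
            # HResult is a signed Int32, so compare its hex form rather than the literal 0x801C0450
            $hex = '{0:X8}' -f $_.Exception.HResult
            if ($hex -eq '801C0450') {
                Write-Warning "Backup of $($kp.KeyProtectorId) failed with 0x801C0450 (the permissions failure from this thread); verify local admin membership and the device's join state."
            } else {
                Write-Warning "Backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
            }
        }
    }
}

Backup-RecoveryPasswordsToAAD
```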
-
Akshay Kaushik 18,026 Reputation points • Microsoft Employee • Moderator
Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need, please "Accept the answer" and "share your feedback (Yes/No)". This will help us and others in the community as well.
Thanks,
Akshay Kaushik