Intune Get a list of devices without a Bitlocker key registered on Intune

If you have been migrating from a local MBAM to Intune the easy way, by running a script on the client to get the bitlocker recovery key escrowed to Intune, you will need a way to check if all the devices have the key stored on Intune so you can safely decommission MBAM.

Here is a small script that gets you a csv file with what you need.

You will need to install Microsoft Graph Powershell before running and decide where you will store the output file in the first line of the script.

Connect-MgGraph -scopes "BitLockerKey.ReadBasic.All", "DeviceManagementManagedDevices.Read.All"
Select-MgProfile -Name v1.0

$BLRK=Get-MgInformationProtectionBitlockerRecoveryKey -All -Property "id, createdDateTime, deviceId" | Select-Object -Property id, createdDateTime, deviceId
$DEV=Get-MgDeviceManagementManagedDevice -All -Property "deviceName,id,azureADDeviceId" -Filter "operatingSystem eq 'Windows'" -ErrorAction Stop -ErrorVariable GraphError | Select-Object -Property deviceName, id, azureADDeviceId
$NBLRKD=$DEV | Where-Object { $PSItem.azureADDeviceId -notin $BLRK.deviceId }

$NBLRKD | Export-Csv -Path $outfile

Write-Output "The devices without a Bitlocker Recovery Key are here" $outfile


Use at your own risk 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *