Cannot save Bitlocker keys to Azure AD

Matt Pollock 241 Reputation points

I recently enrolled my Win 11 machine in Intune as part of a pilot between SCCM and Intune.

The Intune encryption policy worked and encrypted the pc drives, however I noted that the back up of the recovery keys is failing with an "access denied" error in the event log.


If I attempt to back up the keys manually this also fails.

If I run the BackupToAAD-BitLockerKeyProtector cmdlet using Powershell as and admin, then this works.

So my question is how do you allow non admin accounts to backup recovery keys automatically?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,599 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,156 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
3,679 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,523 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Caleb-MSFT 6 Reputation points

    @Matt Pollock , Thanks for posting in our Q&A. From your description, I know that you have deployed encryption policy via Intune and successfully encrypted the device, but when backing up the recovery key, you get an error of access is denied was received. You try to run cmdlet using PowerShell as and admin and it worked, you want to know if there is any way to back up the recovery key automatically and not require admin rights. If there's any misunderstanding, feel free to let us know.

    Based on my experience, recovery key can also be saved to Azure AD when we silently enable BitLocker which is for standard user (non-admin user) For our issue, could you firstly confirm if we have configured silently enable BitLocker in the following link?

    Meanwhile, when a TPM startup PIN or startup key is required on a device, BitLocker can't silently enable on the device and instead requires interaction from the end user. Please ensure it is not set. And also check if the device meets the prerequisites.

    After researching, I find there’s a known issue with the similar error as yours. Please check if you have other errors existing as well. If yes, try to install the latest update to see if the issue is fixed.

    Please check the above information and if there’s any update, feel free to let us know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Limitless Technology 43,226 Reputation points


    Normally, Domain admins will already have access to view the recovery keys but any other user will not have permissions to view the protected recovery keys. This permission has to be delegated down through the ‘Delegate Access’ wizard found in ‘AD User and Computers’. To do this follow the below:

    1.Log into AD Users and Computers
    2.Make a new Security group called “Bitlocker-Recovery-Admins”
    3.Add the relevant users to the group
    4.Navigate to the OU where you want to start the delegation. (The computers must sit in a OU below from starting the delegation)
    5.Right-click on the OU and select ‘Delegate Control’
    6.In the ‘Users or Groups’ step enter the newly created ‘Bitlocker-Recovery-Admins’
    7.In the ‘Tasks to Delegate’ select ‘Create a custom task to delegate’
    8.In the Active Directory Object Type dialog, select Only the following objects in the folder.
    9.In the list select msFVE-RecoveryInformation objects and click Next
    10.For permissions set as ‘Full Control’ and select finish

    Now any user in our security group will be able to view the Bitlocker recovery keys.

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments