Bitlocker key not showing in Entra ID after encrypting devices.

Ranjit Singh 40 Reputation points
2024-04-09T01:46:43.9933333+00:00

I have deployed BitLocker encryption via an Intune Windows Encryption configuration profile. Encryption worked fine and the drive is fully encrypted. But the issue is that there is no recovery key backed up in Entra ID or Intune. If I turn on the setting "Store recovery information in Microsoft Entra ID before enabling BitLocker", then encryption doesn't even start. However, other settings are still on, such as "Save BitLocker recovery information to Microsoft Entra ID", but there is no recovery key saved.

I have checked event logs and followed everything related to known issues, but nothing resolved it. Has anyone else experienced this issue and found a solution yet? Below are my policy settings:



1 answer

  1. Hania Lian 8,121 Reputation points Microsoft Vendor
    2024-04-10T07:22:15.0733333+00:00

    Hello,

    It seems like you’re having an issue with Bitlocker recovery keys not being backed up in Azure AD or Intune. Below are some steps you could try to check:

    Check the Device Configuration: If the encryption profile was successfully applied, it must be listed under the Device configuration. You can check this on the Intune or Azure portal by navigating to Devices > All devices > (Select the affected device) > Device Configuration.

    Check the user who enrolled the device: The BitLocker key is stored in the profile of the user who enrolled the device in Azure AD. Make sure that you’re checking the correct user profile.

    Ensure device Compliance: Another potential issue could be that the device is not compliant. Hence, the configuration may not have been applied successfully. Check the compliance status of the device on the Intune portal.

    Verify your BitLocker settings: In the endpoint protection profile settings, make sure to set “Save BitLocker recovery information to AD DS” to “Require”. Also, confirm that the “BitLocker base settings” include “OS drive recovery” set to “Require”.

    Update/Re-enroll the device: Sometimes, the issue could be due to the device enrollment process. You may want to try removing the device from Azure AD and Intune, then re-enroll it.

    Check if the keys are backed up in Azure AD: Go to the Azure portal > Azure Active Directory > Devices > All devices > (select your device). Under the ‘Device’ section, the BitLocker key should be listed.

    Best Regards,

    Hania Lian

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

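Added example (not from the question or the answer above): a local check that complements the portal steps in the answer. Run it in an elevated PowerShell session on the affected device; it uses the built-in BitLocker module to confirm each volume has a recovery-password protector, escrows it to the tenant the device is joined to, and then reads the BitLocker Management event log for the backup result. The volume status text and event IDs 845 (backup succeeded) and 846 (backup failed) are standard Windows values; nothing here is specific to the poster's tenant.

```powershell
# Added example: verify and trigger BitLocker recovery-key escrow to Entra ID,
# then confirm the outcome in the event log. Requires an elevated session.
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    $mount = $vol.MountPoint
    Write-Host "Volume $mount : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"

    # Only a RecoveryPassword (numerical password) protector is escrowed to
    # Entra ID. If the volume has none, there is nothing for the policy to back up.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$mount has no RecoveryPassword protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # The KeyProtectorId GUID is what the Entra ID device page lists as the
        # BitLocker key ID, so note it to match against the portal later.
        Write-Host "  Escrowing protector $($p.KeyProtectorId) to Entra ID"
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }
}

# Event 845 = recovery information backed up to Entra ID successfully,
# Event 846 = backup failed (the Message field carries the error code).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

If 846 events appear, the error code in the message (for example an authentication or network failure) narrows the cause far faster than re-enrolling; a successful 845 followed by an empty portal entry usually means the wrong device object or user is being checked, as the answer notes.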