How can I upload or update the values of the BitLocker recovery keys into Entra ID or Intune?

EnterpriseArchitect 5,406 Reputation points
2024-07-22T05:59:30.5633333+00:00

I have most of my computers encrypted by BitLocker using the AD Group Policy settings.

I have now configured Hybrid Entra ID join and Intune-enrolled all of my workstations; however, I still cannot see the recovery keys under

Entra ID: https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/recoveryKeys/menuId/recoveryKeys

Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Devices/DeviceSettingsMenuBlade/

My Account: https://myaccount.microsoft.com/device-list

What are the steps I must take to register or update them all?


Accepted answer
  1. Raja Pothuraju 7,135 Reputation points Microsoft Vendor
    2024-07-25T16:10:50.6633333+00:00

    Hello @EnterpriseArchitect,

    Thank you for posting your query on Microsoft Q&A.

    As you mentioned, I see you are unable to see the BitLocker recovery keys under the Entra ID, Intune and My Account blades, and you are looking for steps to achieve that with a PowerShell script in Intune.

    To set this up in Intune, follow the steps below.

    1. Sign in to the Microsoft Intune admin center portal.
    2. Browse to Devices > Windows > Scripts and remediations > Platform scripts.
    3. Click on Add.
    4. Give a Name.
    5. Select the script.
    6. Set "Run this script using the logged on credentials" to No.
    7. Set "Enforce script signature check" to No.
    8. Set "Run script in 64 bit PowerShell Host" to Yes.
    9. Deploy to the user/device-based group.

    Once the script executes, the devices should escrow the recovery key to AAD almost immediately. You can check under Devices > Windows > Recovery keys, or AAD > Devices.

    Please find the PowerShell script below to upload in Intune Portal.

    try {
        # Look at the OS volume only and find its recovery password protector;
        # this is the protector whose 48-digit password is escrowed to Entra ID.
        $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $KPID = ""
        foreach ($KP in $BitlockerVol.KeyProtector) {
            if ($KP.KeyProtectorType -eq "RecoveryPassword") {
                $KPID = $KP.KeyProtectorId
                break
            }
        }
        # A volume with no recovery password protector cannot be escrowed;
        # throwing here lands in the catch block below and reports failure.
        if ([string]::IsNullOrEmpty($KPID)) {
            throw "No RecoveryPassword key protector found on $($env:SystemDrive)"
        }
        # Escrow the protector to Entra ID (the cmdlet throws on failure).
        $output = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KPID
        return $true
    }
    catch {
        Write-Output $_.Exception.Message
        return $false
    }


    Reference:

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/operations-guide?tabs=powershell

    https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful?". And, if you have any further query, do let us know.

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.
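The accepted answer's script escrows only the OS volume and assumes a recovery password protector already exists. As an added example, not part of the answer above, the following Intune platform script extends that to every protected volume, adds a recovery password protector to volumes that lack one (for example TPM-only volumes), and returns a non-zero exit code so Intune reports failures. It assumes the `dsregcmd /status` output contains the line `AzureAdJoined : YES` on Entra-joined or hybrid-joined devices.

```powershell
# Added example (not the answer's own script): escrow the BitLocker recovery
# password of every protected volume to Entra ID, creating a recovery password
# protector first where none exists. Intended as an Intune platform script
# (run as SYSTEM, 64-bit). Exit code 0 = all volumes escrowed, 1 = a failure.
$ErrorActionPreference = 'Stop'
$failed = 0

# Escrow only works on a device that is Entra joined or hybrid joined;
# dsregcmd prints "AzureAdJoined : YES" in that case (assumed output format).
$dsreg = (& dsregcmd.exe /status) -join "`n"
if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') {
    Write-Output 'Device is not Entra joined or hybrid joined; nothing to escrow.'
    exit 1
}

foreach ($vol in Get-BitLockerVolume) {
    # Skip volumes that are not protected; there is no key to escrow.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Output "$($vol.MountPoint): protection is $($vol.ProtectionStatus), skipping."
        continue
    }
    try {
        $rp = $vol.KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword' |
              Select-Object -First 1
        if (-not $rp) {
            # A TPM-only volume has no recovery password; add one so it can be escrowed.
            Write-Output "$($vol.MountPoint): no recovery password protector, adding one."
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp = $vol.KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                  Select-Object -First 1
        }
        # One call per protector ID; the cmdlet throws if escrow fails.
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Output "$($vol.MountPoint): escrowed protector $($rp.KeyProtectorId) to Entra ID."
    }
    catch {
        Write-Output "$($vol.MountPoint): escrow failed: $($_.Exception.Message)"
        $failed++
    }
}

exit ([int]($failed -gt 0))
```

To confirm escrow on a device without opening the portal, check the Microsoft-Windows-BitLocker-API/Management event log: a successful backup to Entra ID is logged as event ID 845 and a failure as event ID 846.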

2 additional answers

  1. Rahul Jindal [MVP] 10,196 Reputation points MVP
    2024-07-22T13:28:38.48+00:00

    Well, for forcing the backup in Entra ID, you can refer to this link - https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html

    However, as suggested earlier, move the management of BitLocker to Intune. This official document is a good place to start - https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

    1 person found this answer helpful.

  2. Rahul Jindal [MVP] 10,196 Reputation points MVP
    2024-07-22T06:49:26.64+00:00

    Do your BitLocker policies allow escrowing of recovery keys in Entra? This is what I would do - move your BitLocker management policies to Intune, which will force the backing up of the keys in Entra. You can also use a script to force the backup.

