How can I upload or update the values of the Bitlocker Recovery keys into Entra ID or Intune?

EnterpriseArchitect 6,041 Reputation points
2024-07-22T05:59:30.5633333+00:00

I have most of my computers encrypted by Bitlocker by using the AD Group Policy settings.

I have now configured Hybrid Entra ID and Intune-enrolled all of my workstations; however, I still cannot see the Recovery keys under

Entra ID: https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/recoveryKeys/menuId/recoveryKeys

Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Devices/DeviceSettingsMenuBlade/

My Account: https://myaccount.microsoft.com/device-list

What are the steps I must take to register or update them all?

Microsoft Security Intune Security
Microsoft Security Intune Configuration
Microsoft Security Intune Enrollment
Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Intune Other

Accepted answer
  1. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-07-25T16:10:50.6633333+00:00

    Hello @EnterpriseArchitect,

    Thank you for posting your query on Microsoft Q&A.

    As you mentioned, I see you are unable to see the BitLocker Recovery keys under the Entra ID, Intune and My Account blades, and you are looking for steps to achieve that with a PowerShell script in Intune.

    To set this up in Intune, follow the steps below.

    1. Sign in to the Microsoft Intune admin center portal.
    2. Browse to Devices – Windows – Scripts and Remediations – Platform Scripts.
    3. Click on Add.
    4. Give the script a name.
    5. Select the script file.
    6. Set "Run this script using the logged on credentials" to No.
    7. Set "Enforce script signature check" to No.
    8. Set "Run script in 64 bit PowerShell Host" to Yes.
    9. Deploy to the user- or device-based group.

    Once the script executes, the devices should escrow the recovery key to AAD almost immediately. You can check under Devices -> Windows -> Recovery Keys, or AAD -> Devices.

    Please find the PowerShell script below to upload in Intune Portal.

    try {
        # Locate the numerical (48-digit) recovery password protector on the OS drive
        $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $KPID = ""
        foreach ($KP in $BitlockerVol.KeyProtector) {
            if ($KP.KeyProtectorType -eq "RecoveryPassword") {
                $KPID = $KP.KeyProtectorId
                break
            }
        }
        if ($KPID -eq "") {
            throw "No RecoveryPassword protector found on $($env:SystemDrive)"
        }
        # Escrow that protector to Entra ID; -ErrorAction Stop turns a failure into a terminating error so it reaches the catch block
        $output = BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $KPID -ErrorAction Stop
        Write-Output "Escrowed protector $KPID from $($env:SystemDrive)"
        exit 0
    }
    catch {
        # A non-zero exit code is what makes Intune report the script run as failed
        Write-Error $_
        exit 1
    }


    Reference:

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/operations-guide?tabs=powershell

    https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.
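An expanded version of that escrow script, added here as an example; it is not part of the accepted answer or of Microsoft's documentation. It assumes the same Intune platform script settings as the steps above (SYSTEM context, 64-bit host) on an Entra joined or hybrid joined device, and adds the checks a practitioner wants before trusting the result: it refuses to run on a device that is not Entra joined, walks every protected volume rather than only the OS drive, adds a recovery password protector where none exists, escrows each one with terminating errors so failures are caught, and then reads the BitLocker Management event log (IDs 845/846) to confirm what actually happened. Exit codes are set so Intune reports a failed escrow as a failed script. The dsregcmd output parsing and the ten-minute event-log window are my assumptions.

```powershell
# Added example (not from the original answer): escrow every BitLocker
# recovery password on this device to Entra ID and verify the result.
# Assumptions: runs as SYSTEM in 64-bit PowerShell (the Intune platform
# script settings above); the device is Entra joined or hybrid joined.
$ErrorActionPreference = 'Stop'

# 1. Refuse to run on a device that is not joined to Entra ID: BackupToAAD
#    cannot succeed there, and Intune should see that as a failure.
#    (Parsing dsregcmd's "AzureAdJoined : YES" line is an assumption.)
$dsreg = & dsregcmd.exe /status
if (-not ($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')) {
    Write-Error "Device is not Entra joined (dsregcmd AzureAdJoined != YES); nothing to escrow to."
    exit 1
}

$failed   = 0
$escrowed = @()

# 2. Walk every encrypted volume, not only the OS drive; BitLocker-protected
#    data volumes need their recovery passwords escrowed too.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $mp = $vol.MountPoint
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # 3. A volume without a numerical recovery password has nothing Entra can
    #    store; add one (the TPM and any other protectors stay in place).
    if (-not $rp) {
        Write-Output "${mp}: no RecoveryPassword protector, adding one"
        $rp = (Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # 4. Escrow each recovery password protector (a volume may carry several).
    foreach ($kp in $rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "${mp}: escrowed protector $($kp.KeyProtectorId)"
            $escrowed += $kp.KeyProtectorId
        }
        catch {
            Write-Error "${mp}: escrow of $($kp.KeyProtectorId) failed: $_"
            $failed++
        }
    }
}

# 5. Cross-check with the BitLocker Management log: event 845 is written for a
#    successful backup to Entra ID, 846 for a failed one. The ten-minute window
#    is an assumption; widen it if the run takes longer on your devices.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    Write-Output ("{0} event {1}: {2}" -f $e.TimeCreated, $e.Id, $e.Message.Split("`n")[0])
}

# Fail the run if any escrow failed or if nothing was escrowed at all.
if ($failed -gt 0 -or $escrowed.Count -eq 0) { exit 1 }
exit 0
```

Deploy it with the same platform script settings as the steps above. Intune runs a platform script once per device (retrying a few times on failure), so the exit code is the only signal the admin center gets; the event-log lines go to the script output, which is useful when a device shows as failed. This back-fills keys for devices that were encrypted by Group Policy; moving BitLocker policy to Intune, as the other answers suggest, is what keeps newly encrypted devices escrowing without a script.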

2 additional answers

  1. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2024-07-22T13:28:38.48+00:00

    Well for forcing the back up in Entra ID, you can refer to this link - https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html

    However, as suggested earlier, move the management of BitLocker to Intune. This official document is a good place to start - https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

    1 person found this answer helpful.

  2. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2024-07-22T06:49:26.64+00:00

    Do your BitLocker policies allow escrowing of recovery keys in Entra? This is what I would do: move your BitLocker management policies to Intune, which will force the backing up of the keys in Entra. You can also use a script to force the backup.

