Share via

How to take backup of BitLocker keys from Intune admin on multiple user systems

Nicholas Okenwa 0 Reputation points
2025-01-08T08:38:25.9266667+00:00

How can an admin take backup of BitLocker keys from Intune server

Microsoft Security | Intune | Other

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ZhoumingDuan-MSFT 17,365 Reputation points Microsoft External Staff
    2025-01-09T06:08:21.59+00:00

    @Nicholas Okenwa, Thanks for posting in Q&A.

    From your description, I know you want to take backup of BitLocker keys from Intune admin on multiple user systems.

    Based on my research, here are some possible methods you can refer to.

    1.You can view and export BitLocker recovery keys directly from Intune portal.

    https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/bitlocker-recovery-keys

    2.You can use PowerShell script to back BitLocker recovery keys to Azure AD.

    https://github.com/jmanuelng/MEM_BitlockerKeyBackup

    https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/

    Non-official, just for reference.

    Also, you can try the method mentioned by @Zafer KAYA.

    Hope it will help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Zafer KAYA 335 Reputation points MVP
    2025-01-08T13:48:39.1733333+00:00

    Connect to Microsoft Graph

    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

    Get all managed devices with BitLocker information

    $devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -Select "id,deviceName"

    foreach ($device in $devices) {

    $bitlockerKey = Get-MgDeviceManagementManagedDeviceBitLockerRecoveryKey -ManagedDeviceId $device.Id

# Export to CSV or store as needed

    }

    1. Using the Intune Portal:
    • Navigate to Endpoint Manager admin center
    • Go to Devices > All devices
    • Select a device
    • Click on "BitLocker" tab
    • View or export recovery keys
    • Using the Intune Portal:
    • Navigate to Endpoint Manager admin center
    • Go to Devices > All devices
    • Select a device
    • Click on "BitLocker" tab
    • View or export recovery keys

    PowerShell Script to export all keys:

    Install required module if not present

    Install-Module -Name Microsoft.Graph.Intune

    Connect to MS Graph

    Connect-MSGraph

    Get all Windows devices

    $devices = Get-IntuneManagedDevice | Where-Object operatingSystem -eq "Windows"

    Create array for results

    $results = @()

    foreach ($device in $devices) {

    $bitlockerKeys = Get-IntuneManagedDeviceBitLockerRecoveryKey -managedDeviceId $device.id



foreach ($key in $bitlockerKeys) {

    $results += [PSCustomObject]@{

        DeviceName = $device.deviceName

        UserPrincipalName = $device.userPrincipalName

        DriveType = $key.driveType

        RecoveryKey = $key.key

        VolumeId = $key.volumeId

        CreatedDateTime = $key.createdDateTime

    }

}

    }

    Export to CSV

    $results | Export-Csv -Path "BitLockerKeys.csv" -NoTypeInformation

    1. Using Azure Portal:
    • Azure Portal > Azure Active Directory
    • Devices > All devices
    • Select device
    • BitLocker tab
    • View recovery keys
    • Using Azure Portal:
    • Azure Portal > Azure Active Directory
    • Devices > All devices
    • Select device
    • BitLocker tab
    • View recovery keys

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.