How to take backup of BitLocker keys from Intune admin on multiple user systems

Nicholas Okenwa 0 Reputation points
2025-01-08T08:38:25.9266667+00:00

How can an admin take a backup of BitLocker keys from the Intune server?


2 answers

  1. Zafer KAYA 20 Reputation points MVP
    2025-01-08T13:48:39.1733333+00:00

    # Connect to Microsoft Graph. BitLocker recovery keys live under
    # informationProtection/bitlocker in Graph, not under the Intune managedDevice
    # resource, so BitLockerKey.Read.All is needed in addition to the device read scope.
    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","BitLockerKey.Read.All"

    # Get all managed Windows devices (the Entra/Azure AD device ID is what the key query filters on)
    $devices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" -Property id,deviceName,azureADDeviceId

    foreach ($device in $devices) {
        # List this device's key objects (Microsoft.Graph.Identity.SignIns module), then
        # fetch each key value by ID: the key material is only returned when selected explicitly
        $keyList = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.AzureAdDeviceId)'"
        foreach ($entry in $keyList) {
            $bitlockerKey = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $entry.Id -Property key
            # Export to CSV or store as needed
        }
    }

    1. Using the Intune Portal:
    • Navigate to Endpoint Manager admin center
    • Go to Devices > All devices
    • Select a device
    • Click on "BitLocker" tab
    • View or export recovery keys

    PowerShell Script to export all keys:

    # Install required module if not present (older Intune module; the Graph SDK
    # script above is the currently maintained route)
    Install-Module -Name Microsoft.Graph.Intune

    # Connect to MS Graph. The signed-in account needs BitLockerKey.Read.All to read key values
    Connect-MSGraph

    # Get all Windows devices (Get-MSGraphAllPages follows the paging links)
    $devices = Get-IntuneManagedDevice | Get-MSGraphAllPages | Where-Object operatingSystem -eq "Windows"

    # Create array for results
    $results = @()

    foreach ($device in $devices) {
        # Recovery keys are exposed under informationProtection/bitlocker, filtered by the
        # Azure AD device ID; the key value must be requested per key with $select=key
        $keyList = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$($device.azureADDeviceId)'"

        foreach ($entry in $keyList.value) {
            $key = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($entry.id)?`$select=key"

            $results += [PSCustomObject]@{
                DeviceName        = $device.deviceName
                UserPrincipalName = $device.userPrincipalName
                VolumeType        = $entry.volumeType
                RecoveryKey       = $key.key
                KeyId             = $entry.id
                CreatedDateTime   = $entry.createdDateTime
            }
        }
    }

    # Export to CSV
    $results | Export-Csv -Path "BitLockerKeys.csv" -NoTypeInformation

    2. Using Azure Portal:
    • Azure Portal > Azure Active Directory
    • Devices > All devices
    • Select device
    • BitLocker tab
    • View recovery keys

  2. ZhoumingDuan-MSFT 15,345 Reputation points Microsoft Vendor
    2025-01-09T06:08:21.59+00:00

    @Nicholas Okenwa, Thanks for posting in Q&A.

    From your description, I know you want to take a backup of BitLocker keys from Intune admin on multiple user systems.

    Based on my research, here are some possible methods you can refer to.

    1. You can view and export BitLocker recovery keys directly from the Intune portal.

    https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/bitlocker-recovery-keys

    2. You can use a PowerShell script to back up BitLocker recovery keys to Azure AD.

    https://github.com/jmanuelng/MEM_BitlockerKeyBackup

    https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/

    Non-official, just for reference.

    Also, you can try the method mentioned by @Zafer KAYA.

    Hope it will help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
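The second method in the answer above (escrowing recovery keys from the device into Entra ID / Azure AD, which is what the linked repository automates) as an added example. This is not code from this thread or from the linked projects. It assumes it is run elevated on a Windows 10/11 device that is already Entra-joined, that the built-in BitLocker module is available, and it reads the BitLocker management event log to confirm each escrow rather than trusting the cmdlet's return alone.

```powershell
# Added example, not from this thread: escrow every BitLocker recovery password on this
# device to Entra ID (Azure AD) and confirm the result from the BitLocker event log.
# Assumptions: run elevated, BitLocker module present, device joined to Entra ID.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Only recovery-password protectors can be escrowed; TPM/password protectors are skipped
    $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    foreach ($kp in $recoveryProtectors) {
        try {
            # Escrow this protector; Intune/Entra stores it under the device object
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'Escrowed'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectorId   = $kp.KeyProtectorId
            Status           = $status
        }
    }
}

# Event ID 845 in the BitLocker Management log records a successful backup of
# recovery information to Azure AD; 846 records a failed attempt.
$escrowEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue

$report | Format-Table -AutoSize
$escrowEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A volume that has no recovery-password protector produces no rows, because there is nothing to escrow; adding one with Add-BitLockerKeyProtector is a separate decision, since it changes which secrets can unlock the drive. Comparing the Escrowed rows against the 845/846 events is the check worth keeping: the cmdlet can return without error while the device-side backup is still pending, and the event log is what Intune compliance ultimately reflects.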

