This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 34%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWS%3C/text%3E%3C/svg%3E)
My organization has recently made the move to Intune and among the several growing pains we've had with it, automating Bitlocker has been a big one. I've finally got it configured to silently encrypt devices, but its not uploading the recovery keys to our AAD like I have it set to. I can go to the machines after the fact and manually upload the keys to AAD, but that kind of defeats the purpose of a silent set up. Most of our devices are already encrypted so we are working with a small pilot group to try everything out on and all of these were preconfigured to our hybrid AAD before picking up Intune, but I don't know if that would cause an issue with this or not.
Are the devices escrowing the keys to AAD at all? Are you Bitlocker policies setup correctly as pointed out by @Nick Hogarth ? You may refer to the links below for reference.
intune-bitlocker-silent-and-automatic.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Have you confirmed that the policy is set to backup keys to AAD? Have you reviewed the event logs to see if there are any errors about backing up the keys? Application and Services Logs > Microsoft > Windows > BitLocker -API > Management
Yes I have verified that the setting to upload the keys to AAD is active, I shared some screenshots with another user if you want to see. I just checked the event logs for that computer but no, there weren't any events saying it even tried to upload the key. It generated the key but after that it did nothing. However, sometime last week I noticed we have been getting event IDs 304 and 307 very regularly for the past who knows how many days but I don't know if these two issues are related.
@William Schmitt Thanks for posting in our Q&A. From your description, I know that you silently enable BitLocker on the device, but Bitlocker Recovery Keys are not saved in Azure AD. If there is anything misunderstanding, feel free to let us know.
To clarify this issue, we appreciate your help to collect some information:
If there is anything update, feel free to let us know.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Yeah you are correct, here are the configuration settings
These are the settings from the configuration profiles. Everything below "Allow standard users to enable" is not configured to avoid conflicts with the settings in Endpoint Security.
These are the settings related to recovery options in the Endpoint Security profiles. I can't get the entire list of settings in a single screenshot so let me know if you want more from the other sections
I would have preferred to only use the Endpoint Security profile but unfortunately the only way for me to get it to be silent was to activate those two settings in the config profiles to keep that popup from coming up
@William Schmitt From the settings, it seems normal. It is needed to check more background information, such as log analysis. With Q&A limitation, it is suggested to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support
Thanks for understanding.
Most of our devices are already encrypted
Are the devices that you are testing already encrypted as well?
Have you reviewed the BitLocker event log?
Do the systems have line of sight to a domain controller?
The devices we're testing Intune with had Bitlocker turned off prior to enrollment so we could test configurations and stuff. I did review the Bitlocker logs on the devices and they all stop at generating the recovery key. As for line of sight, you'll have to forgive me but I'm only a few months out of college and still learning a lot, especially about Microsoft products and networking, so I'm not exactly sure what that means. I'll look into it though.