Have you confirmed that the policy is set to back up keys to AAD? Have you reviewed the event logs to see if there are any errors about backing up the keys? Application and Services Logs > Microsoft > Windows > BitLocker-API > Management
BitLocker Recovery Keys Not Backing Up
My organization has recently made the move to Intune and, among the several growing pains we've had with it, automating BitLocker has been a big one. I've finally got it configured to silently encrypt devices, but it's not uploading the recovery keys to our AAD like I have it set to. I can go to the machines after the fact and manually upload the keys to AAD, but that kind of defeats the purpose of a silent setup. Most of our devices are already encrypted, so we are working with a small pilot group to try everything out on, and all of these were preconfigured to our hybrid AAD before picking up Intune, but I don't know if that would cause an issue with this or not.
3 answers
Sort by: Most helpful
Lu Dai-MSFT 28,371 Reputation points
2021-08-27T06:32:34.427+00:00 @William Schmitt Thanks for posting in our Q&A. From your description, I know that you silently enable BitLocker on the device, but BitLocker recovery keys are not saved in Azure AD. If there is any misunderstanding, feel free to let us know.
To clarify this issue, we appreciate your help to collect some information:
- Please show the screen shots of the settings about this Bitlocker policy.
- Please make sure that the deployment status of this BitLocker policy shows as succeeded.
If there is any update, feel free to let us know.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Jason Sandys 31,196 Reputation points Microsoft Employee
2021-08-27T15:59:20.547+00:00
"Most of our devices are already encrypted"
Are the devices that you are testing already encrypted as well?
Have you reviewed the BitLocker event log?
Do the systems have line of sight to a domain controller?
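The checks suggested in this thread (confirm the device is actually Azure AD / hybrid joined, confirm a recovery password protector exists to be escrowed, read the BitLocker-API Management log for backup errors, confirm a domain controller is reachable) can be run from one elevated PowerShell session on a pilot machine. The script below is an added example written for this page, not code posted by anyone in the thread or shipped by Microsoft. It assumes a Windows 10/11 client with the built-in BitLocker module, that the Management log is registered under the name Microsoft-Windows-BitLocker/BitLocker Management (the name this log has on the builds I have looked at), and that you run it as an administrator. The -Backup switch, which calls BackupToAAD-BitLockerKeyProtector, is opt-in so the script is read-only by default.

```powershell
# Added example for this thread, not Microsoft's or the poster's code.
# Triage for "silent encryption works but no recovery key shows up in Azure AD".
# Assumptions: elevated PowerShell, BitLocker module present, Windows 10/11,
# BitLocker-API Management log registered as 'Microsoft-Windows-BitLocker/BitLocker Management'.
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [int]$LookbackHours = 72,
    [switch]$Backup     # opt in: actually push the protector(s) to Azure AD
)

# 1. Join state. Escrow to Azure AD only works when the device is AAD joined or hybrid joined,
#    so check this first; dsregcmd is the authoritative view.
Write-Host "== Join state (dsregcmd /status) =="
dsregcmd /status |
    Select-String 'AzureAdJoined|DomainJoined|TenantName|DeviceId' |
    ForEach-Object { $_.Line.Trim() }

# 2. Volume and protectors. Silent encryption can finish without ever creating a
#    RecoveryPassword protector; then there is simply nothing to back up.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "`n== Volume $MountPoint =="
Write-Host ("VolumeStatus={0}  ProtectionStatus={1}  Method={2}" -f `
    $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    Write-Warning "No RecoveryPassword protector on $MountPoint. Nothing can be escrowed until one exists."
} else {
    $rp | ForEach-Object { Write-Host ("RecoveryPassword protector Id={0}" -f $_.KeyProtectorId) }
}

# 3. Domain controller line of sight (relevant for hybrid joined devices that also
#    back up to AD DS, and for the hybrid join itself to have completed).
Write-Host "`n== Domain controller reachability =="
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    try {
        $ok = Test-ComputerSecureChannel -ErrorAction Stop
        Write-Host "Secure channel to domain OK: $ok"
    } catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    }
} else {
    Write-Host "Device is not domain joined (pure Azure AD join), skipping DC check."
}

# 4. BitLocker-API Management log: same log as
#    Application and Services Logs > Microsoft > Windows > BitLocker-API > Management.
#    Show errors/warnings plus anything that mentions Azure AD, so a failed escrow
#    and its error code are visible without opening Event Viewer.
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$since   = (Get-Date).AddHours(-$LookbackHours)
Write-Host "`n== $logName (last $LookbackHours h) =="
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue)
$events |
    Where-Object { ($_.Level -ge 1 -and $_.Level -le 3) -or $_.Message -match 'Azure|AAD' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
if ($events.Count -eq 0) {
    Write-Host "No events in the window. If encryption ran recently, that itself is a clue: no backup attempt was made."
}

# 5. Optional: push the protector(s) to Azure AD now and re-read the log for the outcome.
if ($Backup -and $rp.Count -gt 0) {
    Write-Host "`n== Backing up to Azure AD =="
    $t0 = Get-Date
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    Start-Sleep -Seconds 5
    Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $t0 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Run it read-only first on a pilot device that already shows the symptom; the combination of "RecoveryPassword protector present" plus "no Azure AD entry in the Management log" points at the policy never triggering a backup, whereas a logged failure with an error code points at the escrow call itself (join state, network, or tenant side). Running with -Backup on one machine and watching the resulting event tells you whether the device can escrow at all, which separates an Intune policy problem from a device or tenant problem.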