1,508 questions
You can also use the Endpoint protection template for that I think.
Configuration settings > Windows Encryption
Backup BitLocker Keys to Azure AD
JADR_KT
21
Reputation points
Is it possible to backup BitLocker recovery keys to Azure AD without an elevated privilege? Because right now, we have several devices that do not have recovery keys uploaded.
There is a Powershell script to upload this but it still requires to run as administrator. I want to deploy a script to a group of devices. I don't want to go to each one and backup their recovery keys manually.
Microsoft Security Intune Enrollment
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 48%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB5%3C/text%3E%3C/svg%3E)
BruceFincham-5216 11 Reputation points2022-04-25T20:39:40.637+00:00 I had a similar problem. We are using Intune and the recovery keys would not get uploaded. In my scenario I had more than one account registered under the Accounts section I think AD did not know which one to back up to. Once I removed one the backup of the recovery key to AD worked
Sign in to comment
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 42%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Reinout Dorreboom 106 Reputation points2021-10-06T11:51:14.973+00:00 -
Nur Atikah Zainuldin 1 Reputation point2023-01-05T01:57:14.93+00:00 From my experience, Endpoint Security>Disk Encryption policy didnt work. You need to use BitLocker policy from Device Configuration>Endpoint Protection>Windows Encryption.
Sign in to comment -
-
Paul van Berlo 826 Reputation points2021-10-06T07:35:23.56+00:00 Uploading the recovery keys is done as part of having the device (Hybrid) Azure AD Joined and managed in Microsoft Endpoint Manager (Intune), and should not require any additional permissions. I found a blog which may contain some more information that could be helpful.
-
JADR_KT 21 Reputation points
2021-10-06T07:54:55.157+00:00 Thanks. Need help with one step.
How do I "3. Choose to run the script as SYSTEM then assign it to the devices for which you need to save the recovery key."?
-
Paul van Berlo 826 Reputation points
2021-10-06T11:19:08.987+00:00 You're basically looking for the highlighted setting below. If this is set to YES - the script will run as the signed in user, if it's set to NO - the script will run under the system context.
-
Reinout Dorreboom 106 Reputation points
2021-10-06T17:38:30.05+00:00 In my experience the recovery keys are only uploaded to Azure AD if you join the computers via Autopilot or do that before you Bitlocker them. If you already have Bitlockered them and that (manually) add them to Azure AD the recovery keys are not saved to Azure AD.
We created a policy for that.
-
JADR_KT 21 Reputation points
2021-10-07T05:59:06.843+00:00 What's the policy you created to go around this issue?
I have not seen any positive results with the script although it says Succeeded in every devices I added and deployed to.
-
JADR_KT 21 Reputation points
2021-10-10T06:21:29.523+00:00 Alright, I did this and status for every device I applied the script to says Succeeded. However, even after a few days waiting, I still don't see BitLocker Recovery Keys uploaded. Did I do something wrong?
-
Paul van Berlo 826 Reputation points
2021-10-10T08:55:56.767+00:00 I can't really say if you did something wrong :-) Can you not use the default Intune endpoint protection configuration policy to upload bitlocker keys in your case? That would always be best. See the comment from Reinout below.
-
Reinout Dorreboom 106 Reputation points
2021-10-11T06:39:09.237+00:00 we use a configuration profile (the endpoint protection template (see also my answer below)
Sign in to comment -