Bitlocker recovery keys hybrid-joined devices

Bjorn Claes 21 Reputation points

We have a Bitlocker policy configured as shown in the image, but it's giving mixed results and I can't figure out why. For some devices the Recovery Key is stored in Azure AD + AD, while for other devices the Recovery Key is only stored in AD. The option: Require device to back up recovery information to Azure AD is enabled, all of the devices are encrypted and still 2/3 of the devices don't have a Recovery Key stored in AAD.
All devices are hybrid-joined, they all have the same autopilot profile, are in the same groups ...

Windows 10 Setup
Windows 10 Setup
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Setup: The procedures involved in preparing a software program or application to operate within a computer or mobile device.
1,877 questions
Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,648 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 39,181 Reputation points

    Hello @Bjorn Claes

    I would recommend with manual backup and setting for the Recovery Key backup to AAD.

    Please check the instructions and blog in

    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--

  2. Nick Hogarth 3,431 Reputation points

    If you are using the same policy across devices but getting different results, you're probably best of logging an Intune support case.

  3. Jason Sandys 31,121 Reputation points Microsoft Employee

    The most likely cause here is that the device simply hasn't completed its HAADJ process when the recovery password is initially set (which is the only time that Windows will save the recovery password). The HAADJ process depends on a user logging into the device which is not in any way guarenteed.

    Have you reviewed the BitLocker event log?