This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 76%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
After migrating to Azure AD Hybrid, all the BitLocker recovery keys that were stored in AD were removed, and not migrated to AAD or InTune. They are all Windows 10 Business systems with 21H2 installed.
I can manually go into BitLocker, and tell it to run a backup of the BL recovery key to Azure, but 99% of our employees do not have admin rights on their system, which this process requires, and I am not going to go through and do this one at a time, since there is a lot of them.
I have InTune policy setup to silently push BL to new systems, though it is still in testing.
To ask, if I enable this for all users, will it affect the servers at all? I am presuming not, since they are not Azure AD joined, but still on-prem, but want to verify. Needing to go through these slowly because some are older. Wondering if I push the policy to everyone if it would see they are already Bitlockered, and copy over the recovery key to Azure.
Outside of this, is there a way to tell Azure or Intune to query all the computers, and record their recovery keys? I found a couple articles about this, but they all said to just run the utility to backup the Bitlocker recovery key in Windows.
Intune can't manage servers.
BitLocker recovery passwords are only saved to AD and AAD at the time they are set (or reset). Thus, you must either rotate them (which can be done using Intune) or send a script to them to force them to save their keys to AAD. I generally prefer using the script as rotating the key for this purpose seems overkill to me. If you search the web for "BackupToAAD-BitLockerKeyProtector", which is the PowerShell cmdlet that does the heavy lifting here, you'll find lots of example scripts that do this with various levels or robustness, troubleshooting, and logging.
+1 to @Jason Sandys . I blogged this very same process a while back. This may help.how-to-force-escrowing-of-bitlocker.html
Thanks, I am giving what you recommended in your blog a go, and will see how it goes in the test environment. Just for your info, someone left a question in that blog early February.
Thanks. I didn't get a notification on the comment. Replied now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 34%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKF%3C/text%3E%3C/svg%3E)
Many thanks for the endpoint script to backup the recovery key, deployed it yesterday and works exactly as expected which has saved us a lot of work. We have noticed one anomaly though, if I log in as a domain user, the script runs and the key appears in EM as expected. If I then log in as a local administrator on the machine, it immediately removes the recovery key from EM. Is this a know and expected behaviour?
By EM, I'm assuming that you mean Endpoint Manager but note that the recovery key is not stored in Intune, it is stored in AAD. I've never heard of or observed this behavior though. Is it a simple local admin login or were there other actions? To me, this would be very bad and if you can reproduce, I suggest you open a support case.
Note that the 2203 technical preview (TP) was just released and includes this feature: https://learn.microsoft.com/en-us/mem/configmgr/core/get-started/2022/technical-preview-2203. Please test this out if you have the opportunity to do so.
Thanks, that looks like quite the project to setup, especially with the SQL certificate, but in the long run, would make BL easier to deal with.
Sorry, please ignore my comment above. While accurate, it really has nothing to do with your question here -- I confused this thread with another.
I actually bookmarked it. Hoping it does actually go in to release, along with the mentioned dark mode. I haven't been able to keep up with TP releases as much as I used to.