Missing Bitlocker Recovery Keys in AAD/InTune

Jon Mercer 971 Reputation points
2022-03-02T18:05:09.217+00:00

After migrating to Azure AD Hybrid, all the BitLocker recovery keys that were stored in AD were removed, and not migrated to AAD or InTune. They are all Windows 10 Business systems with 21H2 installed.

I can manually go into BitLocker, and tell it to run a backup of the BL recovery key to Azure, but 99% of our employees do not have admin rights on their system, which this process requires, and I am not going to go through and do this one at a time, since there is a lot of them.

I have InTune policy setup to silently push BL to new systems, though it is still in testing.

To ask, if I enable this for all users, will it affect the servers at all? I am presuming not, since they are not Azure AD joined, but still on-prem, but want to verify. Needing to go through these slowly because some are older. Wondering if I push the policy to everyone if it would see they are already Bitlockered, and copy over the recovery key to Azure.

Outside of this, is there a way to tell Azure or Intune to query all the computers, and record their recovery keys? I found a couple articles about this, but they all said to just run the utility to backup the Bitlocker recovery key in Windows.

Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
896 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,493 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-03-02T19:43:24.29+00:00

    Intune can't manage servers.

    BitLocker recovery passwords are only saved to AD and AAD at the time they are set (or reset). Thus, you must either rotate them (which can be done using Intune) or send a script to them to force them to save their keys to AAD. I generally prefer using the script as rotating the key for this purpose seems overkill to me. If you search the web for "BackupToAAD-BitLockerKeyProtector", which is the PowerShell cmdlet that does the heavy lifting here, you'll find lots of example scripts that do this with various levels or robustness, troubleshooting, and logging.

    1 person found this answer helpful.
    0 comments No comments

  2. Rahul Jindal [MVP] 9,276 Reputation points MVP
    2022-03-02T23:49:44.267+00:00

    +1 to @Jason Sandys . I blogged this very same process a while back. This may help.how-to-force-escrowing-of-bitlocker.html


  3. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-03-03T15:32:36.037+00:00

    Note that the 2203 technical preview (TP) was just released and includes this feature: https://learn.microsoft.com/en-us/mem/configmgr/core/get-started/2022/technical-preview-2203. Please test this out if you have the opportunity to do so.