Forum Discussion
BitLocker recovery key not being uploaded into Intune when using BackupToAAD-BitLockerKeyProtector
- Oct 03, 2022
If the device is enrolled in Intune, you should try to create a BitLocker policy for it and enable the option to require Azure AD Key Backup, per this article:
Best Practices for Deploying BitLocker with Intune
If doing a script, it should be run elevated as administrator, so it can access the system. Best practice is to set the policy and see if that method works, then to use the script as the fallback. It won't use the Management Extensions; it leverages WMI and .NET, because BitLocker support is baked in at the OS level.
It's possible it might not work as a local user though, because that account might not have a reference in Azure AD, and it needs credentials to connect. For native Azure AD joined devices, instead of logging in as ".\localuser" you can try logging in as "user@clouddomain.com"; the cmdlet should be able to work under the cloud account context. Logging in as DOMAIN\user will leverage Hybrid Azure AD Join, which is why it works that way.
Also confirm the device is properly registered in Azure AD and Intune via DsRegCmd.exe /status.
Please like or mark this thread as answered if it's helpful, thanks!
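The steps in the answer above (run elevated, escrow each recovery-password protector with BackupToAAD-BitLockerKeyProtector, then confirm registration with dsregcmd /status), collected into one script. This is an added example, not code from the thread or from Microsoft; the function names are my own, the event log channel name and the meaning of event ID 845 as the success counterpart of the 846 failure quoted later in the thread are stated from my own knowledge of the BitLocker Management log, and the dsregcmd parsing assumes its usual "Key : Value" output layout.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session
# on a device that already has BitLocker enabled.
#Requires -RunAsAdministrator

function Backup-RecoveryKeysToAAD {
    # Submit every 48-digit RecoveryPassword protector to Azure AD.
    # Azure AD only escrows RecoveryPassword protectors, so TPM/PIN protectors are skipped.
    [CmdletBinding()]
    param(
        [string[]]$MountPoint = (Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On').MountPoint
    )
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # Nothing to escrow: a practitioner would add one with
            # Add-BitLockerKeyProtector -RecoveryPasswordProtector, but that is a policy decision.
            Write-Warning "$mp has no RecoveryPassword protector; nothing to back up"
            continue
        }
        foreach ($p in $rp) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
                [pscustomobject]@{ MountPoint = $mp; KeyProtectorId = $p.KeyProtectorId; Result = 'Submitted' }
            } catch {
                # The cmdlet returning without error does not prove escrow succeeded; see Get-AADBackupEvents.
                [pscustomobject]@{ MountPoint = $mp; KeyProtectorId = $p.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

function Get-AADBackupEvents {
    # 845 = recovery information backed up to Azure AD successfully
    # 846 = backup failed (the message quoted in the thread, e.g. no cloud identity for the signed-in user)
    param([int]$Minutes = 10)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Get-DeviceRegistrationState {
    # Parse the "Key : Value" lines of dsregcmd /status into a lookup table and
    # surface the fields that matter for key escrow: the join type and the MDM URL.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $status['AzureAdJoined']   # YES for both native and hybrid join
        DomainJoined  = $status['DomainJoined']    # YES means hybrid (HAADJ), NO means native AADJ
        MdmUrl        = $status['MdmUrl']          # empty if the device is not enrolled in Intune
        TenantName    = $status['TenantName']
    }
}

# Usage: check registration first, then escrow, then confirm from the event log.
Get-DeviceRegistrationState
Backup-RecoveryKeysToAAD
Start-Sleep -Seconds 5
Get-AADBackupEvents
```

The event log check is the important part: BackupToAAD-BitLockerKeyProtector hands the request to the OS, and a failure to reach Azure AD (as in the 846 event later in this thread) shows up there rather than as a terminating error from the cmdlet.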
Hey Kurt, thanks for the info on the WMI/.NET backend. I was scratching my head trying to understand the workings of that cmdlet.
We tried deploying the Intune encryption policy to get the key backed up, but no luck; same story with the script running as SYSTEM. Looking in Event Viewer shows the following after running the script:
Event 846: Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. You need to be signed into Windows with a Microsoft account to save your recovery key.
I didn't mention originally, but our devices are HAADJ without line of sight to the DC; I think this is our issue here. It's a shame Intune can't escrow the key for us through the MDM enrolment profile.
- KurtBMayer, Oct 03, 2022, Iron Contributor
You may want to look into this Autopilot feature, which gets it to work over VPN, and would thereby give you line-of-sight to the DC that way.
Trying Out Autopilot Hybrid Join Over VPN In Your Azure Lab
Please like or mark this thread as answered if it's helpful, thanks!