Forum Discussion
JimmyWork
Jun 03, 2022, Iron Contributor
Bitlocker recovery keys not syncing on OnPrem devices
Steps you do:
Move devices in SCCM into a collection where Intune controls everything; devices are on-prem.
All policies work, but the BitLocker recovery keys do not sync from AD to Intune.
If I manually go to the device I can trigger a BitLocker key rotation and one key shows up. Fully AAD devices that went through Autopilot have two recovery keys in Intune.
Not sure how everyone is handling this, but I did find a remediation script.
https://call4cloud.nl/2021/02/b-for-bitlocker/
But is there any other way of handling this, and why is it happening?
13 Replies
- JimmyWork, Iron Contributor
The following option is not present in a BitLocker policy, but is present in an Endpoint protection policy template. Would this actually solve it? And do I have to delete the BitLocker policy, or is there any way for me to set only that option?
- Moe_Kinani, Bronze Contributor
Hi JimmyWork
Do you have an on-premises GPO? If you do, bear in mind it will always win, so make sure it's disabled on devices that are scoped in the Intune policy.
I would also use the Intune Endpoint Protection template (like you mentioned above) and make sure the setting you attached is selected, and also the one I attached. I used the script below last year to migrate the keys into AAD; hope it helps as well.
https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/
Moe
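The thread discusses two ways of getting a key into Intune: rotating it on the device (which produces a fresh key) or escrowing the recovery password the device already has to Azure AD (what the linked migration script does). The following PowerShell is an added example, not code from the thread or from the call4cloud / msendpointmgr articles: it escrows every existing RecoveryPassword protector on a hybrid Azure AD joined device with the built-in BackupToAAD-BitLockerKeyProtector cmdlet, without rotating anything, and then reads the BitLocker Management event log (event 845 is "backed up to Azure AD", 846 is a failed backup) so you can verify the result rather than trusting the cmdlet's return. It assumes an elevated session on Windows 10/11 with the BitLocker module and that dsregcmd reports AzureAdJoined : YES; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or the linked scripts): escrow the existing
# BitLocker recovery password protectors of a hybrid-joined device to Azure AD
# without rotating them, then read back the BitLocker Management events
# (845 = backed up to Azure AD, 846 = backup failed) to confirm what happened.
# Assumptions: Windows 10/11 with the BitLocker module, the device reports
# "AzureAdJoined : YES" in dsregcmd /status, and the script runs elevated.

function Test-AzureAdJoined {
    # dsregcmd /status is the authoritative local view of the join state.
    $status = & dsregcmd.exe /status
    return [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
}

function Backup-BitLockerKeysToAad {
    [CmdletBinding()]
    param()

    if (-not (Test-AzureAdJoined)) {
        throw 'Device is not Azure AD (hybrid) joined; BackupToAAD-BitLockerKeyProtector would fail.'
    }

    $started = Get-Date
    $results = foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Outcome = 'skipped (protection off)' }
            continue
        }
        # Only RecoveryPassword protectors (the 48-digit keys) are recovery information;
        # TPM, TpmPin and ExternalKey protectors are not escrowed.
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($recovery.Count -eq 0) {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Outcome = 'no RecoveryPassword protector' }
            continue
        }
        foreach ($kp in $recovery) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $outcome = 'backup requested'
            } catch {
                $outcome = "failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; Outcome = $outcome }
        }
    }

    # The cmdlet returning is not proof that the escrow landed; the management log is.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = $started
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Protectors = $results
        Events     = $events | Select-Object TimeCreated, Id, Message
    }
}

# Usage: run once (or as an Intune proactive remediation) and inspect both tables.
$report = Backup-BitLockerKeysToAad
$report.Protectors | Format-Table -AutoSize
$report.Events | Format-List
```

Because this escrows the protector the volume already has, the 48-digit recovery password that shows up in Intune will be the same one already stored in on-prem AD; the rotation action mentioned in the original post instead replaces it with a new one, which is why only one key appears after rotating. An 846 event in the output is the signal to look at the join state and the Intune BitLocker settings rather than re-running the script.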
- JimmyWork, Iron Contributor
Also, in your image you are using an Endpoint protection policy template. I have configured the BitLocker policy with a BitLocker policy template; the option
"Store recovery information in Azure Active Directory before enabling BitLocker" is not available in my config. I do, however, have "Require device to back up recovery information to Azure AD".