Forum Discussion
Bitlocker recovery keys not syncing on OnPrem devices
- Jun 04, 2022
Hi JimmyWork
Do you have an on-premises GPO? If you do, bear in mind it will always win, so make sure it's disabled on devices that are scoped in the Intune policy.
I would also use the Intune Endpoint Protection template (like you mentioned above) and make sure the setting you attached is selected, and also the one I attached.
I used the script below last year to migrate the keys into AAD; hope it helps as well.
https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/
Moe
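As an added example that is not part of the post or the linked msendpointmgr script: a PowerShell check for the two things Moe raises, run elevated on the device. It reads the FVE policy registry values that the on-premises BitLocker GPO writes (assumed value names OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup from the "Choose how BitLocker-protected operating system drives can be recovered" setting), confirms the device is Azure AD joined or hybrid joined via dsregcmd, and then escrows every existing RecoveryPassword protector to Azure AD with BackupToAAD-BitLockerKeyProtector from the built-in BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example, not the forum poster's code. Assumes the FVE policy value names
# below are the ones written by the on-prem BitLocker GPO.

# 1) Is an on-prem BitLocker GPO still steering the OS drive toward AD DS escrow?
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fvePolicy) {
    $p = Get-ItemProperty -Path $fvePolicy
    # 1 = GPO saves recovery info to AD DS / requires AD DS backup before enabling.
    [pscustomobject]@{
        GpoAdDsBackup        = $p.OSActiveDirectoryBackup
        GpoRequireAdDsBackup = $p.OSRequireActiveDirectoryBackup
    } | Format-List
} else {
    Write-Host "No on-prem BitLocker GPO policy found under $fvePolicy"
}

# 2) BackupToAAD-BitLockerKeyProtector only works on an Azure AD joined or
#    hybrid joined device; dsregcmd reports "AzureAdJoined : YES" in both cases.
$dsreg = dsregcmd /status
$azureAdJoined = $null -ne ($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
if (-not $azureAdJoined) {
    Write-Warning 'Device is not Azure AD joined / hybrid joined; escrow to AAD will fail.'
}

# 3) Escrow every recovery password protector on every protected volume.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # TPM-only volumes have nothing to escrow; a numerical password must exist first.
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first"
        continue
    }
    foreach ($kp in $rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId) to Azure AD"
        } catch {
            Write-Warning "$($vol.MountPoint): escrow failed: $($_.Exception.Message)"
        }
    }
}
```

A successful escrow shows up as event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log ("recovery information ... was backed up successfully to your Azure AD"), and the key then appears under the device's BitLocker keys in Azure AD / Intune; event ID 846 means the backup failed, which is the first place to look when keys are "not syncing".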
Also, in your image you are using an Endpoint protection policy template. I have configured the BitLocker policy with a BitLocker policy template; the option
"Store recovery information in Azure Active Directory before enabling BitLocker" is not available in my config. I do, however, have "Require device to back up recovery information to Azure AD".
- Moe_Kinani Jun 04, 2022 Bronze Contributor
Got it, thanks for the clarification!
I still think disabling the GPO policy would remove some complexity in your case. There are multiple places for BitLocker in MEM, and I would stay on one policy from MEM.
Moe
- JimmyWork Jun 04, 2022 Iron Contributor
Thank you. I'm testing a script, and later on I'm uninstalling the SCCM client, making the device Intune only. This should also result in BitLocker keys synced to Intune, right?
- Moe_Kinani Jun 06, 2022 Bronze Contributor
Yes, if the policy is applied to the hybrid-joined device from Intune only.
Azure AD devices should be fine.
Moe