BitLocker recovery key question: We have a BitLocker config profile scoped to a security group via Intune. On some occasions, BitLocker will activate, the machine will encrypt, but the key will not escrow to Intune for whatever reason. How can we prevent a computer from activating BL in the event that it cannot escrow? What type of reporting do we have for computers that have BitLocker enabled but are missing recovery keys in Intune? We have to be the bearer of bad news and tell users that their data is gone when keys do not exist.
We use the Intune > Endpoint Security > Disk Encryption policy, which has the option "Require device to back up recovery information to Azure AD". If enabled, it doesn't allow BitLocker to complete until the recovery key is backed up. Does the key store in AAD but not Intune? We had problems with the keys populating in one system but not the other in the early days, so deployed a PS script to force a key rotation as a workaround.
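The script below is an added example of the kind of "force escrow / rotate" remediation the reply describes; it is not the poster's script and not Microsoft's. It assumes it runs as SYSTEM on an Azure AD (Entra) joined device with the BitLocker PowerShell module present, and it assumes that event ID 845 in the BitLocker-API "BitLocker Management" log marks a successful Azure AD backup and that its message contains the protector GUID (if that assumption is wrong the only effect is that the protector is backed up again, which is harmless). With -Rotate it replaces the recovery password, but never deletes the old one until the new one has been escrowed.

```powershell
<#
Added example (not from the original thread). Run as SYSTEM, e.g. as an Intune
remediation script. Assumptions: Azure AD joined device, BitLocker module present,
event ID 845 = successful Azure AD escrow and its message includes the protector ID.
#>
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$Rotate   # add a new recovery password and remove the old one once the new one is escrowed
)

$ErrorActionPreference = 'Stop'
$Log = 'Microsoft-Windows-BitLocker/BitLocker Management'

function Get-RecoveryProtectors([string]$Mp) {
    (Get-BitLockerVolume -MountPoint $Mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# $true when the log already shows a successful Azure AD backup for this protector ID (assumed event format).
function Test-EscrowEvent([string]$ProtectorId) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 845 } -ErrorAction SilentlyContinue
    foreach ($e in $events) { if ($e.Message -like "*$ProtectorId*") { return $true } }
    return $false
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$MountPoint is not encrypted; nothing to escrow."
    exit 0
}

$existing = @(Get-RecoveryProtectors $MountPoint)
if ($existing.Count -eq 0 -or $Rotate) {
    # A volume can be encrypted with only a TPM protector; without a recovery password there is nothing to escrow.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

$failed = @()
foreach ($kp in Get-RecoveryProtectors $MountPoint) {
    if (Test-EscrowEvent $kp.KeyProtectorId) { continue }   # already escrowed, skip
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "Escrowed $($kp.KeyProtectorId) to Azure AD."
    } catch {
        $failed += $kp.KeyProtectorId
        Write-Warning "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

if ($Rotate -and $failed.Count -eq 0) {
    # Only now remove the old protectors: never delete a recovery password before its replacement is escrowed.
    foreach ($kp in $existing) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

# A non-zero exit marks the device as failed in an Intune remediation, which doubles as a "missing key" report.
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```

Deployed as an Intune remediation, the exit code gives you the missing-key report the question asks for: devices that cannot escrow show up as failed, and you can check the BitLocker-API log (event 846 is the failure counterpart of 845) on those machines to see why. Note that BackupToAAD-BitLockerKeyProtector only escrows to Azure AD; what Intune displays is read back from there, so a key that is in Azure AD but not yet visible in the Intune device page is a sync delay rather than a lost key.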