Hybrid Azure AD Join Devices not showing BitLocker recovery codes

We have been deploying a lot of devices for a client using AutoPilot.

They have a relatively simple setup. Only a couple of configuration profiles and applications.


One of the configuration profiles is to enable BitLocker on the machines.

The configuration has been working perfectly (or so we thought). 
Today I noticed that the majority of the devices don't show BitLocker recovery codes in Intune Devices or Azure AD Devices.


The configuration profile is showing as successful on almost all of the devices, but most of the ones showing successful don't have the BitLocker recovery codes.


We've found a manual solution which is to open Manage BitLocker and use the Save recovery code to cloud account. This pushes the recovery code to the device in Azure AD.


Unfortunately, this is not the expected behaviour of the configuration profile - all encrypted devices should be showing their BitLocker recovery codes.


Does anyone know how we can resolve this or know why this is happening this way?



1 Reply

@Unit2777 I have a similar setup, and when I contacted MS, they mentioned that this is by design if we allow standard users to do the endpoint encryption.

With this setup, the only way is to manually upload the key to the cloud. I am curious to know from others if they found any options.
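
The manual "save recovery code to cloud account" step described in this thread can also be run from an elevated PowerShell session. The script below is an added example, not part of either post. It assumes the built-in BitLocker module (`Get-BitLockerVolume`, `BackupToAAD-BitLockerKeyProtector`) and a device that already has an Azure AD identity.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow existing BitLocker recovery passwords to Azure AD.
# Assumption: the device is Azure AD or Hybrid Azure AD joined.
# Only protector IDs are reported; the recovery password itself is never printed.

$results = foreach ($volume in Get-BitLockerVolume) {
    # Nothing to escrow on a volume that is not encrypted.
    if ($volume.VolumeStatus -eq 'FullyDecrypted') { continue }

    # A volume can carry several protectors (TPM, PIN, ...); only the
    # numerical recovery password is what appears in the device record.
    $recoveryProtectors = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recoveryProtectors.Count -eq 0) {
        [pscustomobject]@{
            MountPoint     = $volume.MountPoint
            KeyProtectorId = $null
            Status         = 'NoRecoveryPassword'
        }
        continue
    }

    foreach ($protector in $recoveryProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUp'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            MountPoint     = $volume.MountPoint
            KeyProtectorId = $protector.KeyProtectorId
            Status         = $status
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a deployment tool flag devices that still need attention.
if ($results | Where-Object { $_.Status -ne 'BackedUp' }) { exit 1 }
```

After it runs, compare the reported protector IDs with the key IDs listed on the device object in Azure AD to confirm the escrow.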