How to Back Up BitLocker Keys to On-Prem AD in a Hybrid Intune Environment

Many organizations use both Microsoft Intune and on-premises Active Directory (AD) in a hybrid setup. Intune can manage BitLocker encryption on Windows devices, but by default it stores recovery keys in Azure AD. If your help desk relies on the AD "BitLocker Recovery" tab and you don't want to grant them Intune rights, you need a way to back up those keys directly to on-prem AD. Unfortunately, there is no built-in Intune feature to do this. Here is what you can and can't do today, plus recommended workarounds.


Why On-Prem AD Matters for BitLocker

  1. Help-Desk Access: Techs use the AD Users and Computers “BitLocker Recovery” tab to retrieve keys.
  2. Security Boundaries: You may not want to grant broad Intune read rights to on-prem teams.
  3. Audit & Compliance: Some policies mandate recovery keys reside in your own AD forest.

What Intune Does Out of the Box

  • Automatic Key Backup to Azure AD: When you enable BitLocker via an Intune device configuration policy, Windows 10/11 stores the recovery key in Azure AD.
  • Hybrid Azure AD Joined Devices: Keys back up automatically to Azure AD; they do not go to on-prem AD unless you configure additional tooling.

The PowerShell Script Myth

A frequently shared script for hybrid devices uses the BackupToAAD-BitLockerKeyProtector cmdlet to push keys into Azure AD. It does not back up to on-prem AD. Running it on managed devices simply ensures the key appears in Azure AD’s device record, which Intune admins can view. It doesn’t touch your on-prem AD.


Why MBAM Isn’t a Simple Answer

Microsoft BitLocker Administration and Monitoring (MBAM) once provided on-prem key backup. However:

  • MBAM is deprecated and not supported in Windows 11.
  • Integrating MBAM with Intune requires complex co-management and still doesn’t back up Intune-provisioned keys without extra scripting.

Workarounds to Get Keys into On-Prem AD

  1. Group Policy for On-Prem AD Backup
    • For hybrid-joined devices, you can still enable the legacy Group Policy “Store recovery information in Active Directory Domain Services.”
    • This policy runs at OS startup and writes the key to on-prem AD.
    • Drawback: It doesn't capture keys for devices encrypted by Intune after provisioning; you must re-encrypt or manually trigger a backup.
  2. Custom PowerShell + Scheduled Task
    • Deploy a script via Intune that:
      1. Retrieves the BitLocker recovery key using Get-BitLockerVolume.
      2. Uses the Active Directory PowerShell module to call Add-ADObject or Set-ADReplicationAttributeMetadata against the corresponding computer object’s msFVE-RecoveryInformation attribute.
    • Schedule the script to run once after encryption and on OS boot.
    • Drawback: You must ensure each device has network access to on-prem AD and proper rights to write attributes.
  3. Azure Automation + On-Prem Integration
    • Use Azure Automation Runbooks to pull keys from Azure AD (via Microsoft Graph) and then call into your on-prem environment over a hybrid runbook worker.
    • The runbook writes keys into on-prem AD using LDAP or RSAT cmdlets.
    • Drawback: Requires Azure Automation licensing and configuring a hybrid worker, plus securing credentials.

For most hybrid customers, the Group Policy approach remains the simplest for new devices:

  1. Enable both:
    • Intune BitLocker policy (for Azure AD backup and encryption settings)
    • On-prem Group Policy (“Store recovery information in Active Directory Domain Services”)
  2. Ensure devices join both Azure AD and your on-prem domain at first boot.
  3. Test encryption of a pilot device. Verify recovery keys appear in both Azure AD and on-prem AD.

For existing devices already encrypted by Intune, consider a one-time PowerShell script deployed via Intune:

  • The script calls Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector to ensure a protector exists.
  • It then uses BackupToAAD-BitLockerKeyProtector to retrieve the protector ID and password.
  • Finally, it uses the AD PowerShell module to write the key to on-prem AD under the computer object.

Wrap this logic into an Intune PowerShell profile. Once run, you’ll have keys in both Azure AD and on-prem AD without manual steps.
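The one-time script for existing devices, as an added example that is not from the original post. Rather than writing to AD with the AD PowerShell module, it uses the BitLocker module's own Backup-BitLockerKeyProtector cmdlet (which creates the msFVE-RecoveryInformation object under the computer account that the ADUC "BitLocker Recovery" tab reads) alongside BackupToAAD-BitLockerKeyProtector for Azure AD. It assumes a hybrid-joined device with line of sight to a domain controller, execution as SYSTEM via an Intune PowerShell script, and a log path of my choosing.

```powershell
# Added example: back up every BitLocker recovery password on this device
# to on-prem AD DS and to Azure AD. Assumes the device is hybrid-joined,
# can reach a domain controller, and runs this as SYSTEM (Intune script).
$ErrorActionPreference = 'Stop'
$log = "$env:ProgramData\BitLockerBackup.log"   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $log -Append
}

foreach ($vol in Get-BitLockerVolume) {
    # Only volumes with protection on have a usable recovery password
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Log "Skipping $($vol.MountPoint): protection is $($vol.ProtectionStatus)"
        continue
    }

    # Ensure a numerical RecoveryPassword protector exists; add one if missing
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Log "No RecoveryPassword protector on $($vol.MountPoint); adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        # On-prem AD DS: the computer account writes its own
        # msFVE-RecoveryInformation child object (default SELF rights)
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Log "AD DS backup OK for $($vol.MountPoint) protector $($p.KeyProtectorId)"
        } catch {
            Write-Log "AD DS backup FAILED for $($vol.MountPoint): $($_.Exception.Message)"
        }

        # Azure AD: keep the Intune-visible device record in sync as well
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Log "Azure AD backup OK for $($vol.MountPoint) protector $($p.KeyProtectorId)"
        } catch {
            Write-Log "Azure AD backup FAILED for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}
```

After it runs, verify on the pilot device by checking the log and then confirming the key appears under the computer object's "BitLocker Recovery" tab in ADUC and in the device's Azure AD record.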


Conclusion

Intune alone does not back up BitLocker keys to on-prem AD. To satisfy help-desk and compliance needs, you must layer on one of these workarounds: Group Policy for new devices, or a custom PowerShell-based solution for existing devices. While a fully automated, Microsoft-supported path doesn't exist today, these methods will ensure your recovery keys live where your team expects them.
