BitLocker keys aren't syncing to Entra ID (Azure AD)

Tommy Freddle 0 Reputation points
2026-04-30T00:54:16.7766667+00:00

I've got a policy set up in Intune to silently enable BitLocker and push the recovery keys to Entra ID. The drives are encrypting fine, but when I check the user's device in the portal, there's no recovery key backed up. I've checked Event Viewer and it just says "Failed to backup". Any ideas on what permissions or settings I might be missing?

Windows for business | Windows 365 Business

1 answer

  1. Tracy Le 7,490 Reputation points Independent Advisor
    2026-04-30T01:35:12.5366667+00:00

    Hi Tommy Freddle,

    This is a classic Intune silent encryption trap. The drive encrypts perfectly, but the key escrow fails because of either a device join state mismatch or a policy configuration sequence.

    Here is exactly how to diagnose and fix the "Failed to backup" error:

    1. Check the Device Join State (The #1 Culprit)

    BitLocker will never back up keys to Entra ID if the device is only "Entra ID Registered" (BYOD/Personal state). It MUST be Entra ID Joined or Hybrid Entra ID Joined.

    • Run dsregcmd /status in Command Prompt on the affected machine. Ensure AzureAdJoined is YES.

    2. The Policy Sequence Trap

    In your Intune Endpoint Security > Disk Encryption profile, check this specific setting under OS Drive Settings:

    Store recovery information in Azure Active Directory before enabling BitLocker: This MUST be set to Require. If it is not required, Windows encrypts the drive first, and if there is even a slight network hiccup, the backup fails and it rarely retries successfully on its own.

    3. Force the Backup Manually (The Fix)

    For the devices that are already encrypted but missing the key in the portal, do not decrypt them. You can forcefully push the key to Entra ID using PowerShell (Run as Administrator):

    First, get the Key Protector ID:

        Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector

    Copy the ID that has the type RecoveryPassword, then force the sync:

        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId "<Insert_ID_Here>"

    Run that command, and the key will appear in the Entra ID portal within seconds. If this solves your issue, please click "Accept Answer".

    Tracy Le.

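The three steps in the answer above, combined into one script as an added example (this is not code from the original post or from Microsoft): it first refuses to run unless dsregcmd reports AzureAdJoined : YES, then walks every encrypted volume, adds a numerical RecoveryPassword protector where none exists (a volume with only a TPM protector has nothing to escrow, which is one way the "Failed to backup" case arises), escrows every RecoveryPassword protector with BackupToAAD-BitLockerKeyProtector, and finally reads the BitLocker Management event channel to confirm. The event IDs it filters on (845 for a successful backup, 846 for a failed one) are the ones written to the Microsoft-Windows-BitLocker/BitLocker Management log; check them against your own log if your build differs. Run it in an elevated PowerShell session on the affected device.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow all BitLocker recovery passwords to Entra ID and verify.
# Not part of the original Q&A answer; uses only the built-in BitLocker module
# cmdlets, dsregcmd.exe and Get-WinEvent.

# 1. Join state. BackupToAAD-BitLockerKeyProtector only succeeds on a device that
#    is Entra ID joined or hybrid joined; an Entra ID registered device fails here.
$dsreg  = dsregcmd /status
$joined = ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES') -ne $null
if (-not $joined) {
    throw 'Device is not Entra ID joined (AzureAdJoined is not YES); key escrow cannot succeed in this state.'
}

# 2. Every volume that is encrypted (or encrypting) needs a RecoveryPassword
#    protector escrowed. Skip fully decrypted volumes: there is no key to back up.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($rp.Count -eq 0) {
        # Only a TPM (or other non-recovery) protector exists: there is no 48-digit
        # recovery password to escrow, so the silent backup had nothing to send.
        Write-Host "$mp has no RecoveryPassword protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($p in $rp) {
        try {
            # This is the manual equivalent of the Intune "store recovery info in
            # Entra ID" step; it uses the device's own Entra ID device identity.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
            Write-Host "$mp protector $($p.KeyProtectorId) escrowed to Entra ID."
        }
        catch {
            # Surface the real reason (network, join state, token) rather than swallowing it.
            Write-Warning "$mp protector $($p.KeyProtectorId) failed: $($_.Exception.Message)"
        }
    }
}

# 3. Confirm from the local event log rather than waiting on the portal:
#    845 = recovery information backed up to Entra ID, 846 = backup failed.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 |
    Where-Object { $_.Id -in 845, 846 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the script throws on the join check, the fix is the join state, not the BitLocker policy; re-running the backup will keep failing until dsregcmd shows AzureAdJoined : YES. After a successful 845 event, the key is listed under the device object in the Entra admin center; Intune's own BitLocker report can lag behind that.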
