I'm looking for the best methods to store BitLocker recovery keys across over 2,000 devices in our organization. We're considering options like SCCM, GPO, and Intune. Currently, we're using GPO for our Help Desk to access keys from Active Directory, but I'm wondering if there's a more efficient, long-term solution that would help our Help Desk manage these recovery keys effectively. Any thoughts or experiences that could guide us?
2 Answers
We back up our BitLocker keys through Intune, and we also have a system that grabs the recovery keys automatically. It's been really effective for managing our devices!
This is definitely the way to go. Automated systems like this can save a ton of time!
You could store the keys in Active Directory using GPO and make use of the 'Find BitLocker Recovery Password' function in ADUC. The user just needs to provide the first 8 characters of the Password ID, and you can find the corresponding recovery key easily. Also, if you're using Hybrid Join, you can keep the recovery keys in Azure too, giving you options through either AD or Azure.
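
The two approaches above (AD escrow via GPO with the ADUC "Find BitLocker Recovery Password" lookup, and Entra ID escrow for hybrid-joined devices as the Intune answer relies on) can both be scripted. The following PowerShell is an added example written for this thread, not code from either answerer. It assumes an admin workstation with the RSAT `ActiveDirectory` module and read access to `msFVE-RecoveryPassword` for the lookup, and, for the escrow part, a Windows 10 1809 or later client with the built-in `BitLocker` module. The function names `Find-BitLockerKeyInAD`, `Test-BitLockerAdBackupPolicy` and `Backup-BitLockerKeysEverywhere` are illustrative, and the Password ID prefix `FD6E1A8B` in the usage line is a made-up sample value.

```powershell
#Requires -Modules ActiveDirectory
# Added example for this thread (hypothetical function names, not from the answerers).

function Find-BitLockerKeyInAD {
    # Help Desk lookup: same thing the ADUC "Find BitLocker Recovery Password"
    # dialog does. The user reads the first 8 characters of the Password ID
    # from the recovery screen; we match them against AD.
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix
    )

    # Each msFVE-RecoveryInformation object is a child of the computer object and
    # its CN is "<timestamp>{<Password ID GUID>}", so the prefix can be matched
    # with an LDAP wildcard on cn.
    $ldap = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))"

    Get-ADObject -LDAPFilter $ldap -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
        ForEach-Object {
            # Parent DN = the computer object the key belongs to.
            $computerDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer         = (Get-ADComputer -Identity $computerDn).Name
                # msFVE-RecoveryGuid is stored as raw GUID bytes.
                PasswordId       = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
                Created          = $_.whenCreated
            }
        }
}

function Test-BitLockerAdBackupPolicy {
    # Sanity check on a client: is the GPO actually applied, and does it require
    # the key to reach AD before BitLocker is allowed to turn on? Without
    # OSRequireActiveDirectoryBackup = 1 a device can encrypt while off-network
    # and never escrow its key.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p   = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAD       = [bool]($p.OSActiveDirectoryBackup -eq 1)
        RequireBackup    = [bool]($p.OSRequireActiveDirectoryBackup -eq 1)
        PolicyPresent    = [bool]$p
    }
}

function Backup-BitLockerKeysEverywhere {
    # Run on a hybrid-joined client: escrow every recovery password protector to
    # AD DS and to Entra ID (Azure AD) so the Help Desk can use either lookup path.
    # Both cmdlets are idempotent, so this is safe to re-run from a scheduled task.
    param([string]$MountPoint = 'C:')

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No RecoveryPassword protector on $MountPoint. Add one with " +
              "Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }

    foreach ($kp in $recovery) {
        # KeyProtectorId is "{GUID}"; its first 8 hex characters are what the
        # recovery screen shows the user as the Password ID.
        Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        [pscustomobject]@{
            MountPoint = $MountPoint
            PasswordId = $kp.KeyProtectorId.Trim('{}').ToUpper()
            EscrowedTo = 'AD DS, Entra ID'
        }
    }
}

# Usage (sample prefix, not a real key):
# Find-BitLockerKeyInAD -PasswordIdPrefix 'FD6E1A8B'
# Test-BitLockerAdBackupPolicy
# Backup-BitLockerKeysEverywhere -MountPoint 'C:'
```

Two practical points for the Help Desk setup: grant read access to `msFVE-RecoveryPassword` by delegating it on the computer OUs (or via the BitLocker Recovery Password Viewer feature) rather than handing out Domain Admin, and run the escrow function on a schedule, because the GPO only backs up the key at the moment BitLocker is enabled; a volume whose recovery password was later rotated or reset from the client will otherwise have a stale key in AD.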

Same here! Intune has made our lives so much easier when it comes to recovery keys.