Intune BitLocker Recovery Key Not Escrowed

- Drive is encrypted but recovery key is unavailable in Intune/Entra. - Compliance checks fail on encryption escrow requirement. - Security team cannot verify recoverability for endpoint.

- BitLocker policy applied after encryption occurred outside managed flow. - Escrow operation failed during key rotation or device registration issue. - Protector configuration is not aligned with escrow policy requirements.

Document whether the issue affects one user, multiple users, or multiple devices. Confirm exact error messages, recent changes (password reset, update, network change), and whether the same issue reproduces in web vs desktop workflows where applicable.

Confirm the user is signed in with the correct corporate account, system time is accurate, network/VPN connectivity is stable, and the application is not running in offline or limited mode.

Use the command snippets below to collect non-destructive diagnostics. Capture output in the ticket when escalation may be required. Avoid deleting profiles, cached credentials, or managed app data unless the runbook or admin approval explicitly allows it.

- Confirm BitLocker status, protector configuration, and join state. - Validate encryption policy assignment and key escrow settings in Intune. - Use approved enterprise runbook for controlled key rotation and escrow verification. - Record audit evidence in ticket once escrow is confirmed.