Exporting BitLocker, LAPS, and FileVault Keys from Intune using Azure DevOps pipeline

Ondrej Sebela
4 min read

Keeping a secure, version-controlled backup of your Intune-managed device data, including BitLocker, LAPS, and FileVault keys, is a best practice for any modern IT team. In this post, I’ll guide you through an Azure DevOps pipeline that automates the daily export of device security data from Microsoft Intune and Azure AD, validates it, and commits the data to your private Azure DevOps repository.

Meet the device-backup-pipeline pipeline 🙂


Why Automate Device Backups?

  • Disaster Recovery: Quickly restore device secrets if Intune or Azure AD data is lost by accident or targeted attack.

  • Audit & Compliance: Maintain a historical record of device security data.

  • Change Tracking: Easily see when device keys or credentials change.


Pipeline Overview

This pipeline runs every day at 5 am and performs the following steps:

  1. Authenticates to Microsoft Graph using a secure service connection (workload identity federation, WIF).

  2. Exports device data (including BitLocker, LAPS, and FileVault keys) from Intune/Azure AD.

  3. Validates the backup to ensure all critical data is present.

  4. Exports each device’s data as a JSON file organized by OS and device serial number.

  5. Commits and tags the backup in your private Azure DevOps repository.
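The export step (steps 1, 2 and 4 above) as an added example written for this post, not the author's device-backup-pipeline.yml. It talks to Microsoft Graph v1.0 through Invoke-MgGraphRequest and assumes it runs inside an AzurePowerShell task whose service connection uses workload identity federation (so Get-AzAccessToken needs no stored secret) on an agent with the Az.Accounts and Microsoft.Graph.Authentication modules. The function names and the JSON field names (bitLockerKeys, laps, fileVaultKey) are this example's own choices.

```powershell
# Added example, not the author's pipeline code. Exports Intune/Azure AD device data
# into <Root>/<OS>/<serialNumber>.json. Assumes an AzurePowerShell task with a WIF
# service connection and the Az.Accounts + Microsoft.Graph.Authentication modules.

function Connect-GraphFromPipeline {
    # Exchange the pipeline's Azure context for a Graph token; older Az.Accounts versions
    # return the token as a plain string, newer ones as a SecureString, so handle both
    $raw = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    $token = if ($raw -is [securestring]) { $raw } else { ConvertTo-SecureString $raw -AsPlainText -Force }
    Connect-MgGraph -AccessToken $token -NoWelcome
}

function Get-GraphCollection {
    param([string]$Uri)
    # Follow @odata.nextLink so large tenants are exported completely, not just page one
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-BitLockerKeys {
    param([string]$AzureAdDeviceId)
    # The list call returns metadata only; the key itself must be fetched per id with $select=key
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$AzureAdDeviceId'"
    foreach ($meta in Get-GraphCollection $uri) {
        $full = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($meta.id)?`$select=key"
        [pscustomobject]@{ id = $meta.id; createdDateTime = $meta.createdDateTime; volumeType = $meta.volumeType; key = $full.key }
    }
}

function Get-LapsCredentials {
    param([string]$AzureAdDeviceId)
    # Devices without a LAPS backup answer 404; treat that as "no credential", not as a failure
    try {
        $r = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$AzureAdDeviceId`?`$select=credentials"
        return @($r.credentials)
    } catch { return @() }
}

function Get-FileVaultKey {
    param([string]$ManagedDeviceId)
    # Needs DeviceManagementManagedDevices.PrivilegedOperations.All; Macs without an escrowed key return an error
    try {
        return (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId/getFileVaultKey").value
    } catch { return $null }
}

function Export-DeviceBackup {
    param([string]$Root)
    # One folder per OS, one JSON file per device named by its serial number (the stable identifier)
    $folders = @{ Windows = 'Windows'; macOS = 'MacOS' }
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,serialNumber,operatingSystem,azureADDeviceId,userPrincipalName,lastSyncDateTime'
    $stats = @{ devices = 0; bitlocker = 0; laps = 0; filevault = 0 }
    foreach ($d in Get-GraphCollection $uri) {
        if (-not $d.serialNumber -or -not $d.operatingSystem -or -not $folders.ContainsKey($d.operatingSystem)) { continue }
        $record = [ordered]@{
            deviceName = $d.deviceName; serialNumber = $d.serialNumber; operatingSystem = $d.operatingSystem
            azureADDeviceId = $d.azureADDeviceId; userPrincipalName = $d.userPrincipalName
            lastSyncDateTime = $d.lastSyncDateTime; exportedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
        if ($d.operatingSystem -eq 'Windows') {
            $record.bitLockerKeys = @(Get-BitLockerKeys $d.azureADDeviceId)
            $record.laps = @(Get-LapsCredentials $d.azureADDeviceId)
            $stats.bitlocker += $record.bitLockerKeys.Count
            $stats.laps += $record.laps.Count
        } else {
            $record.fileVaultKey = Get-FileVaultKey $d.id
            if ($record.fileVaultKey) { $stats.filevault += 1 }
        }
        $folder = Join-Path $Root $folders[$d.operatingSystem]
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
        $fileName = ($d.serialNumber -replace '[\\/:*?"<>|]', '_') + '.json'   # serials are not guaranteed filesystem-safe
        $record | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $folder $fileName) -Encoding utf8
        $stats.devices += 1
    }
    return $stats
}

# Usage inside the pipeline step (the checkout folder is the repository that gets committed):
# Connect-GraphFromPipeline
# $stats = Export-DeviceBackup -Root $env:BUILD_SOURCESDIRECTORY
```

Invoke-MgGraphRequest returns hashtables, which is why the code indexes `$page.value` and `$page.'@odata.nextLink'` directly; the returned `$stats` object is what a later validation step should check before anything is committed.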


Benefits

  • Fully automated: No manual steps required.

  • Version-controlled: Every backup is committed and tagged in the Azure DevOps repository.

  • Secure: Authenticates through an Azure DevOps service connection, so no secrets are stored in the pipeline; optionally AES-encrypts the exported secrets before they are committed.

  • Auditable: All device security data is available for review and recovery.

  • Customizable: You choose what to back up


How to set this up

The pipeline itself, device-backup-pipeline.yml, is stored on my GitHub.

In general, you need to:

  • Create a private Azure DevOps repository

  • Set up a new pipeline (based on device-backup-pipeline.yml content)

  • Give the pipeline account Contribute permission, so it can push changes to the repository

  • Create a workload identity federation (WIF) service connection so that the running pipeline can access Intune and Azure via the Graph API

If you want to encrypt the stored secrets:

  • Create a strong password and save it to Azure KeyVault

  • Grant the WIF identity the Key Vault Secrets User role over the created secret

I will not go into detail about how to create an Azure DevOps repository, create the pipeline, or grant permissions to it. It’s all described in one of my previous posts already.

The only two things that are specific to this pipeline are:

  • Graph API permissions

  • Pipeline variables that need to be set to fit your environment

The Graph API permissions that need to be granted to the pipeline service connection principal:

  • DeviceManagementManagedDevices.Read.All

  • BitlockerKey.Read.All

  • DeviceLocalCredential.Read.All

  • DeviceManagementConfiguration.Read.All

  • DeviceManagementManagedDevices.PrivilegedOperations.All

  • User.ReadBasic.All

  • Device.Read.All

Pipeline variables

Before you can run the pipeline, you have to set the variables section! Each variable is commented, so it should be quite straightforward.

💡
I highly recommend setting up email notifications in case the pipeline exits unexpectedly, so you know when your backup isn't working correctly. Moreover, the function fails on purpose when no devices, BitLocker keys, LAPS credentials or FileVault keys are found, because that most likely means something is going wrong.
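The fail-on-purpose validation, as an added example that is not the author's pipeline code. It inspects the JSON files actually written to disk rather than trusting in-memory counters, and fails the Azure DevOps job through the documented `##vso` logging commands so that the "pipeline failed" notification fires. It assumes the JSON field names bitLockerKeys, laps and fileVaultKey; the function name and the MinimumDevices threshold are this example's own.

```powershell
# Added example, not from the author's pipeline. Validates the exported backup files and
# fails the Azure DevOps step when nothing useful was exported. Assumes per-device JSON
# files with the fields bitLockerKeys, laps and fileVaultKey.

function Test-DeviceBackup {
    param([string]$Root, [int]$MinimumDevices = 1)
    $files = @(Get-ChildItem -Path $Root -Recurse -Filter '*.json' -File)
    $counts = @{ devices = $files.Count; bitlocker = 0; laps = 0; filevault = 0; unreadable = 0 }
    foreach ($f in $files) {
        try { $d = Get-Content -Path $f.FullName -Raw | ConvertFrom-Json }
        catch { $counts.unreadable += 1; continue }   # a half-written file must not pass silently
        # Guard each property: a missing property is $null and @($null).Count would be 1
        if ($d.bitLockerKeys) { $counts.bitlocker += @($d.bitLockerKeys).Count }
        if ($d.laps)          { $counts.laps += @($d.laps).Count }
        if ($d.fileVaultKey)  { $counts.filevault += 1 }
    }
    $problems = @()
    if ($counts.devices -lt $MinimumDevices) { $problems += "only $($counts.devices) device file(s) found" }
    if ($counts.unreadable -gt 0)            { $problems += "$($counts.unreadable) file(s) are not valid JSON" }
    if (($counts.bitlocker + $counts.laps + $counts.filevault) -eq 0) {
        $problems += 'no BitLocker, LAPS or FileVault secret was exported; check the Graph permissions and filters'
    }
    # Surface every problem as an error annotation in the pipeline log
    foreach ($p in $problems) { Write-Host "##vso[task.logissue type=error]Backup validation: $p" }
    Write-Host "Backup contains $($counts.devices) devices, $($counts.bitlocker) BitLocker keys, $($counts.laps) LAPS credentials, $($counts.filevault) FileVault keys"
    if ($problems.Count -gt 0) {
        Write-Host '##vso[task.complete result=Failed;]Backup validation failed'
        throw 'Backup validation failed; nothing will be committed'   # stops the step before the git commit
    }
    return $counts
}

# Usage inside the pipeline step, after the export has written the files:
# $counts = Test-DeviceBackup -Root $env:BUILD_SOURCESDIRECTORY
```

Throwing after the `##vso[task.complete result=Failed;]` line is deliberate: the logging command marks the task as failed even if the caller has `ErrorActionPreference` set to `Continue`, and the exception prevents the following commit-and-tag step from pushing an empty or partial backup.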

Security concerns

This repository will contain highly sensitive data, so you must be very cautious about who has access, where the data is stored, and other security considerations.

Some general tips:

  • Use the built-in encryption feature

    • AES encryption protects the secrets at rest; just make sure only the right people have access to the Key Vault encryption key!

  • Make sure the repository is set to private (not public)

  • Make sure only relevant people have access to the repository

  • Use a self-hosted agent (on a Tier-0 server) to run the pipeline
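How the "encrypt with a password kept in Key Vault" tip can be implemented, as an added example that is not the author's module: it is a stand-alone Protect/Unprotect pair using AES-256-GCM with a PBKDF2-derived key, and its wire format (base64 of salt, nonce, tag and ciphertext) is this example's own choice, so it is not compatible with the author's ConvertFrom-EncryptedString. It assumes PowerShell 7.2 or newer (for the .NET 6 crypto APIs) and the Az.KeyVault module.

```powershell
# Added example, not the author's code. Authenticated AES-256-GCM encryption of a
# backup value with a key derived from a password stored in Azure Key Vault.
# Format (this example's own): base64( salt[16] || nonce[12] || tag[16] || ciphertext ).
# Requires PowerShell 7.2+ and the Az.KeyVault module.

$script:Pbkdf2Iterations = 600000   # PBKDF2-SHA256 rounds; raise when the agent hardware allows

function Get-EncryptionPassword {
    param([string]$VaultName, [string]$SecretName)
    # The pipeline identity only needs "Key Vault Secrets User" on this single secret
    (Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName).SecretValue |
        ConvertFrom-SecureString -AsPlainText
}

function Get-DerivedKey {
    param([string]$Password, [byte[]]$Salt)
    # Per-value random salt, so two secrets encrypted with the same password never share a key
    [System.Security.Cryptography.Rfc2898DeriveBytes]::Pbkdf2(
        $Password, $Salt, $script:Pbkdf2Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256, 32)
}

function Protect-Secret {
    param([string]$PlainText, [string]$Password)
    $salt  = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(16)
    $nonce = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(12)   # never reuse a nonce with the same key
    $key   = Get-DerivedKey -Password $Password -Salt $salt
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = [byte[]]::new($plain.Length)
    $tag    = [byte[]]::new(16)
    $aes = [System.Security.Cryptography.AesGcm]::new($key)
    try { $aes.Encrypt($nonce, $plain, $cipher, $tag) } finally { $aes.Dispose() }
    return [Convert]::ToBase64String([byte[]]($salt + $nonce + $tag + $cipher))
}

function Unprotect-Secret {
    param([string]$EncryptedText, [string]$Password)
    $blob = [Convert]::FromBase64String($EncryptedText)
    if ($blob.Length -lt 44) { throw 'Encrypted value is too short to contain salt, nonce and tag' }
    $salt   = [byte[]]$blob[0..15]
    $nonce  = [byte[]]$blob[16..27]
    $tag    = [byte[]]$blob[28..43]
    $cipher = if ($blob.Length -gt 44) { [byte[]]@($blob[44..($blob.Length - 1)]) } else { [byte[]]::new(0) }
    $key   = Get-DerivedKey -Password $Password -Salt $salt
    $plain = [byte[]]::new($cipher.Length)
    $aes = [System.Security.Cryptography.AesGcm]::new($key)
    # Decrypt throws CryptographicException when the tag does not verify: wrong password or a tampered repository entry
    try { $aes.Decrypt($nonce, $cipher, $tag, $plain) } finally { $aes.Dispose() }
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage in the export step (VaultName/SecretName are placeholders for your own values):
# $pw = Get-EncryptionPassword -VaultName '<someKeyVaultName>' -SecretName '<someSecretName>'
# $record.laps = @($record.laps | ForEach-Object { Protect-Secret -PlainText $_.passwordBase64 -Password $pw })
# Recovery: Unprotect-Secret -EncryptedText $record.laps[0] -Password $pw
```

GCM gives integrity as well as confidentiality, which matters in a git-backed store: a modified ciphertext fails to decrypt instead of yielding a wrong recovery key, and because every value carries its own salt and nonce, a diff in the History tab shows a changed entry only when the underlying secret actually changed.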


What the backup structure looks like

The backup structure looks like this 👇

So you have device data exported as JSON files, separated into two folders MacOS and Windows based on the device operating system. The device serial number is considered a unique identifier; hence, it is used as the JSON file name.


FAQ

  • How do I decrypt a secret?

    • Use the following PowerShell code (Az.KeyVault module; ConvertFrom-SecureString -AsPlainText needs PowerShell 7)

          # Fetch the encryption key from Key Vault (the caller needs read access to this one secret)
          $encryptionKey = Get-AzKeyVaultSecret -VaultName "<someKeyVaultName>" -Name "<someSecretName>"
          # Unwrap the SecureString into plain text for the decryption call
          $encryptionKeyValue = $encryptionKey.SecretValue | ConvertFrom-SecureString -AsPlainText
          # Decrypt one encrypted value copied from the device's backup JSON
          $decryptedText = ConvertFrom-EncryptedString -EncryptedText "<encryptedSecret>" -Key $encryptionKeyValue

  • What happens when the device gets deleted from Azure/Intune?

    • The device backup (the <deviceSerial>.json file) stays intact in your repository

  • What happens when the device gets reinstalled?

    • The device backup (JSON file) is updated with the new information

  • What if I need to see what the LAPS password was set to a week ago (I restored the device from a backup, or for any other reason)?

    • Use the History tab in the DevOps portal to show the previous versions of the device backup


Conclusion

With this Azure DevOps pipeline, you can rest easy knowing your Intune device security data is safely backed up, versioned, and ready for disaster recovery or audit. Adapt the scripts to your environment, and you’ll have a powerful, hands-off backup solution for your device secrets.
