Exporting BitLocker, LAPS, and FileVault Keys from Intune using Azure DevOps pipeline


Keeping a secure, version-controlled backup of your Intune-managed device data, including BitLocker, LAPS, and FileVault keys, is a best practice for any modern IT team. In this post, I’ll guide you through an Azure DevOps pipeline that automates the daily export of device security data from Microsoft Intune and Azure AD, validates it, and commits the data to your private Azure DevOps repository.
Meet the device-backup-pipeline pipeline 🙂
Why Automate Device Backups?
Disaster Recovery: Quickly restore device secrets if Intune or Azure AD data is lost by accident or targeted attack.
Audit & Compliance: Maintain a historical record of device security data.
Change Tracking: Easily see when device keys or credentials change.
Pipeline Overview
This pipeline runs every day at 5 am and performs the following steps:
Authenticates to Microsoft Graph through a secure service connection (workload identity federation), so no client secret is stored in the pipeline.
Exports device data (including BitLocker, LAPS, and FileVault keys) from Intune/Azure AD.
Validates the backup to ensure all critical data is present.
Exports each device’s data as a JSON file organized by OS and device serial number.
Commits and tags the backup in your private Azure DevOps repository.
Benefits
Fully automated: No manual steps required.
Version-controlled: Every backup is committed and tagged in Azure DevOps repository.
Secure: Authenticates through an Azure DevOps service connection (workload identity federation), so there is no client secret to store anywhere, and the exported device secrets can optionally be AES-encrypted at rest with a password kept in Azure Key Vault.
Auditable: All device security data is available for review and recovery.
Customizable: You choose what to back up
How to set this up
The pipeline device-backup-pipeline.yml itself is stored in my GitHub.
In general, you need to:
Create a private Azure DevOps repository
Set up a new pipeline (based on the device-backup-pipeline.yml content)
Give the pipeline's build service account Contribute permission on the repository, so it can push changes
Create a workload identity federation (WIF) service connection so that the running pipeline can reach Intune and Azure AD through the Graph API
If you want to encrypt the stored secrets:
Create a strong password and save it to Azure Key Vault as a secret
Grant the WIF identity the Key Vault Secrets User role on that secret (the role scoped to the single secret, not the whole vault)
I will not go into detail about how to create an Azure DevOps repository, create the pipeline, or grant permissions to it; it is all described in one of my previous posts already.
The only two things that are specific to this pipeline are:
Graph API permissions
Pipeline variables that need to be set to fit your environment
What Graph API permissions need to be granted to the pipeline service connection principal (these are application permissions, not delegated ones, so an administrator has to grant tenant-wide admin consent for them):
DeviceManagementManagedDevices.Read.All
BitlockerKey.Read.All
DeviceLocalCredential.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.PrivilegedOperations.All
User.ReadBasic.All
Device.Read.All
Note that DeviceManagementManagedDevices.PrivilegedOperations.All is not a read-only permission: it allows user-impacting remote actions on Intune devices, and the three key-related permissions give access to every BitLocker, LAPS and FileVault secret in the tenant. Whoever can run this pipeline, edit its YAML, or use the service connection effectively holds the same power, so restrict the service connection to this one pipeline, protect the pipeline's branch, and treat the WIF identity as a Tier-0 asset.
Pipeline variables
Before you can run the pipeline, you have to set the variables section! Each variable is commented, so it should be quite straightforward.
Security concerns
This repository will contain highly sensitive data, so you must be very cautious about who has access, where the data is stored, and other security considerations.
Some general tips:
Use the built-in encryption feature: AES encryption protects the exported secrets at rest, just make sure only the right people have access to the Key Vault secret that holds the encryption password, because whoever can read it can decrypt the whole backup.
Make sure the repository is set to private (not public).
Make sure only relevant people have access to the repository, and remember that its full history (every past key and LAPS password) is readable by anyone who can clone it.
Use a self-hosted agent (on a Tier-0 server) to run the pipeline, so the plaintext secrets never pass through a shared, Microsoft-hosted build machine.
What the backup structure looks like
The backup structure looks like this (the screenshot from the original post is not reproduced here):
Windows/<deviceSerial>.json
MacOS/<deviceSerial>.json
So you have device data exported as JSON files, separated into two folders, MacOS and Windows, based on the device operating system. The device serial number is considered a unique identifier; hence, it is used as the JSON file name.
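As an added example (my own code, not the author's device-backup-pipeline.yml), here is a minimal PowerShell version of the export step described in the pipeline overview above, producing the Windows/<serial>.json and MacOS/<serial>.json layout just shown. It assumes a Graph access token is already in hand (inside an AzureCLI@2 task bound to the WIF service connection, az account get-access-token --resource-type ms-graph --query accessToken -o tsv gives one), PowerShell 7, and the Graph endpoints as I know them from the reference (informationProtection/bitlocker/recoveryKeys, directory/deviceLocalCredentials and the beta getFileVaultKey function); $BackupRoot, Invoke-Graph and the record layout are my own choices.

```powershell
# Added example, not the author's pipeline: export per-device secrets from Graph
# into <BackupRoot>/<OS>/<serial>.json. Requires PowerShell 7 and a bearer token
# for https://graph.microsoft.com obtained through the WIF service connection.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [string]$BackupRoot = (Join-Path $PWD 'backup')
)
$ErrorActionPreference = 'Stop'
$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $AccessToken" }

function Invoke-Graph {
    # GET with paging: collections come back in .value with @odata.nextLink and are
    # concatenated; single objects and function results are returned unchanged.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $resp = Invoke-RestMethod -Method GET -Uri $Uri -Headers $headers
        if ($resp.PSObject.Properties['value'] -and $resp.value -is [System.Array]) {
            $items += $resp.value
            $Uri = $resp.'@odata.nextLink'
        } else {
            return $resp
        }
    }
    return $items
}

$select  = 'id,deviceName,serialNumber,operatingSystem,azureADDeviceId'
$devices = Invoke-Graph "$graph/v1.0/deviceManagement/managedDevices?`$select=$select"
$summary = [ordered]@{ Windows = 0; MacOS = 0; skipped = 0 }

foreach ($d in $devices) {
    # The serial number becomes the file name. It is reported by the device itself,
    # so it is treated as untrusted: empty ones are skipped, odd characters replaced.
    if ([string]::IsNullOrWhiteSpace($d.serialNumber)) {
        Write-Warning "Skipping '$($d.deviceName)': no serial number"
        $summary['skipped']++; continue
    }
    $fileName = ($d.serialNumber -replace '[^\w\-.]', '_') + '.json'

    $record = [ordered]@{
        deviceName      = $d.deviceName
        serialNumber    = $d.serialNumber
        operatingSystem = $d.operatingSystem
        azureADDeviceId = $d.azureADDeviceId
        intuneDeviceId  = $d.id
        exportedAt      = [DateTime]::UtcNow.ToString('o')
    }
    $folder = $null
    if ($d.operatingSystem -like 'Windows*') {
        $folder = 'Windows'
        # BitLocker: the list call returns metadata only; the key value needs a second
        # call per key ID, and each of those reads is written to the Entra audit log.
        $keyRefs = Invoke-Graph "$graph/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$($d.azureADDeviceId)'"
        $record.bitlockerKeys = @(foreach ($k in $keyRefs) {
            $full = Invoke-Graph "$graph/v1.0/informationProtection/bitlocker/recoveryKeys/$($k.id)?`$select=key"
            [ordered]@{ id = $k.id; volumeType = $k.volumeType; createdDateTime = $k.createdDateTime; key = $full.key }
        })
        # Windows LAPS backed up to Entra ID; a 404 means no LAPS backup exists yet.
        try {
            $laps = Invoke-Graph "$graph/v1.0/directory/deviceLocalCredentials/$($d.azureADDeviceId)?`$select=credentials"
            $record.laps = @(foreach ($c in $laps.credentials) {
                [ordered]@{
                    accountName    = $c.accountName
                    backupDateTime = $c.backupDateTime
                    password       = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($c.passwordBase64))
                }
            })
        } catch { $record.laps = @() }
    } elseif ($d.operatingSystem -like 'macOS*') {
        $folder = 'MacOS'
        # FileVault personal recovery key: a beta function, and the reason the pipeline
        # needs DeviceManagementManagedDevices.PrivilegedOperations.All.
        try   { $record.fileVaultKey = (Invoke-Graph "$graph/beta/deviceManagement/managedDevices/$($d.id)/getFileVaultKey").value }
        catch { $record.fileVaultKey = $null }
    }
    if (-not $folder) { $summary['skipped']++; continue }   # other OS: nothing to back up here

    $dir = Join-Path $BackupRoot $folder
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $record | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $dir $fileName) -Encoding utf8
    $summary[$folder]++
}
"Exported: Windows=$($summary.Windows) MacOS=$($summary.MacOS) skipped=$($summary.skipped)"
```

The files this writes hold plaintext keys and passwords; in the real pipeline the encryption step (if enabled) runs before the commit, and the validation step checks that the counts are plausible before anything is tagged. Two things worth knowing when you run something like this in a tenant: every BitLocker key read shows up as its own Entra audit event under the pipeline's identity, so a sudden burst of them at 5 am is expected and should be allow-listed in your detections, and the JSON files are a convenient place for an attacker to look, which is exactly why the repository and the agent must be treated as Tier-0.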
FAQ
How to decrypt a secret?
Just use the following PowerShell code (it needs PowerShell 7 because of ConvertFrom-SecureString -AsPlainText, the Az.KeyVault module for Get-AzKeyVaultSecret and a session that has already run Connect-AzAccount; ConvertFrom-EncryptedString is not a built-in PowerShell cmdlet, so make sure the module that provides it is loaded):
# read the encryption password from Key Vault
$encryptionKey = Get-AzKeyVaultSecret -VaultName "<someKeyVaultName>" -Name "<someSecretName>"
# turn the SecureString into plain text (PowerShell 7+)
$encryptionKeyValue = $encryptionKey.SecretValue | ConvertFrom-SecureString -AsPlainText
# decrypt one encrypted value taken from a <deviceSerial>.json file
$decryptedText = ConvertFrom-EncryptedString -EncryptedText "<encryptedSecret>" -Key $encryptionKeyValue
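The post does not show what ConvertFrom-EncryptedString does internally, so here is an added example of how the "AES encryption with a password from Key Vault" feature mentioned in the security tips and in this FAQ can be built. It is my own code, not the pipeline's helper: Protect-Secret and Unprotect-Secret are hypothetical names, the blob format (salt, IV, ciphertext, HMAC tag, base64-encoded) is my choice, and it assumes PowerShell 7. The password would come from Get-AzKeyVaultSecret exactly as in the snippet above.

```powershell
# Added example, not the pipeline's own helper: AES-256-CBC with a PBKDF2-derived
# key and an HMAC-SHA256 tag (encrypt-then-MAC) over a password taken from Key Vault.
# Output format: base64( salt[16] | iv[16] | ciphertext | hmac[32] ). PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Text

function Get-DerivedKeys {
    param([string]$Password, [byte[]]$Salt)
    # PBKDF2-HMAC-SHA256, 600k iterations -> 32 bytes AES key + 32 bytes HMAC key
    $kdf = [Rfc2898DeriveBytes]::new($Password, $Salt, 600000, [HashAlgorithmName]::SHA256)
    try { $bytes = $kdf.GetBytes(64) } finally { $kdf.Dispose() }
    return @{ Enc = [byte[]]$bytes[0..31]; Mac = [byte[]]$bytes[32..63] }
}

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText, [Parameter(Mandatory)][string]$Password)
    $rng  = [RandomNumberGenerator]::Create()
    $salt = [byte[]]::new(16); $rng.GetBytes($salt)     # fresh salt: same password, different keys per value
    $iv   = [byte[]]::new(16); $rng.GetBytes($iv)       # fresh IV: same plaintext, different ciphertext
    $keys = Get-DerivedKeys -Password $Password -Salt $salt
    $aes  = [Aes]::Create(); $aes.Key = $keys.Enc; $aes.IV = $iv   # CBC + PKCS7 are the defaults
    try {
        $pt = [Encoding]::UTF8.GetBytes($PlainText)
        $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    } finally { $aes.Dispose() }
    $mac = [HMACSHA256]::new($keys.Mac).ComputeHash([byte[]]($iv + $ct))
    return [Convert]::ToBase64String([byte[]]($salt + $iv + $ct + $mac))
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Encrypted, [Parameter(Mandatory)][string]$Password)
    $blob = [Convert]::FromBase64String($Encrypted)
    if ($blob.Length -lt 16 + 16 + 16 + 32) { throw 'Ciphertext too short' }
    $salt = [byte[]]$blob[0..15]
    $iv   = [byte[]]$blob[16..31]
    $ct   = [byte[]]$blob[32..($blob.Length - 33)]
    $mac  = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]
    $keys = Get-DerivedKeys -Password $Password -Salt $salt
    # Verify the tag before touching the ciphertext; compare without early exit so a
    # wrong password and a tampered blob take the same time to reject.
    $expected = [HMACSHA256]::new($keys.Mac).ComputeHash([byte[]]($iv + $ct))
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $mac[$i]) }
    if ($diff -ne 0) { throw 'Wrong password or tampered data' }
    $aes = [Aes]::Create(); $aes.Key = $keys.Enc; $aes.IV = $iv
    try { $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length) } finally { $aes.Dispose() }
    return [Encoding]::UTF8.GetString($pt)
}

# Demo with a constructed password; in the pipeline it comes from Key Vault:
# $password = (Get-AzKeyVaultSecret -VaultName '<kv>' -Name '<secret>').SecretValue | ConvertFrom-SecureString -AsPlainText
$password = 'demo-only-password'
$blob = Protect-Secret -PlainText '123456-654321-111111-222222-333333-444444-555555-666666' -Password $password
Unprotect-Secret -Encrypted $blob -Password $password
```

The MAC is what makes this safe to keep in a repository many people can read: without it, anyone with write access could flip bits in a CBC ciphertext and the decrypt step would happily return a corrupted recovery key. The per-value salt also means that rotating the Key Vault password requires re-encrypting every file, which is the price of not having one derived key for the whole backup.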
What happens when the device gets deleted from Azure AD/Intune?
- The device backup, i.e. the <deviceSerial>.json file, will stay intact in your backup
What happens when the device gets reinstalled?
- The device backup (JSON file) will be updated with the new information, and the previous keys remain in the repository history
What if I need to see what the LAPS password was set to a week ago (I restored the device from the backup, or for any other reason)?
- Use the History tab in the DevOps portal to show the previous device backup versions
Conclusion
With this Azure DevOps pipeline, you can rest easy knowing your Intune device security data is safely backed up, versioned, and ready for disaster recovery or audit. Adapt the scripts to your environment, and you’ll have a powerful, hands-off backup solution for your device secrets.
Written by Ondrej Sebela
I have worked as a System Administrator for more than 15 years now and I love to make my life easier by automating work & personal stuff via PowerShell (even silly things like food recipe list generation).