Data Recovery Agent
Add the ability to add a BitLocker Data Recovery Agent (DRA) from an internal PKI for AAD-joined devices. This would give the enterprise the ability to always recover/unlock the disk if the object has been removed from AAD, since the recovery keys stored there are removed if/when the object is removed.
We currently use the DRA for hybrid/on-prem devices, but it is delivered via GPO and there is no native way to do this with Intune policies. We're working on a scripted workaround to deliver the DRA via LGPO.exe, but it's obviously not an ideal method.
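One shape such an LGPO.exe-based workaround can take, shown here as an added example (this is not the poster's script and not anything shipped by Intune or Microsoft). It assumes LGPO.exe and the DRA public certificate have already been staged on the device (the paths and the organisation identifier below are hypothetical), that `certutil -grouppolicy -addstore FVE` writes into the local policy certificate store that the BitLocker DRA GPO setting uses, and that `manage-bde -SetIdentifier` adds the DRA protector to an already-encrypted volume once the identification field matches; treat those three points as assumptions to verify in your own environment.

```powershell
# Added example, not the original poster's script: stage a BitLocker DRA on an
# AAD-joined device through Local Group Policy with LGPO.exe.
# Assumptions (not from the post): LGPO.exe and the DRA certificate were already
# copied to the paths below, e.g. by an Intune Win32 app.
param(
    [string]$LgpoPath      = 'C:\ProgramData\Contoso\LGPO.exe',           # hypothetical path
    [string]$DraCertPath   = 'C:\ProgramData\Contoso\bitlocker-dra.cer',  # hypothetical path
    [string]$OrgIdentifier = 'Contoso-BitLocker-ID',                      # hypothetical identification field
    [string]$OsDrive       = 'C:'
)

$ErrorActionPreference = 'Stop'

# 1. Place the DRA certificate in the local policy certificate store used by the
#    BitLocker DRA setting (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE).
#    Assumption: certutil's -grouppolicy switch targets that policy store.
& certutil.exe -grouppolicy -addstore FVE $DraCertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil could not add the DRA certificate (exit $LASTEXITCODE)" }

# 2. Build an LGPO text file (Computer / key / value / type:data, blank-line separated)
#    that allows DRA use for OS and fixed drives and sets the identification field.
#    A DRA only applies to volumes whose identifier matches IdentificationFieldString.
$policy = @"
Computer
Software\Policies\Microsoft\FVE
OSRecovery
DWORD:1

Computer
Software\Policies\Microsoft\FVE
OSManageDRA
DWORD:1

Computer
Software\Policies\Microsoft\FVE
FDVRecovery
DWORD:1

Computer
Software\Policies\Microsoft\FVE
FDVManageDRA
DWORD:1

Computer
Software\Policies\Microsoft\FVE
IdentificationField
DWORD:1

Computer
Software\Policies\Microsoft\FVE
IdentificationFieldString
SZ:$OrgIdentifier
"@
$policyFile = Join-Path $env:TEMP 'bitlocker-dra.lgpo.txt'
Set-Content -Path $policyFile -Value $policy -Encoding ASCII

# 3. Import the settings into the local machine GPO and refresh policy.
& $LgpoPath /t $policyFile /v | Out-Null
if ($LASTEXITCODE -ne 0) { throw "LGPO import failed (exit $LASTEXITCODE)" }
& gpupdate.exe /target:computer /force | Out-Null

# 4. Stamp the identifier on an already-encrypted OS drive so the DRA applies
#    (assumption: this also attaches the DRA protector), then verify it is listed.
& manage-bde.exe -SetIdentifier $OsDrive | Out-Null
$protectors = & manage-bde.exe -protectors -get $OsDrive
if ($protectors -match 'Data Recovery Agent') {
    Write-Output "DRA protector present on $OsDrive"
} else {
    Write-Warning "No DRA protector found on $OsDrive; check the policy import and identifier"
}
```

Two caveats a practitioner should check before relying on this: the Intune BitLocker CSP writes the same `HKLM\SOFTWARE\Policies\Microsoft\FVE` values, so the recovery settings in the LGPO file must match the Intune policy or the two will fight over them; and the local GPO lives only on the device, so a reimage or policy reset silently drops the DRA, which is exactly why a native Intune setting is being requested.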