You should probably open a support case here to explore the full details; however, here are a few comments:
- Intune is not responsible for saving the recovery key to AD or AAD; that's Windows' job. Intune simply sets a policy to tell Windows to do it.
- Intune does not store the recovery key; that's done in AD or AAD depending on the join type.
- Adding a work account to a Windows endpoint results in an AAD registration (aka Workplace join) and is intended to be a BYOD scenario and not one for use on corporate/enterprise-owned endpoints. You should strongly consider hybrid Azure AD joining or (full) Azure AD joining these endpoints instead of using AAD registration.
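
An added example, not part of the original reply: since the reply ties where the recovery key is stored to the join type, this PowerShell sketch classifies an endpoint's join type from `dsregcmd /status` output and lists the BitLocker recovery password protector IDs on the OS volume so they can be compared with what the directory holds. The function name `Get-JoinType` and the sample lines are constructed for illustration; the live section assumes an elevated session on the endpoint.

```powershell
# Added example: classify the join type from `dsregcmd /status` output.
# Get-JoinType is a hypothetical helper name, not a built-in cmdlet.
function Get-JoinType {
    param([string[]]$StatusLines)
    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints lines such as "AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($state['AzureAdJoined'] -and $state['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($state['AzureAdJoined'])   { return 'Azure AD joined' }
    if ($state['DomainJoined'])    { return 'AD domain joined' }
    if ($state['WorkplaceJoined']) { return 'Azure AD registered (Workplace join)' }
    return 'Not joined or registered'
}

# Constructed sample: a BYOD-style device where only a work account was added.
$sample = @(
    '             AzureAdJoined : NO',
    '              DomainJoined : NO',
    '           WorkplaceJoined : YES'
)
"Sample device: $(Get-JoinType -StatusLines $sample)"

# Live check on the local endpoint (run elevated).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    "This device:   $(Get-JoinType -StatusLines (dsregcmd.exe /status))"
}
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Recovery password protectors are what Windows backs up to AD or AAD;
    # the IDs printed here are the ones to look for in the directory.
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId
}
```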