BitLocker Recovery Keys in a Hybrid AAD Joined Device
When configuring BitLocker through an Endpoint protection policy on a hybrid joined device, the setting "Store Recovery information in Azure Active Directory before enabling BitLocker" appears to set the OSRequireActiveDirectoryBackup_Name OMA-URI, which causes the key to be backed up to the on-prem AD DS and does not store the key in Azure AD.
The verbiage of this setting should be changed to reflect what it actually does; ideally it would back the key up to both locations for a hybrid joined device.
How did you get it working for Win10 1903?
I have a test group of computers and they successfully show up as Hybrid AAD Joined, but when I try to enable BitLocker on those devices and "Save to your cloud domain account" I get a dialog box: BitLocker Drive Encryption error "Can't save to your cloud domain account".
It seems to be working on W10 1903. Co-managed machines back up the recovery password to AAD and it is also visible from the Intune recovery key view.
However, a fix is needed for W10 1809.
@Nick Hogarth - this doesn’t work for me. I see my W10 1903, but no keys
Nick Hogarth commented
If you have a device configuration profile assigned to the device to require BitLocker, the keys are stored for Hybrid in Intune > Devices > All Devices > select the device > Recovery keys.
This is on W10 1903.
This is not working for our deployment.
The only workaround we have found is to go to the end user's machine, open BitLocker Management and select the save recovery code to cloud account option.
The recovery code then shows under the devices in Azure AD.
Michael M. commented
I can confirm that (now) the BitLocker key does back up to Azure AD for Hybrid machines, but the user can't do a self-service checkout of this recovery key as it doesn't show their hybrid machine under their account in Azure.
The key can be fetched by a tech who has access to Azure. But greater consistency between Hybrid and Azure machines would be appreciated as the general user won't know how their machine is connected, and so won't know if they should see their machine for self service recovery or if they have to contact the help desk.
Any solution for this issue?
Where in the AAD console are you seeing the recovery key?
Hello, I have tested this feature today, and it's working! When I enable the Endpoint Protection Policy (Windows Encryption) in Intune and assign it to a group with AAD Hybrid Join devices, it's applying correctly! And I can see the BitLocker recovery key on the AAD Hybrid join device (from the AAD console) and in the AD computer object! (same key, of course). I cannot see the recovery key in the "Recovery keys" option from Intune (I think because in AAD, AAD Hybrid join devices have no assigned user).
Sean Hennessy commented
This is a must-have requirement given many enterprises have on-prem AD controllers.
Kartikay Sharma commented
This feature has been asked to be added to Windows 10 by many enterprises and is a major requirement for most administrators who wish to use Modern management and are working to get away from on-prem completely while they are still hybrid.
Is there any update to having Hybrid Azure AD joined devices being able to save their Bitlocker to AAD?
Any update on this!! We are facing the same issue. We are using the Hybrid Azure AD join Autopilot deployment method to set up Win 10 devices and have deployed the BitLocker policy via Intune. What is happening is that the drive is encrypted and the key is not stored in Azure AD; after troubleshooting, we found event logs stating it failed to store the key to Active Directory. We want the key to be stored in Azure AD for self-service.
I also tried deploying a script to save the BitLocker key to Azure AD, but no luck, it's throwing a catastrophic error, but when we manually try to save the key to the cloud from the BitLocker wizard it's working.
Dustin Adam commented
+1, we know that we can manually trigger the escrow using PowerShell, but also being a Hybrid customer deploying Hybrid AAD Joined devices, we would prefer that keys get automatically escrowed to both AD and AAD.
Seriously... How can this not be fixed already?
Should we have assumed that Intune stores the recovery key in local AD, when the setting clearly states the key should be backed up to Azure AD?
Is there a language class I missed?
I'm having this issue too. Any help from Microsoft would be appreciated.
Can you please advise on this?
We are using 1809 with hybrid join and as per the problem statement, this is confusing for deployment.
The keys are stored in local AD rather than AAD or the user AAD profile.
Mathieu Aït Azzouzene commented
The only workaround I have found for now is to deploy a PowerShell script; the command BackupToAAD-BitLockerKeyProtector does the trick.
It seems to store these only against the device for Hybrid joined devices so the self service recovery for the user is useless. It would be nice if these could move to known user of a device.
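As an added example (not a script posted by any commenter above), this is what the PowerShell workaround described by Dustin and Mathieu looks like when written out: it finds the OS volume's recovery-password protectors, escrows each to Azure AD with BackupToAAD-BitLockerKeyProtector and, on a domain-joined machine, also to AD DS with Backup-BitLockerKeyProtector, then reads the BitLocker event log to confirm. It assumes the built-in BitLocker module (Windows 10 1809 or later) and local administrator rights.

```powershell
# Added example, not from the thread: escrow the OS volume's recovery
# password(s) to Azure AD and (if domain-joined) to on-prem AD DS, then
# confirm the result from the BitLocker event log.
# Assumes the built-in BitLocker module and an elevated session.
Import-Module BitLocker -ErrorAction Stop

$mountPoint = $env:SystemDrive
$volume = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop

# Only RecoveryPassword protectors can be escrowed; TPM protectors cannot.
$recoveryProtectors = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    # No recovery password on the volume yet: add one so there is something to escrow.
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = (Get-BitLockerVolume -MountPoint $mountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

$isDomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

foreach ($kp in $recoveryProtectors) {
    try {
        # Cloud escrow: the key then appears on the device object in Azure AD.
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
        Write-Output "Escrowed $($kp.KeyProtectorId) to Azure AD"
    } catch {
        # Surfaces the "catastrophic error" some commenters hit instead of failing silently.
        Write-Warning "Azure AD escrow failed for $($kp.KeyProtectorId): $_"
    }

    if ($isDomainJoined) {
        try {
            # On-prem escrow: stored under the computer object in AD DS.
            Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "Escrowed $($kp.KeyProtectorId) to AD DS"
        } catch {
            Write-Warning "AD DS escrow failed for $($kp.KeyProtectorId): $_"
        }
    }
}

# Verify: event 845 records a successful Azure AD backup, 846 a failed one.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Deployed through Intune as a device-context script, this runs as SYSTEM on the device, so the escrowed key lands on the device object rather than the user, which matches the self-service limitation Mathieu and Michael describe.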