BitLocker Recovery Keys in a Hybrid AAD Joined Device
When configuring BitLocker through an Endpoint protection policy on a hybrid joined device, the setting "Store Recovery information in Azure Active Directory before enabling BitLocker" appears to set the OSRequireActiveDirectoryBackup_Name OMA-URI, which causes the key to be backed up to the on-prem AD DS and does not store the key in Azure AD.
The verbiage of this setting should be changed to reflect what it actually does; ideally, it would back the key up to both locations for a hybrid joined device.
Kartikay Sharma commented
Starting with Windows 10 v1903, the keys are now backed up to On-Prem AD and to Azure AD on Hybrid Joined machines, provided the machine has line of sight to On-Prem DCs and Internet connectivity to reach Azure AD for backing up keys.
There's a ton of comments on this, so I just wanted to say: I agree that it needs to be fixed, but I've been able to work around it by deploying a script that sends the keys to AAD.
Bitlocker control panel applet. Should also work with manage-bde -protectors but haven't tested at this point - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors#syntax
"Manual backup to AAD as admin user succeeds" - Hmm, how did you achieve that?
We have the same issue, Intune silent encryption succeeds as standard user, backup of recovery key to AD succeeds, but fails to AAD. Manual backup to AAD as admin user succeeds.
Paul Seifert commented
Same experience on our site. Is this a well known bug or do we have a bug in our configuration?
I have the same experience. All keys will be written to AD where you expect this to be in AzureAD (or both).
Check out this new Modern MDM tool we are using; they allow you to capture BitLocker and TPM information from single or all machines. They also have a BitLocker rotation policy based on client settings you put in place.
Darin Perusich commented
We are finding that backing up the BitLocker recovery keys to AzureAD fails for about 25% of our hybrid joined devices. We can see that the recovery keys are backed up to on-premises Active Directory, the action is logged in BitLocker-API, however there are no log entries in the log for the AzureAD backup. We've worked around this bug/issue with a PowerShell script that's assigned to ALL devices via Intune, but this is clearly not working as documented.
I did open a support request with Intune support, but in the end they were not able to determine the cause of this bug, recommended the PowerShell script workaround, and said they did not have the resources to troubleshoot further and we'd have to open a case with Intune Premium support and to add a suggestion on this channel.
Please address this bug/issue and make the backing up of BitLocker Recovery Keys to AzureAD stable and reliable.
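The kind of workaround script mentioned in the comments above, written here as an added example rather than any commenter's actual script. It assumes it is deployed as an Intune PowerShell script running as SYSTEM on a hybrid Azure AD joined device with Windows 10 1809 or later (where the BitLocker module ships BackupToAAD-BitLockerKeyProtector), and it confirms each escrow by reading the Azure AD backup result events (845 success, 846 failure) from the BitLocker Management log instead of trusting the cmdlet alone.

```powershell
# Added example (not from the thread): escrow every BitLocker recovery password to Azure AD.
# Assumptions: runs as SYSTEM via Intune on a hybrid Azure AD joined device, Windows 10 1809+
# (BackupToAAD-BitLockerKeyProtector ships with the BitLocker module from that release).
# Event IDs 845/846 are the Azure AD backup success/failure events in the log below.
$ErrorActionPreference = 'Stop'
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$failed  = 0

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $protectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($protectors.Count -eq 0) {
        # A TPM-only volume has no numerical password, so there is nothing to escrow yet.
        # Add one so a recovery path exists, then re-read the protector list.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $protectors) {
        $label = "$($vol.MountPoint) protector $($p.KeyProtectorId)"
        try {
            $before = Get-Date
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            # Verify through the event log: the cmdlet returning without error is not proof
            # that the key actually reached Azure AD.
            $ok = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 845; StartTime = $before } -ErrorAction SilentlyContinue
            if ($ok) {
                Write-Output "${label}: backed up to Azure AD"
            } else {
                $err = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 846; StartTime = $before } -ErrorAction SilentlyContinue
                Write-Output "${label}: no success event logged; $($err.Message)"
                $failed++
            }
        } catch {
            Write-Output "${label}: $($_.Exception.Message)"
            $failed++
        }
    }
}
# A non-zero exit code makes the failure visible in the Intune script status report.
exit $failed
```

Assign it with "Run this script using the logged on credentials" set to No so it runs as SYSTEM, which is the context in which the silent-encryption backup also runs.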
Gareth Davidson commented
We also have this issue, as per Peter Hake's screenshots.
Even though there is a Configuration policy pushed by Intune, drives are not automatically encrypted as expected.
How did you get it working for Win10 1903?
I have a test group of computers and they successfully show up as Hybrid AAD Joined, but when I try to enable Bitlocker on those devices and "Save to your cloud domain account" I get a dialog box: BitLocker Drive Encryption error "Can't save to your cloud domain account".
It seems to be working on W10 1903. Co-managed machines back up the recovery password to AAD and it is also visible from Intune recovery key.
However, a fix is needed for W10 1809
@Nick Hogarth - this doesn’t work for me. I see my W10 1903, but no keys
Nick Hogarth commented
If you have a device configuration profile assigned to the device to require BitLocker, the keys are stored for Hybrid in Intune > Devices > All Devices > select the device > Recovery keys.
This is on W10 1903.
This is not working for our deployment.
The only workaround we have found is to go to the end user's machine, open BitLocker Management and select the save recovery code to cloud account option.
The recovery code then shows under the devices in Azure AD.
Michael M. commented
I can confirm that (now) the BitLocker key does back up to Azure AD for Hybrid machines, but the user can't do a self-service checkout of this recovery key as it doesn't show their hybrid machine under their account in Azure.
The key can be fetched by a tech who has access to Azure. But greater consistency between Hybrid and Azure machines would be appreciated as the general user won't know how their machine is connected, and so won't know if they should see their machine for self service recovery or if they have to contact the help desk.
Any solution for this issue?
Where in the AAD console are you seeing the recovery key?
Hello, I have tested this feature today, and it's working! When I enable the Endpoint Protection policy (Windows Encryption) in Intune and assign it to a group with AAD Hybrid Joined devices, it's applying correctly! And I can see the BitLocker recovery key on the AAD Hybrid Joined device (from the AAD console) and in the AD computer object (same key, of course). I cannot see the recovery key in the "Recovery keys" option in Intune (I think because in AAD, the AAD Hybrid Joined device has no assigned user).