Background
Complete on-prem Active Directory environment, no Azure AD present.
GPO that sets a few BitLocker policies, such as that it has to be able to save the key to AD DS before encrypting.
ConfigMgr 2010
Problem
We first noticed the problem when doing OSD with ConfigMgr, since in the middle of February OSD began to fail at the "Enable BitLocker" step. After a while we noticed that it worked fine with new computers, or if we deleted the AD object for the existing computer.
The strange thing is that the BitLocker API log says it cannot save the key to Azure AD, and that is correct, since we don't have an Azure AD. But why does it try to save to Azure AD, and only for existing computers where the AD object is present?
If I manually run "manage-bde -protectors -add C: -recoverypassword" I get the same error as in the Task Sequence. (That it cannot save the key to Azure AD).
If I disable the GPO setting that enforces saving to AD DS before encrypting and run "manage-bde -protectors -add C: -recoverypassword" again, a local key is created. If I then run "manage-bde -protectors c: -adbackup -id {xxxxxxxx-32F1-xxxx-xxxx-xxxx6776xxxx}", the key is saved to AD. So there is no permissions-related error.
Then I found out which setting is the key to this wrongful behaviour: it's "OSRequireActiveDirectoryBackup".
If OSRequireActiveDirectoryBackup is set to 1 in the registry, BitLocker tries to save the key to Azure AD when running "Manage-bde -protectors -add C: -recoverypassword".
If OSRequireActiveDirectoryBackup is set to 0 (and RequireActiveDirectoryBackup is set to 1), BitLocker successfully saves the key to on-prem AD.
So, no problem GPO-wise, we can just disable OSRequireActiveDirectoryBackup, but in the Task Sequence's "Enable BitLocker" step there is no such option to set this.
But the question is: why does BitLocker try to save the recovery key to Azure AD as soon as OSRequireActiveDirectoryBackup is set?
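As an added example (not code from the original post), the policy check and the manual add-then-backup sequence described above, written with the BitLocker PowerShell module rather than manage-bde. The FVE policy registry path is an assumption based on the usual location of BitLocker GPO settings; run it elevated on the affected client.

```powershell
# Added example, not from the original post: report the BitLocker AD DS backup
# policy values and perform the manual recovery-password backup the post describes.
# Assumption: the GPO values live under HKLM:\SOFTWARE\Policies\Microsoft\FVE.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MountPoint = 'C:'

function Get-FvePolicy {
    # Return the relevant policy values; $null means the value is not set.
    $names = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup',
             'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup'
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($n in $names) {
        $result[$n] = if ($props -and $null -ne $props.$n) { $props.$n } else { $null }
    }
    return $result
}

$policy = Get-FvePolicy
$policy.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $shown = if ($null -eq $_.Value) { '<not set>' } else { $_.Value }
    '{0,-32} {1}' -f $_.Name, $shown
}

if ($policy['OSRequireActiveDirectoryBackup'] -eq 1) {
    Write-Warning ('OSRequireActiveDirectoryBackup=1: the post reports that adding a ' +
                   'recovery password fails with an Azure AD backup error in this state.')
}

# Workaround from the post: create the recovery password protector locally, then
# back it up to AD DS explicitly. The add step only succeeds once the OS-drive
# "require" value is no longer enforced, so run this after adjusting the GPO.
$volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$id = ($volume.KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Select-Object -Last 1).KeyProtectorId

# Equivalent of "manage-bde -protectors -adbackup -id {...}" in the post.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
"Recovery password protector $id backed up to AD DS."
```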