BitLocker wrongfully tries to save key to Azure AD

Marcus Wahlstam 1 Reputation point
2021-03-10T16:10:12.433+00:00

Background

Complete on-prem Active Directory environment, no Azure AD present.
GPO that sets a few BitLocker policies, such as requiring that the key can be saved to AD DS before encrypting.
ConfigMgr 2010

Problem

We first noticed the problem when doing OSD with ConfigMgr, since in the middle of February OSD began to fail at the "Enable BitLocker" step. After a while we noticed that it worked fine with new computers, or if we deleted the AD object for the existing computer.
The strange thing is that the BitLocker-API log says it cannot save the key to Azure AD, and that is correct, since we don't have an Azure AD. But why does it try to save to Azure AD, and only for existing computers where the AD object is present?

If I manually run "manage-bde -protectors -add C: -recoverypassword" I get the same error as in the Task Sequence. (That it cannot save the key to Azure AD).

If I disable the GPO setting that enforces saving to AD DS before encrypting and run "Manage-bde -protectors -add C: -recoverypassword" again, a local key is created. If I then run "manage-bde -protectors c: -adbackup -id {xxxxxxxx-32F1-xxxx-xxxx-xxxx6776xxxx}", the key is saved to AD. So it is not a permissions-related error.

Then I found out which setting causes this wrongful behaviour: it's "OSRequireActiveDirectoryBackup".

If OSRequireActiveDirectoryBackup is set to 1 in the registry, BitLocker tries to save the key to Azure AD when running "Manage-bde -protectors -add C: -recoverypassword".

If OSRequireActiveDirectoryBackup is set to 0 (and RequireActiveDirectoryBackup is set to 1), BitLocker successfully saves the key to on-prem AD.

So, no problem GPO-wise; we can just disable OSRequireActiveDirectoryBackup, but in the "Enable BitLocker" step of the Task Sequence there is no option to set this.

But the question is: Why does BitLocker try to save the recovery key to Azure AD as soon as OSRequireActiveDirectoryBackup is set?
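An added example (not part of the post) that audits the FVE policy values the question names and, where the "require backup before encrypting" policy is off, performs the poster's two-step escrow (create the recovery password locally, then push it to AD DS) with the built-in BitLocker PowerShell cmdlets. It assumes a domain-joined Windows 10 client with the BitLocker module available and C: as the OS volume.

```powershell
# Added example, not code from the original post. Assumes the BitLocker
# PowerShell module (Get-/Add-/Backup-BitLockerKeyProtector) and domain join.
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$names = 'RequireActiveDirectoryBackup', 'ActiveDirectoryBackup',
         'OSRequireActiveDirectoryBackup', 'OSActiveDirectoryBackup'
$policy = @{}
foreach ($n in $names) {
    # Policy values written by the GPO; absent means "not configured".
    $v = Get-ItemProperty -Path $fve -Name $n -ErrorAction SilentlyContinue
    $policy[$n] = if ($v) { $v.$n } else { '(not set)' }
    '{0,-32} {1}' -f $n, $policy[$n]
}
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"PartOfDomain: $($cs.PartOfDomain)  Domain: $($cs.Domain)"

if ($policy['OSRequireActiveDirectoryBackup'] -eq 1) {
    # In the scenario described in the post, adding the protector fails here
    # with the "Azure AD" backup error, so stop and let the admin adjust the GPO.
    Write-Warning 'OSRequireActiveDirectoryBackup=1: protector add would fail on this setup.'
    return
}

# Step 1: create the recovery password locally (no AD round-trip required).
$mount  = 'C:'
$before = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object -ExpandProperty KeyProtectorId
$null = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector

# Step 2: escrow only the newly created protector(s) to on-prem AD DS
# (equivalent of "manage-bde -protectors -adbackup -id {GUID}").
$new = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Where-Object { $before -notcontains $_.KeyProtectorId }
foreach ($kp in $new) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
        "Backed up protector $($kp.KeyProtectorId) to AD DS"
    } catch {
        Write-Warning "AD DS backup failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

# Verify against the same log the poster quoted (BitLocker-API / Management).
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```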


3 answers

  1. Reza-Ameri 16,831 Reputation points
    2021-03-11T14:49:16.077+00:00

    From what you described it seems like a bug or design issue.
    Make sure to update the affected device to the latest build of Windows 10, then check whether you are able to reproduce the problem.
    If yes, then open Start, search for Feedback, open the Feedback Hub app and report this issue, making sure to include reproduction steps, log files and all relevant documents.
    Some applications would require you to install ADFS, so just for a test, if possible try uninstalling it and see if the problem persists.


  2. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-03-11T22:06:08.553+00:00

    Why is this a problem?


  3. Krupp, Matthias 1 Reputation point
    2022-01-07T13:41:40.317+00:00

    Why is this a problem? This question is not really serious!

    The problem is that the Task Sequence step 'Enable BitLocker' is no longer working! And this is a real problem without a solution right now.

    We ran into that issue in June 2021 and we could work around it by moving the Enable BitLocker step up so that it runs only some seconds after the Apply Operating System step. So it works. But if we place it later, after some more time goes by, it runs into the issue described above.
    And yes, we checked whether it depends on the updates or policies we use, and we can say this is not the cause.

    Please, Microsoft, let us know what causes this behaviour!