Microsoft Intune backing up Bitlocker key to the wrong school/work account.

Youri - Voiped Wholesale 26 Reputation points
2022-05-19T14:28:15.317+00:00

Hello,

Currently I am deploying Microsoft Intune within a company.
To test out certain aspects of BitLocker so as not to run into unrecoverable problems, I tried to have the BitLocker keys of endpoints backed up to Intune as well as Azure.

Yet a strange occurrence happened.

On my own laptop, which already had a school account present, I connected my work account to Windows 10, set up the company portal of the company for use and synced my device.
The policy to enforce BitLocker came through and the encryption works as it is supposed to.
But there was no BitLocker key present in Azure nor Intune.

Yet when I ask for the key to be backed up to my Azure account, it backs up the key to my school account.
This is rather strange.

After removing my school account (while the encryption was still running) and asking Windows to back up my key, it said it couldn't connect to the storage place anymore (hence my conclusion that it backed up to my school account).

How can I make sure that other employees within the company get their BitLocker key backed up to our Azure environment and not to a potential other school/work account?
If at all possible, without removing their other work/school accounts.

With kind regards


Accepted answer
Jason Sandys 31,171 Reputation points Microsoft Employee
2022-05-19T15:56:47.41+00:00

You should probably open a support case here to explore the full details; however, here are a few comments:

• Intune is not responsible for saving the recovery key to AD or AAD, that's Windows' job. Intune simply sets a policy to tell Windows to do it.
• Intune does not store the recovery key; that's done in AD or AAD depending on the join type.
• Adding a work account to a Windows endpoint results in an AAD registration (aka Workplace join) and is intended to be a BYOD scenario and not one for use on corporate/enterprise-owned endpoints. You should strongly consider hybrid Azure AD joining or (full) Azure AD joining these endpoints instead of using AAD registration.
    1 person found this answer helpful.
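The accepted answer's point is that Windows, not Intune, performs the escrow, and that where the key lands depends on the device's join type. The following PowerShell script is an added example (not code from the question, the answer, or Microsoft) that makes that check explicit: it reads the join state from `dsregcmd /status`, refuses to escrow when the device is merely Azure AD registered through a work/school account, and otherwise backs up every recovery password protector with the built-in `BackupToAAD-BitLockerKeyProtector` cmdlet. It assumes Windows 10/11 with the BitLocker PowerShell module and an elevated session; the `Get-DeviceJoinState` helper is this example's own.

```powershell
# Added example: verify join state before escrowing BitLocker recovery
# passwords to Azure AD. Assumes Windows 10/11, BitLocker module, elevated.

# Parse the "Name : YES/NO" lines of dsregcmd /status into a hashtable.
# (Helper defined for this example; not a built-in cmdlet.)
function Get-DeviceJoinState {
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

$join         = Get-DeviceJoinState
$aadJoined    = $join['AzureAdJoined']     # full or hybrid Azure AD join
$domainJoined = $join['DomainJoined']      # on-prem AD join
$wpJoined     = $join['WorkplaceJoined']   # AAD registration via a work/school account

if (-not $aadJoined) {
    if ($wpJoined) {
        # This is the situation in the question: only a registered account is
        # present, so Windows would escrow to whichever tenant that account
        # belongs to. Stop rather than guess.
        Write-Warning 'Device is only Azure AD registered (work/school account). Azure AD join or hybrid join it before escrowing.'
    } else {
        Write-Warning 'Device is not Azure AD joined; there is no tenant to escrow to.'
    }
    exit 1
}

$kind = if ($domainJoined) { 'hybrid Azure AD joined' } else { 'Azure AD joined' }
Write-Host "Device is $kind; escrowing recovery password protector(s) to Azure AD."

# Escrow every RecoveryPassword protector on every BitLocker-capable volume.
Get-BitLockerVolume | ForEach-Object {
    $mountPoint = $_.MountPoint
    $_.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $_.KeyProtectorId
            Write-Host "Escrowed protector $($_.KeyProtectorId) for $mountPoint"
        }
}
```

Run it as an administrator on the endpoint. A successful escrow is recorded in the `Microsoft-Windows-BitLocker/BitLocker Management` event log (Event ID 845 for success, 846 for failure), which is the place to look when, as in the question, the key is missing from the expected tenant.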
