MarcusWahlstam-5725 asked ·
0 Votes

BitLocker wrongfully tries to save key to Azure AD

Background


Complete on-prem Active Directory environment, no Azure AD present.
GPO that sets a few BitLocker policies, like that it has to be able to save the key to AD DS before encrypting.
ConfigMgr 2010


Problem


We first noticed the problem when doing OSD with ConfigMgr, since in the middle of February OSD began to fail at the "Enable BitLocker" step. After a while we noticed that it worked fine with new computers or if we deleted the AD-object for the existing computer.
The strange thing is that the BitLocker-API log says it cannot save the key to Azure AD, and that is correct, since we don't have an Azure AD. But why does it try to save to Azure AD, and only for existing computers where the AD object is present?

If I manually run "manage-bde -protectors -add C: -recoverypassword" I get the same error as in the Task Sequence. (That it cannot save the key to Azure AD).

If I disable the GPO settings that enforce saving to AD DS before encrypting and run "Manage-bde -protectors -add C: -recoverypassword" again, a local key is created. If I then run "manage-bde -protectors c: -adbackup -id {xxxxxxxx-32F1-xxxx-xxxx-xxxx6776xxxx}", the key is saved to AD. So it is not a permissions-related error.

Then I found out which setting is the key to this wrongful behaviour: it's "OSRequireActiveDirectoryBackup".

If OSRequireActiveDirectoryBackup is set to 1 in the registry, BitLocker tries to save the key to Azure AD when running "Manage-bde -protectors -add C: -recoverypassword".

If OSRequireActiveDirectoryBackup is set to 0 (and RequireActiveDirectoryBackup is set to 1), BitLocker successfully saves the key to on-prem AD.

So, no problem GPO-wise, we can just disable OSRequireActiveDirectoryBackup, but in the Task Sequence's "Enable BitLocker" step there is no option to set this.

But the question is: Why does BitLocker try to save the recovery key to Azure AD as soon as OSRequireActiveDirectoryBackup is set?

Tags: windows-10-security, mem-cm-osd
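The diagnostic steps in the question (read the two policy values, add a recovery-password protector, back it up to AD DS, look at the BitLocker-API log) can be scripted so the state of each machine is checked the same way every time. The PowerShell below is an added example for this thread, not code posted by the asker or shipped by Microsoft. It assumes the GPO values land under HKLM\SOFTWARE\Policies\Microsoft\FVE (the documented BitLocker policy location), that the "BitLocker-API" events the question mentions are in the "Microsoft-Windows-BitLocker/BitLocker Management" channel, and that the BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) is available on the client; the function and variable names are the example's own.

```powershell
# Added diagnostic helper for the thread above; not code from the question or from Microsoft.
# Reads the policy values named in the question from the BitLocker GPO registry key,
# lists RecoveryPassword protectors on the OS drive, optionally escrows them to AD DS
# (the PowerShell equivalent of 'manage-bde -protectors -adbackup <drive> -id <guid>'),
# and prints recent BitLocker API errors. Registry path and event channel are assumptions.
#Requires -RunAsAdministrator

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed GPO location
$PolicyNames  = 'OSRequireActiveDirectoryBackup', 'RequireActiveDirectoryBackup',
                'OSActiveDirectoryBackup', 'ActiveDirectoryBackup'

function Get-BitLockerAdBackupPolicy {
    # One row per policy value; Value = $null means the GPO does not configure it.
    $props = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $PolicyNames) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint = 'C:')
    # Only RecoveryPassword protectors can be escrowed to AD DS.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

function Get-RecentBitLockerApiError {
    param([int]$Hours = 24)
    # Channel name is an assumption; Level 2 = Error.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Invoke-BitLockerAdBackupCheck {
    param([string]$MountPoint = 'C:', [switch]$Backup)

    $policy = Get-BitLockerAdBackupPolicy
    $policy | Format-Table -AutoSize

    $osRequire = ($policy | Where-Object Name -eq 'OSRequireActiveDirectoryBackup').Value
    if ($osRequire -eq 1) {
        Write-Warning 'OSRequireActiveDirectoryBackup=1: the question reports that adding a recovery password fails with an Azure AD backup error in this state.'
    }

    $protectors = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    if ($protectors.Count -eq 0) {
        Write-Warning "No RecoveryPassword protector on $MountPoint; nothing to back up."
        return
    }

    foreach ($p in $protectors) {
        "RecoveryPassword protector $($p.KeyProtectorId)"
        if ($Backup) {
            # Escrow this protector to AD DS (requires the computer object to be writable).
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        }
    }

    'Recent BitLocker API errors:'
    Get-RecentBitLockerApiError | Format-Table -AutoSize
}

# Report only; add -Backup to also escrow the protectors to AD DS.
Invoke-BitLockerAdBackupCheck -MountPoint 'C:'
```

Run it without -Backup first to see which of the four policy values the GPO actually sets and whether a RecoveryPassword protector already exists; comparing that output between a freshly built machine and one whose AD computer object pre-exists is the quickest way to confirm the difference the question describes.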

Reza-Ameri answered ·
0 Votes

From what you described, it seems like a bug or design issue.
Make sure to update the affected device to the latest build of Windows 10 and check whether you are able to reproduce the problem.
If yes, then open Start, search for Feedback, open the Feedback Hub app and report this issue, making sure to include reproduction steps, log files and all relevant documents.
Some applications would require you to install ADFS, so just for a test, if possible try uninstalling it and see if the problem persists.


Jason-MSFT answered ·
0 Votes

Why is this a problem?
