Question asked by AlanGreene-3496 (SimonRenMSFT-3639 commented)

Cannot backup BitLocker Keys to AAD

Hello,

I am working with a Hybrid environment. Generally in the past, after enrolling a device in Intune, I have been able to back up the BitLocker key to their AAD using the GUI or PowerShell commands. Recently the option has stopped showing in the GUI for some users and the PowerShell commands return a 0x8000FFFF error. This says to me that the device may not be correctly AzureAD joined, yet the device shows up in AzureAD registered to the user. Any idea what's going on here?

Thank you.

mem-intune-general

Hi,

Thanks for posting in the Microsoft Intune Q&A forum.

1. May we know how you configured the device configuration policy for the BitLocker settings? Please help check the device configuration policy device status in the Intune portal. Per my experience, backing up BitLocker keys to AAD requires the device to be AAD joined or in hybrid mode.

2. Please help check the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > BitLocker API to see if there is any error on the problematic client.

For more details about troubleshooting, please refer to: Troubleshoot BitLocker policies in Microsoft Intune

Best regards,
Simon


Hi, previously the company was manually enrolling each employee into Intune via the Company Portal and registering their AD account. Recently we have set an automated group policy and hybrid folder in AD to automate the process of Intune enrollment. Every device that is registered automatically cannot have its BitLocker keys backed up to AAD.

[Attached screenshots: bit-locker-keybackup.png, bit-locker-keybackup2.png]

Hi,

Thanks for your reply.

1. For BitLocker Event ID 846, please review your Group Policy Object (GPO) settings for conflicts. Refer to:
Event ID 846, 778, and 851: Error 0x80072f9a

2. Also check to see if this system supports PCR [7] and it is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
Manage-bde -protectors -get %systemdrive%

If the PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly. Refer to:
BitLocker check after firmware update

Best regards,
Simon
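The following triage script is an added example that is not part of the thread and is neither the original poster's nor Microsoft's code. It strings together the checks raised in the question (the PowerShell backup returning 0x8000FFFF) and in Simon's two replies (is the device actually AAD/hybrid joined, does the BitLocker-API log show Event ID 846, and does `manage-bde -protectors -get` report a PCR validation profile containing PCR 7). The function names are assumptions of mine; the cmdlets `Get-BitLockerVolume` and `BackupToAAD-BitLockerKeyProtector`, the tools `dsregcmd` and `manage-bde`, and the log name `Microsoft-Windows-BitLocker/BitLocker Management` ship with Windows.

```powershell
# Added triage script for the thread above; not from the original poster or Microsoft.
# Run from an elevated PowerShell on the affected client. It assumes the in-box
# BitLocker module, dsregcmd.exe and manage-bde.exe (all ship with Windows 10/11
# Pro/Enterprise). Function names are mine; cmdlets, tools and log names are real.
#Requires -RunAsAdministrator

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines. Hybrid join shows
    # DomainJoined=YES and AzureAdJoined=YES; a device that is only
    # "registered" to a user shows AzureAdJoined=NO and the escrow fails.
    $raw   = dsregcmd /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $state[$key] = 'UNKNOWN'
        foreach ($line in $raw) {
            if ($line -match "^\s*$key\s*:\s*(\S+)") { $state[$key] = $Matches[1]; break }
        }
    }
    return $state
}

function Get-PcrValidationProfile {
    param([string]$MountPoint = $env:SystemDrive)
    # manage-bde -protectors -get prints "PCR Validation Profile:" and then the
    # PCR list on the next line, e.g. "7, 11" when Secure Boot is used.
    $out = @(manage-bde -protectors -get $MountPoint)
    for ($i = 0; $i -lt $out.Count - 1; $i++) {
        if ($out[$i] -match 'PCR Validation Profile' -and $out[$i + 1] -match '^\s*[\d,\s]+$') {
            return @(($out[$i + 1] -split ',') | ForEach-Object { [int]$_.Trim() })
        }
    }
    return @()   # no TPM protector, or output not in the expected shape
}

function Get-AadBackupEvents {
    param([int]$Days = 7)
    # Event Viewer: Applications and Services Logs > Microsoft > Windows >
    # BitLocker-API > Management. 845 = backed up to Azure AD, 846 = backup failed.
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddDays(-$Days)
    }
    return Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Backup-RecoveryPasswordToAad {
    param([string]$MountPoint = $env:SystemDrive)
    # Only RecoveryPassword protectors can be escrowed; report the HRESULT on failure
    # so 0x8000FFFF (E_UNEXPECTED, as in the question) is visible rather than swallowed.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rps.Count -eq 0) { return "$MountPoint has no RecoveryPassword protector; nothing to escrow" }
    foreach ($p in $rps) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            "$($p.KeyProtectorId): backed up to Azure AD"
        } catch {
            $hr = '0x{0:X8}' -f $_.Exception.HResult
            "$($p.KeyProtectorId): FAILED $hr - $($_.Exception.Message)"
        }
    }
}

# --- triage flow ---------------------------------------------------------
$join = Get-DeviceJoinState
Write-Host ('Join state: ' + (($join.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '))
if ($join.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Azure AD / hybrid joined; key escrow to AAD needs the join to complete first.'
}

$pcr = Get-PcrValidationProfile
if ($pcr -contains 7) {
    Write-Host "PCR validation profile $($pcr -join ', '): Secure Boot is used for integrity validation."
} else {
    Write-Warning "PCR validation profile is '$($pcr -join ', ')'; PCR 7 not in use, check Secure Boot / firmware."
}

Write-Host 'Recent BitLocker-API escrow events (845 success, 846 failure):'
Get-AadBackupEvents | Format-Table -AutoSize

Backup-RecoveryPasswordToAad
```

Read the join state first: if `AzureAdJoined` is `NO` while the portal shows the device as merely registered to the user, the escrow cannot succeed regardless of policy, which matches the symptom in the question. Only once the device reports hybrid joined do the Event 846 entries and the PCR profile become the next things to compare between a working and a failing machine.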

0 Answers