BjornClaes-1550 asked Jason-MSFT commented

Bitlocker recovery keys hybrid-joined devices

We have a BitLocker policy configured as shown in the image, but it's giving mixed results and I can't figure out why. For some devices the recovery key is stored in Azure AD and AD, while for other devices the recovery key is only stored in AD. The option "Require device to back up recovery information to Azure AD" is enabled, all of the devices are encrypted, and still 2/3 of the devices don't have a recovery key stored in AAD.
All devices are hybrid-joined; they all have the same Autopilot profile, are in the same groups, etc.
(attachment: bitlocker.png, screenshot of the BitLocker policy settings)

LimitlessTechnology-2700 answered BjornClaes-1550 commented

Hello @BjornClaes-1550

I would recommend a manual backup, and setting the recovery key backup to AAD.

Please check the instructions and blog at https://docs.microsoft.com/en-us/answers/questions/579227/backup-bitlocker-keys-to-azure-ad.html

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--


I've created a script as a workaround, but I don't see it as a permanent solution. Running the script is a one-time shot, so what will happen when, for example, a key rotation is triggered? Also, the policy states that BitLocker is enabled only if the key is saved in Azure AD, and that's not the case: the drive is encrypted, but the key isn't saved in Azure AD.

NickHogarth-MVP answered BjornClaes-1550 commented

If you are using the same policy across devices but getting different results, you're probably best off logging an Intune support case.


I've opened a support case, so I will provide an update here once we find a solution.

Jason-MSFT answered Jason-MSFT commented

The most likely cause here is that the device simply hasn't completed its HAADJ process when the recovery password is initially set (which is the only time that Windows will save the recovery password). The HAADJ process depends on a user logging into the device, which is not in any way guaranteed.

Have you reviewed the BitLocker event log?


We have 3 devices, enrolled at the same time with the same user: 1 device has the recovery key in Azure AD, the 2 others don't. In the BitLocker event log of those 2 devices there is an event where the recovery key is saved in AD, but not in Azure AD.

As we enabled: "Require device to back up recovery information to Azure AD", in my opinion those 2 devices shouldn't be encrypted because the key isn't saved in Azure AD.


The setting's description is a bit misleading and depends on the device's join type. Windows itself makes no true distinction between AD and AAD for the purpose of saving the recovery password on a hybrid Azure Active Directory joined device. For this type of joined device it attempts to save to both places at the time the key is set, and if either succeeds, it is considered a success.

Just another, albeit smaller in this case, reason not to use Autopilot + hybrid Azure Active Directory join on newly provisioned endpoints.


We are using the pre-provisioning variant of Autopilot with Hybrid AADJ, so user sign-in is usually much later. Does this mean that BitLocker will fail in most cases, as the pre-provisioning is usually finished faster than Hybrid AADJ? We do see a low success rate in BitLocker encryption (with similar settings to the above).


Thanks, this was my issue too.
What would be the best way to ensure the keys, which may be rotated in the future, are backed up to both AD and AAD, please?

Regards

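The thread leaves two practical questions open: how to see from the BitLocker event log whether the recovery password was escrowed to Azure AD (Jason's suggestion), and how to re-escrow keys once the hybrid join has completed or after a rotation (the last two comments). The script below is an added example, not code posted in the thread and not Microsoft's; it ties those together. It assumes the OS volume is C:, that it runs elevated on a Windows 10/11 hybrid-joined device with the BitLocker PowerShell module, and that it parses the text output of dsregcmd /status. The event IDs used (784/785 for AD DS backup success/failure, 845/846 for Azure AD backup success/failure, written by the Microsoft-Windows-BitLocker-API provider to the BitLocker Management log) should be confirmed against the log on your own build.

```powershell
# Added example (not from the thread or from Microsoft): verify and, if needed,
# perform Azure AD escrow of the BitLocker recovery password on a hybrid-joined
# device. Assumptions: OS volume C:, elevated session, BitLocker module present,
# dsregcmd /status text output. Event IDs below are those the
# Microsoft-Windows-BitLocker-API provider logs (784/785 AD DS ok/failed,
# 845/846 Azure AD ok/failed); confirm them on your build.
#Requires -RunAsAdministrator

$MountPoint = 'C:'
$LogName    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$RunStart   = Get-Date

# --- 1. Join state. Until dsregcmd reports "AzureAdJoined : YES" there is no
#        device object in Azure AD to attach the recovery password to, which
#        is exactly the race the thread describes with pre-provisioning.
$dsreg     = dsregcmd /status
$AadJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$DomJoined = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')
Write-Host "AzureAdJoined=$AadJoined DomainJoined=$DomJoined"

# --- 2. Review earlier backup attempts in the BitLocker event log.
$history = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 784,785,845,846 } `
               -ErrorAction SilentlyContinue |
           Sort-Object TimeCreated |
           Select-Object TimeCreated, Id,
               @{ n = 'Target'; e = { if ($_.Id -in 784,785) { 'AD DS' } else { 'Azure AD' } } },
               @{ n = 'Result'; e = { if ($_.Id -in 784,845) { 'success' } else { 'failure' } } }
$history | Format-Table -AutoSize
if ($history | Where-Object Id -eq 845) {
    Write-Host 'An earlier Azure AD escrow (event 845) exists; re-escrowing anyway so any rotated protector is covered.'
}

# --- 3. Escrow every RecoveryPassword protector that exists right now.
#        Re-running after a recovery-password rotation picks up the new
#        protector; re-escrowing an existing one is harmless.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection on $MountPoint is $($vol.ProtectionStatus); nothing to escrow yet."
    exit 1
}
$rpProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rpProtectors.Count -eq 0) {
    Write-Warning "No RecoveryPassword protector on $MountPoint."
    exit 1
}
if (-not $AadJoined) {
    # Non-zero exit so a scheduled task or remediation script retries later.
    Write-Warning 'Hybrid Azure AD join not complete; Azure AD escrow skipped for now.'
    exit 1
}

foreach ($p in $rpProtectors) {
    if ($DomJoined) {
        # Keep the AD DS copy in step with the Azure AD copy.
        try { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        catch { Write-Warning "AD DS backup failed for $($p.KeyProtectorId): $_" }
    }
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Submitted $($p.KeyProtectorId) to Azure AD"
    } catch {
        Write-Warning "Azure AD backup failed for $($p.KeyProtectorId): $_"
        exit 1
    }
}

# --- 4. Don't trust the cmdlet alone: the 845 event is the record that the
#        upload succeeded, and 846 is the record that it was rejected.
$confirm = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845,846; StartTime = $RunStart } `
               -ErrorAction SilentlyContinue
if ($confirm | Where-Object Id -eq 845) {
    Write-Host 'Azure AD escrow confirmed (event 845).'
    exit 0
} else {
    Write-Warning "No 845 event logged since $RunStart; look for 846 in the BitLocker Management log and retry."
    exit 1
}
```

Because the script exits non-zero whenever the join is incomplete or no 845 event appears, it is suited to something that re-runs it (a scheduled task, or an Intune remediation script, as a suggested deployment) rather than a one-shot run: the first execution on a freshly pre-provisioned device will typically fail at step 3 and succeed once a user has signed in and dsregcmd reports AzureAdJoined : YES, and later runs cover protectors created by rotation.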