This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 94%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
What happens to the machines that have MDM, Bitlocker on the machines?
They currently sign in with their 365 accounts to their machines. They are azure joined, but also joined to their local domain.
We need to change machines from azure ad joined to azure ad registered because we are federating their domain/sign in to a different domain/hosted on-prem solution. Basically, instead of syncing their user accounts from their local domain to the 365 tenant, their accounts will be syncing from a new/different domain with ADFS federating their sign-ins.
Will that break their bit-locker and MDM?
If their machines are also domain-joined (local domain controllers), will they still be able to sign in with their local ad accounts to their machines to get in? Since they will be ad registered now, i know they wont be signing in with the same password as the 365 account any longer (cause hybrid/pass hash is gone), but would they use the local domain account to sign in? or would it need to be un-joined/re-joined to the domain? or would it just mean signing in to a different profile?
@Josh Lynch
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Josh Lynch , Thanks for posting in Q&A.
From your description, it seems you want to disjoin the device from Azure AD and then register to Azure AD. If so, I think the device needs to unenroll from Intune. Then enroll again. When we do this, the device ID will be changed. So the device will be different.
In fact, when profile is removed from the device, some CSPs remove the setting and some CSPs keep the setting, also called tattooing. Based as I know, BtLocker setting will not remove from the device. Here are some articles for the reference.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-happens-when-a-profile-is-deleted-or-no-longer-applicable
https://www.anoopcnair.com/intune-policy-tattooed-not-tattooed-windows-csp/
Note: non-Microsoft link, just for the reference.
Meanwhile, for Azure AD registered device, based on my research and test, you will use local account to login. Only Azure AD joined device can use Azure AD account to login. For Hybrid Azure AD join device, we will use domain account to login. You can see more details in the following link:
Azure AD registered devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
Azure AD joined devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
Hybrid Azure AD joined devices
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
For the AD account login, I think this depends on if the device is still domain joined. If yes, I think the previous domain user profile is still there. And the device can be login using AD domain account. I think "azure-ad-hybrid-identity" support or ADFS support may give more help on this question.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Crystal,
Thank you so much for the thoughtful reply.
Let me clarify.
Hybrid will be removed/disabled.
Azure AD Connect will be disabled.
We may be introducing ADFS federation to sign in.
By "Based as I know, BtLocker setting will not remove from the device."
So, by changing from azure ad join to register, and loggin in as local ad account instead (domain joined), we don't need to remove bitlocker from the machines first, and then re-encrypt?
Especially if adding ADFS federation, what would the process be for ADFS being added for authentication?
Really concerned about bitlocker since we are not familiar with it and changing authentication path.
@Josh Lynch , In General, BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. Here is a link with more details:
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
That is to say, when we unenroll from Intune and unjoin from AAD, the Bitlocker encrption is still on drive. As a reminder, please ensure the Bitlocker recovery key is backuped to avoicd any issue. But if you want to the bitlocker policy to applied again on the device when it enroll again, I think you need to disable bitlocker encrpton before we re-enroll the device into Intune. Because if devices are already encrypted with BitLocker, your policies deployed by Intune will not change the existing encryption
For Bitlocker with ADFS, I didn't find any link with this. So I think they are not related. To double confirm this, you can contact windows and ADFS support. I notice both tags are added. you can wait to see if any more help will be provided. You can also open a new thread to add the two tags to find the support.
Thanks for your understanding.
Hello @Josh Lynch ,
Referring to the question you posted, PFB answer inline.
So, by changing from azure ad join to register, and login in as local ad account instead (domain joined), we don't need to remove bitlocker from the machines first, and then re-encrypt?
Let me know if you have any queries in the comments section.
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.