Hello @Josh Lynch,
Referring to the question you posted, PFB answer inline.
So, by changing from azure ad join to register, and login in as local ad account instead (domain joined), we don't need to remove bitlocker from the machines first, and then re-encrypt?
- Once the device join type is changed from AAD join to register, the device identity will be changed in Azure AD. Before proceeding further, you will be required to back up the recovery key and save it in Azure AD. Once the device is registered again, it must be re-added to the group to which the required policies are applied.
- If you use ADFS, your IdP will be on-prem, i.e., any time your device is OOS of your DC your login might fail, as the authentication request would not reach the endpoint, so having a VPN would help in staying in line of sight to your DC.
Let me know if you have any queries in the comments section.
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
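As an added illustration of the recovery-key backup step mentioned in the answer above (example code, not from the original post or from Microsoft), this script escrows every BitLocker recovery-password protector to Azure AD before the join type is changed. It assumes the device is still Azure AD joined or registered, the built-in BitLocker PowerShell module is available, and the session is elevated.

```powershell
# Added example: back up BitLocker recovery passwords to Azure AD
# before re-registering the device. Run from an elevated prompt.
# Assumption: device is currently AAD joined/registered so the
# BackupToAAD-BitLockerKeyProtector cmdlet can reach the tenant.

$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

foreach ($vol in $volumes) {
    # Only numerical recovery passwords can be escrowed to Azure AD.
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # No recovery password exists yet (e.g. TPM-only), so add one first.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "Escrowed protector $($kp.KeyProtectorId) for $($vol.MountPoint) to Azure AD"
        }
        catch {
            # Do not change the join type for this device until this succeeds.
            Write-Warning "Backup failed for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}
```

Confirm the key appears under the device's BitLocker keys in the Azure AD portal before changing the join type, since a failed escrow leaves the volume without an externally stored recovery path.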