Unable to save bitlocker key to Azure AD account

Question

Unable to save bitlocker key to Azure AD account

Tom Elliott 20

we have a company we manage that recently got donated a bunch of laptops, I used an ISO from the VLSC that they have to install one of these laptops and used a key inside the VLSC to ensure it was a windows 11 pro/business licenced device, I joined the laptop to their Azure AD and the laptop shows in the Endpoint manager as compliant with intune, the problem I am facing though is I am unable to save the Bitlocker key to their Azure AD account as I keep getting the error "Can't save to your Azure AD account", after this I went digging into the event viewer and got greeted with this error message

"Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.

TraceId: {b99dc2fd-a017-45b9-975e-f766d33f7092}

Error: Unknown HResult Error code: 0x80072f8f"

Now after a few quick Google searches I feel I have tried everything recommended and still have 0 luck and am unable to backup the BitLocker key to their Azure AD, for the time being I have saved the key to a USB stick and the drive has successfully encrypted but I am stumped as to why it refuses to allow me to backup the key, we also just got a second and third machine installed with the windows ISO and the same issue occurs, The devices all have a Tpm 2.0 chip or equivalent and secure boot is enabled

Troy Nabbefeld 165 Reputation points

2023-07-18T18:08:32.01+00:00

Could you please share how you are enforcing BitLocker encryption?
Constantin Lorenz 16 Reputation points

2023-07-24T18:54:28.4266667+00:00

Can you post the output from?

tpmtool getdeviceinformation

Can you try that?

https://learn.microsoft.com/en-us/answers/questions/467673/windows-10-tpm-2-0-client-authentication-in-tls-1

Remove under Functions the following signature suites from the list and Reboot. And try it again.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions

RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
Hrvoje Kusulja 146 Reputation points MVP

2023-07-25T10:42:51.9+00:00

Thank you, I also confirm have the same issue, after reinstalling using latest USB from Microsoft, on Windows 10.0.22621

I also confirm that removing these 3 keys resolved the issue.

Can you confirm what is this exactly? will this be fixed in future version? should we revert those registry keys back at some point etc?

thank you so much, but this is the only solution on the internet
Constantin Lorenz 16 Reputation points

2023-07-25T14:02:39.9433333+00:00

Hi

i don't know what it is. We have a opened Ticket at MS for that. It seems so that Microsoft has Problems with TPM-Spezifikationsversion: 1.16. We see that issue with SCCM, Bitlocker and Wifi :(.

Please also open a ticket for MS so they will fix that issue. You can also ask you Hardware Vendor if they have a TPM Update to Spec Version > 1.38.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

8 answers

Your answer

Troy Nabbefeld 165 Reputation points

2023-07-18T18:08:32.01+00:00

Could you please share how you are enforcing BitLocker encryption?
Constantin Lorenz 16 Reputation points

2023-07-24T18:54:28.4266667+00:00

Can you post the output from?

tpmtool getdeviceinformation

Can you try that?

https://learn.microsoft.com/en-us/answers/questions/467673/windows-10-tpm-2-0-client-authentication-in-tls-1

Remove under Functions the following signature suites from the list and Reboot. And try it again.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions

RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
Hrvoje Kusulja 146 Reputation points MVP

2023-07-25T10:42:51.9+00:00

Thank you, I also confirm have the same issue, after reinstalling using latest USB from Microsoft, on Windows 10.0.22621

I also confirm that removing these 3 keys resolved the issue.

Can you confirm what is this exactly? will this be fixed in future version? should we revert those registry keys back at some point etc?

thank you so much, but this is the only solution on the internet
Constantin Lorenz 16 Reputation points

2023-07-25T14:02:39.9433333+00:00

Hi

i don't know what it is. We have a opened Ticket at MS for that. It seems so that Microsoft has Problems with TPM-Spezifikationsversion: 1.16. We see that issue with SCCM, Bitlocker and Wifi :(.

Please also open a ticket for MS so they will fix that issue. You can also ask you Hardware Vendor if they have a TPM Update to Spec Version > 1.38.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Solution provided by @Constantin Lorenz worked for me:

Removing 3 lines from registrykey worked.

Problem occured unter Windows 11 Version 10.0.22621

Output from tpmtool:

tpmtool getdeviceinformation

-TPM vorhanden: Wahr
-TPM-Version: 2.0
-TPM-Hersteller-ID: IFX
-Vollstõndiger Name des TPM-Herstellers: Infineon
-TPM-Herstellerversion: 7.63.3353.0
-PPI-Version: 1.3
-Ist intialisiert: Wahr
-Zum Speichern bereit: Wahr
-F³r Nachweis bereit: Wahr
-Ist nachweisfõhig: Wahr
-Muss zum Wiederherstellen gel÷scht werden: Falsch
-L÷schen m÷glich: Wahr
 Falsch
-Bitlocker PCR7-Bindungsstatus: Gebunden
-Wartungsaufgabe abgeschlossen: Wahr
-TPM-Spezifikationsversion: 1.16
-TPM-Errata-Datum: Wednesday, September 21, 2016
-PC-Clientversion: 1.00
-Lockout-Informationen:
        -Ist gesperrt: Falsch
        -Lockout-Counter: 0
        -Max. Authentifizierungsfehler: 31
        -Lockout-Intervall: 600s
        -Lockout-Wiederherstellung: 86400s

Constantin Lorenz 16 Reputation points

2023-07-25T09:19:55.9133333+00:00

Hi
It seems so that Microsoft has Problems with TPM-Spezifikationsversion: 1.16. We see that issue with SCCM, Bitlocker and Wifi :(.

Please also open a ticket for MS so they will fix that issue. You can also ask you Hardware Vendor if they have a TPM Update to Spec Version > 1.38

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 deleted comment

Comments have been turned off. Learn more

Answer 3

Zimmermann, René 0

Did anyone ever got a solution from Microsoft on that issue?

Besides deleting those 3 registry entries.

Answer 4

Miguel Fuenteseca 0

Hi

The same thing happened to me and it was because I had SSL inspection activated in the organization's firewall.

Answer 5

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 deleted comment

Comments have been turned off. Learn more

Share via

Unable to save bitlocker key to Azure AD account

8 answers

Your answer