BitLocker recovery Key in Azure AD is not same with On-Premise AD

Question

BitLocker recovery Key in Azure AD is not same with On-Premise AD

Nurfajrina Naserudin 26

Hi,

We have a device that currently Hybrid azure ad join and co-managed with MECM. It is successfully encrypted with BitLocker policy. However, we found out the BitLocker recovery key in Azure AD is not the same as the one save in On-Premise AD.

Do help if anyone encounter this issue.

TQ.

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-09-15T14:17:56.253+00:00
Hello @Nurfajrina Naserudin ,

Thanks for posting your query. There could be multiple reasons for different keys being saved for BitLocker recovery in On-Prem AD and Azure AD. PFB some of the generic cause:

Encryption did not complete in single attempt:

The encryption Key is generated before drive encryption begins. If a device encryption was attempted while in was on-prem but did not complete the key would have been saved in DC > computer object.

Next time encryption was triggered, post device getting hybrid AD joined the device the encryption key would have been saved in Azure AD assuming bitlocker policy would have been applied via SCCM or Intune and recovery key is set to be saved in Azure AD.

The device was decrypted

The device could have been decrypted (by turning off or suspending bit locker)

The next time encryption happened a new Key got saved in Azure AD as per Intune policy.

Key Rotation being enabled

If key rotation policy is enabled then a new recovery key will be generated every time the existing one is used to recover the device. This is most common case when BIOS update triggers.

Also, the keys are supposed to be uploaded in on-prem device object until device is on-prem joined or bit locker is policy is not applied to save keys in AAD. Once policy to save key in AAD is applied (via Intune) all the keys should be saved in AAD only. PFB screenshot for ref setting:

Thanks,
Akshay Kaushik

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-09-20T04:56:37.71+00:00

Hello @Nurfajrina Naserudin ,

Hope you got a chance to review the answer suggested below. Please do let me know if you have any further queries in the comment section. If not, then
please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Akshay Kaushik
Nurfajrina Naserudin 26 Reputation points

2022-09-22T06:43:06.537+00:00

Hi Akshay Kaushik,

For this issue we configure the policy so that the key is saved in both Azure AD and On-premise AD. In this case we notice the problem because the device is locked and the key from Azure AD is not working while the key in On-premise AD worked on that device.

Based on your explanation once the device is Hybrid the latest key should be uploaded to Azure AD. However, it seem like the situation is different in our case. Do help to advise if there anything we miss out anything in this.

If there a lot of device behavior is like his then we would have issues. Because there some device encrypted and we couldn't find the key in Azure AD also and need to format it.

Thank you.
Nurfajrina Naserudin 26 Reputation points

2022-09-22T09:36:00.587+00:00

Hi Akshay,

The current setting is based on the customer preference so there no chance of making the key only available in Azure AD. We already have the manual upload script and implement it but it is hard to detect which device does not have their Key uploaded yet and need to check one by one.

Thank you.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-10-03T09:10:39.453+00:00

Hello @Nurfajrina Naserudin ,

This makes the configuration in conflicting state, as same key could not back-up in two different locations and there will be always a conflict. Either of the location has to be selected and conflicting policy (of saving keys in diff location from diff source must be removed).

Thanks,
Akshay Kaushik
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-10-06T11:17:37.78+00:00

Hello @Nurfajrina Naserudin ,

Hope you got a chance to review the comment above. lease do let me know if you have any further queries.

Else
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Accepted answer

0 additional answers

Your answer

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-09-15T14:17:56.253+00:00

Hello @Nurfajrina Naserudin ,

Thanks for posting your query. There could be multiple reasons for different keys being saved for BitLocker recovery in On-Prem AD and Azure AD. PFB some of the generic cause:

Encryption did not complete in single attempt:

The encryption Key is generated before drive encryption begins. If a device encryption was attempted while in was on-prem but did not complete the key would have been saved in DC > computer object.

Next time encryption was triggered, post device getting hybrid AD joined the device the encryption key would have been saved in Azure AD assuming bitlocker policy would have been applied via SCCM or Intune and recovery key is set to be saved in Azure AD.

The device was decrypted

The device could have been decrypted (by turning off or suspending bit locker)

The next time encryption happened a new Key got saved in Azure AD as per Intune policy.

Key Rotation being enabled

If key rotation policy is enabled then a new recovery key will be generated every time the existing one is used to recover the device. This is most common case when BIOS update triggers.

Also, the keys are supposed to be uploaded in on-prem device object until device is on-prem joined or bit locker is policy is not applied to save keys in AAD. Once policy to save key in AAD is applied (via Intune) all the keys should be saved in AAD only. PFB screenshot for ref setting:

Thanks,
Akshay Kaushik

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-09-20T04:56:37.71+00:00

Hello @Nurfajrina Naserudin ,

Hope you got a chance to review the answer suggested below. Please do let me know if you have any further queries in the comment section. If not, then
please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Akshay Kaushik
Nurfajrina Naserudin 26 Reputation points

2022-09-22T06:43:06.537+00:00

Hi Akshay Kaushik,

For this issue we configure the policy so that the key is saved in both Azure AD and On-premise AD. In this case we notice the problem because the device is locked and the key from Azure AD is not working while the key in On-premise AD worked on that device.

Based on your explanation once the device is Hybrid the latest key should be uploaded to Azure AD. However, it seem like the situation is different in our case. Do help to advise if there anything we miss out anything in this.

If there a lot of device behavior is like his then we would have issues. Because there some device encrypted and we couldn't find the key in Azure AD also and need to format it.

Thank you.
Nurfajrina Naserudin 26 Reputation points

2022-09-22T09:36:00.587+00:00

Hi Akshay,

The current setting is based on the customer preference so there no chance of making the key only available in Azure AD. We already have the manual upload script and implement it but it is hard to detect which device does not have their Key uploaded yet and need to check one by one.

Thank you.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-10-03T09:10:39.453+00:00

Hello @Nurfajrina Naserudin ,

This makes the configuration in conflicting state, as same key could not back-up in two different locations and there will be always a conflict. Either of the location has to be selected and conflicting policy (of saving keys in diff location from diff source must be removed).

Thanks,
Akshay Kaushik
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2022-10-06T11:17:37.78+00:00

Hello @Nurfajrina Naserudin ,

Hope you got a chance to review the comment above. lease do let me know if you have any further queries.

Else
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 1

Akshay-MSFT 17,961 Microsoft Employee Moderator

Hello @Nurfajrina Naserudin ,

Thanks for your response. Considering your infra please follow the given steps to have all keys in Azure AD only :

Use PowerShell to upload all recovery keys to Azure- AD. Deploy the PowerShell script to devices in patches via Intune.
// This will upload the latest keys to Azure AD
Ref Example: https://learn.microsoft.com/en-us/powershell/module/bitlocker/backuptoaad-bitlockerkeyprotector?view=windowsserver2022-ps#examples
Use only Intune Bit-locker policy and remove GPO from the devices. // This will make devices to follow only 1 policy avoiding the conflict.

Thanks,
Akshay Kaushik

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Abhinav Bajpai 0 Reputation points

2024-10-09T12:38:31.4933333+00:00
Hi @Akshay-MSFT
The new BitLocker policy options unde Endpoint Security Node does not have the option "save bitlocker recovery information to microsoft entra id"

Instead it has these policies:

Configure storage of BitLocker recovery information to AD DS:

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives

Save BitLocker recovery information to AD DS for operating system drives

Does this mean, its now mandatory to save BL info in on-prem AD (in addition to Azure AD)?

For HAADJ devices, how can I ensure that devices only backup keys to AAD and not on on-prem AD?

Share via

BitLocker recovery Key in Azure AD is not same with On-Premise AD

0 additional answers

Your answer