Hello HK G,
Thank you for reaching out with your question today.
If you are seeing BitLocker recovery keys in both the Azure portal and your on-premises Active Directory (AD), it's likely because of the integration between Azure Active Directory (Azure AD) and on-premises AD using Azure AD Connect.
When you use Intune to enforce BitLocker encryption on client devices, the recovery keys are stored in Azure AD. Azure AD Connect is a tool that synchronizes user accounts and device information between on-premises AD and Azure AD. As part of this synchronization, the BitLocker recovery keys from Azure AD can also be synchronized to the on-premises AD.
By default, Azure AD Connect syncs several attributes, including BitLocker recovery information, from Azure AD to the on-premises AD. This synchronization helps maintain a consistent and centralized view of user and device information across both environments.
The synchronization of BitLocker recovery keys to the on-premises AD allows organizations to have a backup and recovery option in case of any issues with Azure AD or when accessing the on-premises environment is necessary. It provides an additional layer of redundancy and ensures that the recovery keys are available locally in your on-premises infrastructure.
It's important to note that the synchronization of BitLocker recovery keys is a default behavior of Azure AD Connect. If you don't want the recovery keys to be synchronized to your on-premises AD, you can modify the synchronization rules in Azure AD Connect to exclude certain attributes from being synchronized.
In summary, the presence of BitLocker recovery keys in both Azure AD and your on-premises AD is a result of the synchronization process facilitated by Azure AD Connect, providing redundancy and backup options for recovery key management.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote it or accept it as the answer.
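As an added example (editor's code, not part of the answer above or of any Microsoft tooling), here is a PowerShell check an administrator can run to see which BitLocker recovery keys are stored in on-premises AD for a given computer and which Azure AD Connect synchronization rules, if any, flow the msFVE-RecoveryInformation attributes in either direction. Part 1 needs the RSAT ActiveDirectory module on a domain-joined machine; Part 2 needs the ADSync module and must run on the Azure AD Connect server. The computer name CONTOSO-PC01 is a placeholder.

```powershell
# Added example: inspect BitLocker recovery information in on-premises AD and
# list Azure AD Connect sync rules that reference msFVE-* attributes or classes.
# Requires: RSAT ActiveDirectory module (Part 1); ADSync module, run on the
# Azure AD Connect server (Part 2). CONTOSO-PC01 is a placeholder name.

param(
    [string]$ComputerName = 'CONTOSO-PC01'   # placeholder, replace with a real host
)

# --- Part 1: recovery keys stored in on-premises AD ---------------------------
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName

# BitLocker recovery information lives in msFVE-RecoveryInformation child
# objects beneath the computer object, one per protector/volume.
$recoveryObjects = Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated, msFVE-RecoveryPassword

if (-not $recoveryObjects) {
    Write-Output "No BitLocker recovery information is stored in AD for $ComputerName."
} else {
    $recoveryObjects | ForEach-Object {
        [pscustomobject]@{
            Computer      = $ComputerName
            # msFVE-RecoveryGuid is an octet string; this is the key ID shown on
            # the BitLocker recovery screen, useful for matching against the portal.
            RecoveryKeyId = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
            VolumeId      = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            BackedUpOn    = $_.whenCreated
            # Deliberately not printing the 48-digit password; only confirm it exists.
            HasPassword   = -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword')
        }
    } | Format-Table -AutoSize
}

# --- Part 2: which Azure AD Connect rules touch msFVE-* ? ----------------------
# Run on the Azure AD Connect server. A rule is reported if its source/target
# object type or any attribute flow mapping mentions "msFVE". An empty result
# means no sync rule flows BitLocker recovery information in either direction.
Import-Module ADSync

Get-ADSyncRule | ForEach-Object {
    $rule = $_

    $objectTypeHit = ($rule.SourceObjectType -match 'msFVE') -or
                     ($rule.TargetObjectType -match 'msFVE')

    $flowHits = $rule.AttributeFlowMappings | Where-Object {
        (($_.Source -join ',') -match 'msFVE') -or ($_.Destination -match 'msFVE')
    }

    if ($objectTypeHit -or $flowHits) {
        [pscustomobject]@{
            Rule        = $rule.Name
            Direction   = $rule.Direction          # Inbound (to metaverse) / Outbound
            Disabled    = $rule.Disabled
            ObjectTypes = "$($rule.SourceObjectType) -> $($rule.TargetObjectType)"
            Flows       = ($flowHits | ForEach-Object {
                              "$($_.Source -join ',') -> $($_.Destination)"
                          }) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run Part 1 against a device whose key you see in the portal and compare the RecoveryKeyId with the key ID listed there; run Part 2 on the Azure AD Connect server before changing any synchronization rule, so you know which rule (if any) you would be editing and in which direction it flows.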