Questions for HAADJ co-management with Intune

Ahmed Sh 60 Reputation points


- I have a HAADJ tenant with Intune co-management.

- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).

- The above means for users on UPN matching for users between on-premises and cloud, and this is why enrollment is done via device credentials.

- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.

- They get enrolled in Intune using co-management with SCCM, auto MDM enrollment with device credentials, and appear in Intune as co-managed.

- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD as explained here.


1- For testing, we encrypt and remove semantics drive encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after uninstall, the key is not requested.

2- After testing, the recovery key is stored in Intune but not stored in the location below -> Devices -> Manage Devices -> Select devices -> View BitLocker Keys (it appears only in the test environment, where enrollment is done via user credentials as opposed to device credentials).

3- Devices in Azure under the following URL, Devices - Microsoft Entra admin center -> show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. However, in Intune, devices show a primary user logged in as long as someone is logged in to office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?


Accepted answer
  1. jamie cordeiro 65 Reputation points

    During BitLocker encryption removal testing, the recovery key screen appears after the first restart but not the second.
    The first restart might trigger a BitLocker pre-boot validation requiring the key. The second restart might complete the removal process, eliminating the need for the key.

    Recovery key isn't showing up in user's Microsoft account device management after Intune enrollment with device credentials.
    When enrolling with device credentials, Intune might not associate the key with a specific user due to the lack of direct user sync from AD Connect.

    Recovery keys for device credential enrollment might be stored in Intune administration console under a different section. Check the documentation for specific locations based on your Intune version.

    Device owner disappears in Azure/Entra device list after initial sync, but Intune shows the primary user correctly.
    Since AD Connect only syncs devices and not users, the owner information from on-premises AD might not be populating correctly in Azure AD/Entra.

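A client-side check for the escrow question in this thread, added here as an example and not part of the original question or answer: it confirms the join state, lists the recovery password protectors on the OS volume, and looks for key backup results in the BitLocker event log. The log channel name and the event IDs 845 (backup to Entra ID succeeded) and 846 (backup failed) are assumptions to verify on your Windows build, and `$retryEscrow` is a hypothetical opt-in switch.

```powershell
#Requires -RunAsAdministrator
# Run in an elevated session on an affected hybrid-joined device.

$mount       = $env:SystemDrive   # OS volume; repeat for fixed data drives as needed
$retryEscrow = $false             # hypothetical switch: set to $true to request escrow again

# 1. Confirm the join state (a hybrid-joined device reports YES for both values).
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined'

# 2. List recovery password protectors by ID only; the password itself is never printed.
$volume = Get-BitLockerVolume -MountPoint $mount
$recoveryProtectors = @($volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
'{0}: protection {1}, {2} recovery password protector(s)' -f `
    $mount, $volume.ProtectionStatus, $recoveryProtectors.Count
$recoveryProtectors | Select-Object KeyProtectorId

# 3. Look for escrow results in the BitLocker management log.
#    Assumption: 845 = recovery information backed up to Entra ID, 846 = backup failed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 10 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-List

# 4. If no successful backup is recorded, optionally ask the device to escrow
#    each recovery password protector to Entra ID again.
$escrowed = @($events | Where-Object Id -eq 845).Count -gt 0
if (-not $escrowed -and $retryEscrow) {
    foreach ($protector in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyVolume -MountPoint $mount `
            -KeyProtectorId $protector.KeyProtectorId
    }
}
```

Comparing the `KeyProtectorId` values printed in step 2 with the key IDs shown for the device in the admin portal tells you whether the key that was escrowed is the one currently protecting the volume.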