BitLocker wrongfully tries to save key to Azure AD

Marcus Wahlstam 1 Reputation point
2021-03-10T16:10:12.433+00:00

Background

Complete on-prem Active Directory environment, no Azure AD present.
GPO that sets a few BitLocker policies, like it have to be able to save the key to AD DS before encrypting.
ConfigMgr 2010

Problem

We first noticed the problem when doing OSD with ConfigMgr, since in the middle of February OSD began to fail at the "Enable BitLocker" step. After a while we noticed that it worked fine with new computers or if we deleted the AD-object for the existing computer.
The strange thing is that the BitLocker-API log says it cannot save the key to Azure AD, and that is correct, since we don't have an Azure AD. But why does it try to save to Azure AD, and only for existing computers where the AD object is present?

If I manually run "manage-bde -protectors -add C: -recoverypassword" I get the same error as in the Task Sequence. (That it cannot save the key to Azure AD).

If I disable the GPO settings that enforces save to AD DS before encrypting, run "Manage-bde -protectors -add C: -recoverypassword" again so a local key is created. Then run "manage-bde -protectors c: -adbackup -id {xxxxxxxx-32F1-xxxx-xxxx-xxxx6776xxxx}", the key is saved to AD. So no permissions related error.

Then I found out what the key setting is for this wrongfully behaviour, it's the "OSRequireActiveDirectoryBackup".

If OSRequireActiveDirectoryBackup is set to 1 in the registry, BitLocker tries to save the key to Azure AD when running "Manage-bde -protectors -add C: -recoverypassword".

If OSRequireActiveDirectoryBackup is set to 0 (and RequireActiveDirectoryBackup is set to 1), BitLocker successfully saves the key to on-prem AD.

So, no problem GPO-wise, we can just disable the OSRequireActiveDirectoryBackup but in the Task Sequence in the "Enable BitLocker" step, there is no such option to set this.

But the question is: Why do BitLocker try to save the recovery key to Azure AD as soon as OSRequireActiveDirectoryBackup is set?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,837 questions
Microsoft Configuration Manager Deployment
Microsoft Configuration Manager Deployment
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Deployment: The process of delivering, assembling, and maintaining a particular version of a software system at a site.
939 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Reza-Ameri 16,861 Reputation points
    2021-03-11T14:49:16.077+00:00

    From what you described it seems like be an bug or design issue.
    Make sure update affected device to the latest build of Windows 10 and check and see if you are able to reproduce the problem?
    If yes, then open start and search for feedback and open the Feedback Hub app and report this issue and make sure include reproduce steps and log files and all relevant documents.
    Some applications would required you to install ADFS, so just for test, if possible try uninstall it and see if problem persist?

    0 comments No comments

  2. Jason Sandys 31,186 Reputation points Microsoft Employee
    2021-03-11T22:06:08.553+00:00

    Why is this a problem?

    0 comments No comments

  3. Krupp, Matthias 1 Reputation point
    2022-01-07T13:41:40.317+00:00

    Why this is a problem? This question is not really serious!

    The problem is, that the TaskSequence Step 'Enable Bitlocker' is not longer working! And this is a real problem without a solution right now.

    We ran into that issue in June 2021 and we could work around it by switching the Enable Bitlocker step above to get it run only some seconds after Applying Operation System step. So it works. But if we place it later, after some more time goes by, it runs into the issue described above.
    And yes, we checked if it depends on updates or policies we use and we can say this is not the cause.

    Please, Microsoft, let us know what causes this behaviour!