Cannot backup BitLocker Keys to AAD

Alan Greene
Hello,
I am working with a hybrid environment. Generally in the past, after enrolling a device in Intune, I have been able to back up the BitLocker key to their AAD using the GUI or PowerShell commands. Recently the option has stopped showing in the GUI for some users, and the PowerShell commands return a 0x8000FFFF error. This says to me that the device may not be correctly Azure AD joined, yet the device shows up in Azure AD registered to the user. Any idea what's going on here?
Thank you.
Hi, previously the company was manually enrolling each employee into Intune via the Company Portal and registering their AD account. Recently we have set up an automated group policy and hybrid folder in AD to automate the process of Intune enrollment. Every device that is registered automatically cannot have its BitLocker keys backed up to AAD.
Hi,
Thanks for your reply.
1. For BitLocker Event ID 846, please review your Group Policy Object (GPO) settings for conflicts. Refer to:
Event ID 846, 778, and 851: Error 0x80072f9a
2. Also check whether this system supports PCR [7] and whether it is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
    manage-bde -protectors -get %systemdrive%
If the PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly. Refer to:
BitLocker check after firmware update
Best regards,
Simon
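The checks in this answer, collected into one diagnostic script as an added example (this is not code from the thread or from Microsoft). It assumes an elevated PowerShell session on the affected device, the built-in BitLocker module, and that the OS volume is $env:SystemDrive; the join-state check via dsregcmd and the event 846 lookup are added alongside the manage-bde check the answer describes.

```powershell
# Added diagnostic example, not from the original thread. Run elevated on the affected device.
# Assumptions: BitLocker module available, OS volume is $env:SystemDrive, device is hybrid joined.

# 1. Is the device actually Azure AD / hybrid joined? Backup to AAD needs AzureAdJoined : YES.
$dsreg = dsregcmd /status
$joinState = ($dsreg | Select-String 'AzureAdJoined\s*:\s*(\w+)').Matches.Groups[1].Value
Write-Host "AzureAdJoined : $joinState"

# 2. Protector list and PCR validation profile (same data as 'manage-bde -protectors -get').
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
# Expect "7, 11" on the line after the profile header when Secure Boot validation is in use.
manage-bde -protectors -get $env:SystemDrive | Select-String 'PCR Validation Profile' -Context 0,1

# 3. Attempt the AAD backup for each recovery-password protector and record the result.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { Write-Warning "No RecoveryPassword protector on $env:SystemDrive; nothing to back up." }
foreach ($p in $rp) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        Write-Host "Backed up protector $($p.KeyProtectorId) to AAD"
    } catch {
        # A 0x8000FFFF here with AzureAdJoined : NO points at the join state, not at BitLocker.
        Write-Warning "Backup failed for $($p.KeyProtectorId): $($_.Exception.Message)"
    }
}

# 4. Pull the most recent event 846 (key backup failure) so its error code can be matched
#    against the GPO conflict guidance referenced above.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-BitLocker/BitLocker Management'; Id=846} `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it on one manually enrolled device and one auto-enrolled device and compare the AzureAdJoined value and the event 846 text between the two.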