Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,406 questions
Cannot backup BitLocker Keys to AAD
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Alan Greene
1
Reputation point
Hello,
I am working with a Hybrid environment. Generally in the past, after enrolling a device in intune, I have been able to backup the BitLocker key to their AAD using the GUI or powershell commands. Recently the option has stopped showing in the GUI for some users and the powershell commands return a 0x8000FFFF error. This says to me that the device may not be correctly AzureAD joined, yet the device shows up in AzureAD registered to the user. Any idea what's going on here?
Thank you.
{count} votes
-
Simon Ren-MSFT 30,506 Reputation points Microsoft Vendor2021-06-28T02:53:52.857+00:00 Hi,
Thanks for posting in Microsoft intune Q&A forum.
1.May we know how did you configure the the device configuration policy of BitLocker settings? Please help check the device configuration policy device status in the Intune portal. Per my experience, to backup BitLocker Keys to AAD which requires Device to be AAD joined or in hybrid mode.
2.Please help check the Windows Event Viewer under Applications and Services log > Microsoft > Windows > BitLocker API to see if there is any error on the problematic client.
For more details about troubleshooting, please refer to: Troubleshoot BitLocker policies in Microsoft Intune
Best regards,
Simon -
Alan Greene 1 Reputation point
2021-06-30T09:48:49.493+00:00 Hi, previously the company were manually enrolling each employee into intune via company portal and registering their AD account. Recently we have set an automated group policy and hybrid folder in AD to automate the process of intune enrollment. Every device that is registered automatically cannot have their bitlocker keys backed up to AAD.
-
Simon Ren-MSFT 30,506 Reputation points Microsoft Vendor
2021-07-01T08:27:59.317+00:00 Hi,
Thanks for your reply.
1,For Bitlocker Event ID 846, please review your Group Policy Object (GPO) settings for conflicts. Refer to:
Event ID 846, 778, and 851: Error 0x80072f9a2,Also check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
Manage-bde -protectors -get %systemdrive%If PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly.Refer to:
BitLocker check after firmware updateBest regards,
Simon
Sign in to comment