This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 26%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBC%3C/text%3E%3C/svg%3E)
We have a Bitlocker policy configured as shown in the image, but it's giving mixed results and I can't figure out why. For some devices the Recovery Key is stored in Azure AD + AD, while for other devices the Recovery Key is only stored in AD. The option: Require device to back up recovery information to Azure AD is enabled, all of the devices are encrypted and still 2/3 of the devices don't have a Recovery Key stored in AAD.
All devices are hybrid-joined, they all have the same autopilot profile, are in the same groups ...
Hello @Bjorn Claes
I would recommend with manual backup and setting for the Recovery Key backup to AAD.
Please check the instructions and blog in https://learn.microsoft.com/en-us/answers/questions/579227/backup-bitlocker-keys-to-azure-ad.html
Hope this helps with your query,
-------
--If the reply is helpful, please Upvote and Accept as answer--
I’ve created a script as workaround, but I don’t see it as a permanent solution. Running the script is a one-time-shot, so for example what will happen when a key rotation is triggered? Also the policy states that Bitlocker is enabled only if the key is saved in Azure AD and that’s not the case: the drive is encrypted, but the key isn’t saved in Azure AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
If you are using the same policy across devices but getting different results, you're probably best of logging an Intune support case.
I’ve opened a support case, so I will provide an update here once we find a solution.
The most likely cause here is that the device simply hasn't completed its HAADJ process when the recovery password is initially set (which is the only time that Windows will save the recovery password). The HAADJ process depends on a user logging into the device which is not in any way guarenteed.
Have you reviewed the BitLocker event log?
We have 3 devices, enrolled at the same time with the same user: 1 device has the recovery key in Azure AD, 2 others don't. In the Bitlocker event log of those 2 devices there is an event where the recovery key is saved in AD, but not Azure AD.
As we enabled: "Require device to back up recovery information to Azure AD", in my opinion those 2 devices shouldn't be encrypted because the key isn't saved in Azure AD.
The settings description is a bit misleading and depends on the device's join type. Windows itself makes not true to distinction between AD and AAD for the purpose of saving the recovery password on a hybrid Azure Active Directory joined device. For this type of joined device it attempts to save to both places at the time the key is set and if either succeeds, it is considered a success.
Just another, albeit smaller in this case, reason not to use Autopilot + hybrid Azure Active Directory join on newly provisioned endpoints.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 31%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
We are using the preprovisioning variant of Autopilot with Hybrid AADJ, so user sign-in is usually much later. Does this mean that bitlocker will fail in most cases as the preprovisioning is usually finished faster then Hybrid AADJ? We do see a low successrate in bitlocker encryption (with similar settings same as above)
Are you saying BitLocker encryption itself is failing or just the saving of the recovery key?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 14.000000000000002%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Thanks, this was my issue too
What would be the best way to ensure the keys, which may be rotated in the future, are backed up to both AD and AAD, please?
regards
Use a script delivered from Intune or ConfigMgr. Better yet, start using AADJ which we strongly prefer for new device provisioning.