

Bitlocker Recovery Keys on Hybrid Azure AD Joined

Question

Thursday, September 20, 2018 8:01 AM

Hi there,

Sorry if this is in the incorrect forum. We have workstations in our environment that are on-premise domain joined and also registered with (not joined to) Azure AD. This scenario is known as Hybrid Azure AD joined. With BitLocker enabled and functioning, can we only store the recovery keys in the on-premise AD and not in Azure? This appears to be the case from what I have read, but it is not clearly defined!

We would like self-service for our users and don't really want to go down the MBAM route.  Any help/information is appreciated.

Thanks

Hazza

All replies (4)

Friday, September 21, 2018 6:55 AM

Hi Hazza,

About your demand:

“store the recovery keys in the on-premise AD and Not in Azure”

I need to say that this is just the default behavior; what you want is a common scenario and does not need any specialized configuration.

Look at these cases below:

BitLocker Recovery Keys in a Hybrid AAD Joined Device

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

Azure Active Directory and BitLocker

https://www.reddit.com/r/AZURE/comments/8imez6/azure_active_directory_and_bitlocker/

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


Thursday, January 31, 2019 12:45 PM

Hello,

The UserVoice item shared by Teemo Tang is right: the setting "Store Recovery information in Azure Active Directory before enabling BitLocker" appears to set the OSRequireActiveDirectoryBackup_Name OMA-URI, which causes the key to be backed up to the on-prem AD DS and does not store the key in Azure AD.

So Azure AD devices store their recovery key in Azure AD (and MyApps), but Hybrid AAD devices store their recovery key in AD DS; this is how it should work.

The thing is, the BitLocker recovery key is not stored in AD DS either! The device event viewer says the recovery key was successfully backed up to AD DS (event 784 / BitLocker-API Management), but I can't find any recovery key in the BitLocker Recovery tab of the computer object.

Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene


Thursday, March 7, 2019 12:28 AM

We have the same problem with hybrid systems. Sometimes the BitLocker key is not stored in our on-premise AD but it is stored in Azure AD, even though we have the GPO to wait until the key is stored before encrypting. We only have the option to "Save to your cloud domain account" now, so we can't save to on-premise AD manually. Maybe there's a PowerShell command to force local AD?

Thanks,

Russell


Wednesday, April 3, 2019 6:45 PM

Hello everyone,

Any update on this? We are facing the same issue. We are using the Hybrid Azure AD Join Autopilot deployment method to set up Windows 10 devices and have deployed the BitLocker policy via Intune. What is happening is that the drive is encrypted and the key is not stored in Azure AD; after troubleshooting, we found event logs stating that it failed to store the key to Active Directory. We want the key to be stored in Azure AD for self-service.

I also tried deploying a script to save the BitLocker key to Azure AD, but no luck; it throws a catastrophic error. But when we manually try to save the key to the cloud from the BitLocker wizard, it works.

Regards,

Kalaivani
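The manual escrow route Russell and Kalaivani ask about, as an added example that is not a script from any poster in this thread: it uses the BitLocker module's own cmdlets, Backup-BitLockerKeyProtector for on-premises AD DS and BackupToAAD-BitLockerKeyProtector for Azure AD, and then checks the AD DS side from a machine with RSAT rather than trusting event 784 alone. The $MountPoint/-ToAzureAD parameters and the Test-AdDsEscrow helper are assumptions of this example.

```powershell
# Added example, not from the thread: escrow the RecoveryPassword protector(s)
# of a BitLocker volume to AD DS and optionally Azure AD. Run elevated on the
# client; the device must be domain joined (AD DS) and/or Azure AD joined or
# registered (AAD) for the respective backup to succeed.
function Invoke-BitLockerEscrow {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$ToAzureAD
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "BitLocker is not enabled on $MountPoint; nothing to escrow."
    }
    # Only numerical RecoveryPassword protectors are usable for self-service recovery.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "No RecoveryPassword protector on $MountPoint. Add one with: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    foreach ($kp in $recovery) {
        # Writes the protector to the computer object in AD DS (needs the BitLocker
        # schema extension and write access to msFVE-RecoveryInformation).
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "AD DS escrow requested for $($kp.KeyProtectorId)"
        if ($ToAzureAD) {
            # Escrows the same protector to Azure AD so the user can retrieve it
            # from the My Devices / MyApps page.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "Azure AD escrow requested for $($kp.KeyProtectorId)"
        }
    }
}

# Run from a machine with the ActiveDirectory RSAT module: event 784 on the client
# only reports the client's view, so confirm the object actually exists in AD DS.
function Test-AdDsEscrow {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # msFVE-RecoveryInformation objects are children of the computer object.
    Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated' |
        Select-Object Name, 'msFVE-RecoveryGuid', whenCreated
}

Invoke-BitLockerEscrow -ToAzureAD
```

Test-AdDsEscrow returning no objects while the client logged event 784 is exactly the mismatch Mathieu describes above, and points at the DC-side write (schema, permissions, replication) rather than the client.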