How are Bitlocker keys being backed up to Entra ID in a hybrid environment?

Asked By CleverCactus92 On

I'm trying to understand how Bitlocker keys are appearing in Entra ID in our hybrid setup, where we have on-prem AD and devices that are domain joined and hybrid joined to Entra and Intune. We have a group policy that enforces the backup of Bitlocker keys to on-prem AD, and that has always worked fine. However, I've noticed that the keys are also showing up in Entra ID without running any specific scripts or policies to push them there. My understanding was that keys could only be stored in one location, depending on whether GPO or Intune policy was used. Can anyone explain if there's a new feature that allows this automatic backup, or should I be looking for a process that's transferring these keys to Entra? Just to clarify, we have PCs encrypting with Bitlocker and storing keys in AD before hybrid joining to Entra. Thanks!

3 Answers

Answered By DataDynamo44 On

Have you looked at the attributes checked in Entra Connect sync? It's worth verifying because there might be settings that allow for the keys to sync back to Azure. But as far as I know, it's not officially supported by Entra Connect sync for Bitlocker keys to automatically back up to both locations.

SkepticalSeal68 -

I thought that too! But if this feature isn’t supported by Entra Connect sync, then it raises more questions about how these keys managed to appear in Entra without any direct intervention.

Answered By GadgetGuru11 On

Have you checked for any Intune Policies that might have 'Require device to back up recovery information to Azure AD = Yes'? That could explain why the keys are in both places. Also, it's possible for keys to rotate when the BIOS gets updated, which could trigger them to be pushed to both Entra and AD.

TechSavant99 -

So you're saying that if the BIOS is updated on a hybrid joined PC, the Bitlocker key could rotate and automatically get sent to both Entra and AD? That definitely sounds possible!

Answered By TechyTimmy23 On

You might have an Intune policy running that you’re not aware of or perhaps a rogue PowerShell script is backing up the keys. It's worth checking your Intune settings just in case. Some organizations can have unexpected settings in place that automatically manage Bitlocker keys without the admin realizing it.

CuriousTurtle77 -

That’s what I was worrying about too, but we’re on Business Premium, so remediation scripts aren’t even an option for us!
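A way to answer the question from the device itself rather than guessing at policies: this is an added example, not code posted by anyone in the thread. It lists the BitLocker backup events (which say whether a key went to AD DS or to Entra ID), shows whether the GPO or an Intune/MDM policy is the source asking for backups, and prints the recovery protector IDs so they can be matched against the AD computer object and the Entra ID key list. The event IDs and registry paths are quoted from memory; confirm them against the message text in the log on your own build.

```powershell
# Added example (not from any poster above). Run in an elevated PowerShell on the
# hybrid-joined PC. Event IDs and registry paths are from memory (assumption);
# check them against the log's message text before relying on the result.

function Get-BitLockerBackupAudit {
    param([string]$MountPoint = 'C:')

    # 1) Backup events the BitLocker service writes each time it pushes a key.
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    $meaning = @{
        784 = 'Backed up to AD DS';               785 = 'Backup to AD DS FAILED'
        845 = 'Backed up to Entra ID (Azure AD)'; 846 = 'Backup to Entra ID FAILED'
    }
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 784, 785, 845, 846 } `
        -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Result  = $meaning[$_.Id]
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }

    # 2) Policy sources. GPO writes under ...\Policies\Microsoft\FVE; the BitLocker CSP
    #    (Intune) writes under ...\PolicyManager\current\device\BitLocker. Any values
    #    in the second key mean an MDM BitLocker policy is reaching this device.
    $gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $mdm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker' `
        -ErrorAction SilentlyContinue
    $policy = [pscustomobject]@{
        GpoAdBackupEnabled  = [bool]$gpo.OSActiveDirectoryBackup
        GpoAdBackupRequired = [bool]$gpo.OSRequireActiveDirectoryBackup
        MdmBitLockerValues  = if ($mdm) {
            ($mdm.PSObject.Properties | Where-Object Name -notmatch '^PS' |
                ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        } else { '<none: no Intune BitLocker policy applied>' }
    }

    # 3) Recovery-password protector IDs: compare with msFVE-RecoveryInformation on the
    #    AD computer object and with the key list shown for the device in Entra ID.
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId

    [pscustomobject]@{ BackupEvents = $events; PolicySources = $policy; RecoveryProtectorIds = $protectors }
}

Get-BitLockerBackupAudit | Format-List
```

An 845 event with a timestamp close to the hybrid join, together with values under the PolicyManager key, points at an Intune policy as the source; 845 events with an empty PolicyManager key point at something else (a script or a manual BackupToAAD-BitLockerKeyProtector call) and are worth correlating with PowerShell operational logs from the same time.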
