How Are BitLocker Keys Saved in Entra ID for Hybrid Joined PCs?

Asked By TechSavvySteve On

I'm trying to understand how BitLocker keys are managed in a hybrid environment with on-prem Active Directory and Entra ID Connect. We have all PCs domain-joined, and they're also automatically hybrid-joined to Entra and Intune. Our group policy has been set up for a while to back up BitLocker keys to on-prem AD, which has been working fine. However, I've recently noticed that the keys are also showing up in Entra ID. My assumption was that having keys in both locations wasn't possible by default—it typically goes to either AD or Entra based on whether you're using group policy or Intune for BitLocker enforcement. To store the keys in both places, one typically needs to use an Intune remediation script to push them. Yet, we're not running any scripts that would do this, and some newer PCs already have their keys in Entra ID. Is there a new feature that allows hybrid joined devices with keys in AD to automatically back up to Entra, or is there a hidden process I need to investigate that is pushing these keys up? Just to clarify, our setup involves PCs being domain joined with GPO enforcing BitLocker, which doesn't start unless keys are stored in AD, and upon first user login, the PCs are registered to that user in Intune.

3 Answers

Answered By SysAdminGuru On

It sounds like you might have an Intune policy running that requires devices to back up recovery information to Azure AD. Check if any policies are applied that you might have overlooked. It’s also possible you have some rogue PowerShell script running that’s doing this. Just a thought!

CuriousCat42 -

That's what I was thinking, but with everything on Business Premium, remediation scripts aren't supported here, which makes it puzzling!

Answered By EntraExplorer On

Have you checked if the attribute for key synchronization is enabled in your Entra Connect sync? It’s worth a look, though I thought this feature wasn’t supported by Entra Connect sync either.

SecuritySam -

I had the same question! I believe some attributes might not sync automatically, so it’s good to verify this.

Answered By BitLockerBuddy On

Have you checked your Intune policies? Look for an option that says 'Require device to back up recovery information to Azure AD'. Also, it might be worth considering if keys are being updated during BIOS updates, as sometimes a key rotation can push them to both Entra and Active Directory.

TechSavvySteve -

So are you suggesting that updating the BIOS on a hybrid joined PC could actually cause a key rotation that would push keys to both Entra and AD? That’s interesting!
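To turn the suggestions in the answers above (check for an Intune policy, look for a script that pushes keys, see whether the keys are really landing in both places) into something you can run, here is an added PowerShell audit for one of the affected hybrid-joined PCs. It is not from the original thread and is not Microsoft's code. It assumes the in-box BitLocker module (Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector) and dsregcmd.exe are present; the two registry paths and the event IDs 784/845/846 are what I would check first and should be verified against your own devices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): where is this device's BitLocker
# recovery information being backed up, and by what?

# 1. Join state. Hybrid joined = DomainJoined: YES and AzureAdJoined: YES.
Write-Host "== Join state (dsregcmd /status)"
dsregcmd /status | Select-String 'DomainJoined|AzureAdJoined|MdmUrl|TenantName'

# 2. Which policy source is telling BitLocker where to back up.
#    GPO settings from on-prem AD land under Policies\Microsoft\FVE
#    (OSActiveDirectoryBackup / OSRequireActiveDirectoryBackup, etc.).
#    Intune BitLocker CSP settings land under PolicyManager (assumption:
#    path as observed on MDM-enrolled devices; verify on yours).
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
)
foreach ($p in $policyPaths) {
    Write-Host "`n== $p"
    if (Test-Path $p) {
        Get-ItemProperty -Path $p | Select-Object -Property * -ExcludeProperty PS*
    } else {
        Write-Host '(not present)'
    }
}

# 3. Recovery-password protectors on the OS volume. Each one has an ID that
#    you can match against what AD DS and Entra ID show for the device.
Write-Host "`n== Recovery password protectors on $env:SystemDrive"
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$rp | Format-Table KeyProtectorId, KeyProtectorType -AutoSize

# 4. Backup events written by BitLocker itself. As I read the log:
#    784 = backed up to AD DS, 845 = backed up to Azure AD/Entra ID,
#    846 = backup to Azure AD/Entra ID failed. The Message text says which.
Write-Host "`n== Recent backup events"
$filter = @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 784, 845, 846
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Anything scheduled on the box that could be pushing keys up.
Write-Host "`n== Scheduled tasks whose actions mention BitLocker"
Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -join ' ') + ($_.Actions.Arguments -join ' ') -match 'BitLocker|BackupToAAD'
} | Select-Object TaskPath, TaskName, State

# For reference, this is what a push script would do per protector. Left
# commented out on purpose; run it only if you actually want the key in Entra.
# foreach ($k in $rp) {
#     BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $k.KeyProtectorId
# }
```

If step 4 shows 845 events with no matching task in step 5 and no MDM BitLocker values in step 2, the backup is being triggered by something other than a local script or an explicit Intune BitLocker policy, which is the case worth raising with Microsoft; the event timestamps also let you line the backups up against BIOS or firmware updates if you want to test the key-rotation theory from the last answer.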
