Windows 10: Bitlocker Key Not Appearing in On-Prem Active Directory and Azure Active Directory

Hi,I have a laptop where the user has been on extended leave and has tried to log back into BitLocker. They were fine up until a few days ago, when it asked for the recovery key. When I check AD and Azure AD, there is nothing there. I know the passcode being inputted is correct, but for some reason it says No Items in the View. When I right click the domain object and search using the recovery key ID, it returned no results. When I go to Azure AD and locate the device there, it says No BitLocker recovery key found for this device.Apart from wiping the laptop, any ideas regarding how to resolve

:)

 

Windows 10 and Azure Active Directory: Embracing the Cloud

Source: http://blogs.windows.com/business/20...ing-the-cloud/

 

Bitlocker and Azure Active Directory

Hi Rob-Nicholson-Malt

My name is Sarah Kong and I am an independent adviser that is here to try and help you with your issue.

On-premise domain accounts and Azure AD accounts are 2 separate accounts that you can login with.

You can join your PC to both Onprem AD and Azure AD.

What makes the difference is which one you login in with.

For my example let's say my work\onprem account is *** Email address is removed for privacy *** and my Azure AD account is *** Email address is removed for privacy ***.

If i login with the *** Email address is removed for privacy *** then i am authenticating to my onprem servers.

If I login with the *** Email address is removed for privacy *** then i am authenticating to Azure AD.

So as for your questions when you enable bitlocker which account are you logged in with? onprem or azure AD?

And if onprem i hope you have a GPO on your DCs that says recovery key stored in Active Directory. If that is the case then you don't have to worry about saving it to the cloud and yes IT staff would retrieve the key from the computer object for the user.

If they are logging in with their Azure AD account and enabling bitlocker then same thing IT will get it from the Devices in Azure AD.

 

Bitlocker and Azure Active Directory

When setting up Bitlocker on an Azure AD connected device, you have the following options: imgur.com

A question about the exact wording of "Save to your cloud domain account". IMO that's not totally clear where it stores it. It infers, to me, that it would save it against my user domain account. However, I suspect it's saved against the device in Azure
AD as that's the only place I can see this. Is this correct?

At the moment, the laptops are set-up by IT using their own account and a key step is to save the Bitlocker key. However, when a user first logs on, we also save it there. I suspect this later step is not needed.

Supplemental question - on the page linked below (which is the link from the Bitlocker screen), it says to access your Microsoft Azure account to get the Bitlocker key:

Find your BitLocker recovery key - Microsoft Support

Can I also confirm that this misleading for normal users as the profile page that this takes you to has no information about Bitlocker:

imgur.com

And that the only way a user can retrieve their Bitlocker recovery key is to ask an admin with access to the Azure portal to look it up based upon their computer name?