Synchronize Bitlocker recovery keys to local AD

Most companies work with different IT specialists: some are experienced in configuring and managing Microsoft Endpoint Manager, while others work in first-line support. In this situation IT does not want to grant first-line support access to the Microsoft Endpoint Manager portal. For example, first-line support may only have read access to the local Active Directory.

But what if an end user contacts the helpdesk and the helpdesk finds out that the user needs to enter their BitLocker recovery key? If the key is only stored in Microsoft Endpoint Manager, the helpdesk cannot look it up. The solution is to replicate the recovery key to the local AD.

Another option is for the user to log in on a different laptop and look up the recovery key in their Microsoft account.

For this configuration it’s recommended to use a Microsoft 365 license bundle or an EMS bundle.

Configure Device Writeback

A prerequisite for this configuration is that the devices are Hybrid Azure AD joined.

Follow the steps below to enable device writeback. Open your Azure AD Connect server and click the Azure AD Connect logo. In the task screen, click “Configure Device options”:

Click on next on the overview page:

Login with your Azure AD Global Admin Credentials:

Click on Configure device writeback:

Azure AD Connect will create a container to write back the computer objects, so you need to select the appropriate forest and the location where the container should be created:

Login with an enterprise admin:

Review the configuration changes that AAD Connect will perform and click on Configure:

Settings in Microsoft Endpoint Manager

I have created a Configuration Profile with profile type Endpoint Protection to enable BitLocker on the Windows 10 devices. This configuration allows standard users to perform the BitLocker encryption; if you do not enable the feature “Allow standard users to enable encryption during Azure AD join”, the user needs admin privileges. Also enable the option “Save Bitlocker recovery information to Azure Active Directory”, which stores the recovery key in Azure AD. The other options can be customized to your needs:

What does it look like?

Once device writeback is configured and the profile has been pushed to your desktops through Microsoft Endpoint Manager, you can see that the recovery key is stored in Azure AD and on the on-premises computer object.
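To verify that last step without logging in to the Endpoint Manager portal, here are two read-only checks written as an added example (this is not code from the original post). The first one is the helpdesk-side lookup: it reads the msFVE-RecoveryInformation child objects under the on-premises computer object, which only needs the read access first-line support already has, and filters them on the 8-character Recovery key ID the user reads from the BitLocker screen. The second one runs on the Windows 10 device itself and shows the recovery password protector IDs plus the latest BitLocker backup events, so you can confirm the key was actually backed up before relying on the AD copy. It assumes the RSAT ActiveDirectory module is installed on the helpdesk machine; the function and parameter names and the computer name in the usage lines are hypothetical.

```powershell
<#
  Added example, not part of the original post. Assumptions: RSAT
  ActiveDirectory module available on the helpdesk machine; recovery data is
  stored as msFVE-RecoveryInformation objects under the computer object
  (the standard AD DS schema for BitLocker recovery information).
#>

function Get-OnPremBitLockerRecovery {
    # Look up BitLocker recovery passwords stored under a computer object in
    # the on-premises AD. Read access to the computer object and its child
    # objects is sufficient, which fits a first-line helpdesk role.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: the 8-character "Recovery key ID" shown on the BitLocker
        # recovery screen, used to pick the right entry when several exist.
        [string] $RecoveryKeyId
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Each recovery password is a separate msFVE-RecoveryInformation object
    # directly below the computer object; the GUID is stored as a byte array.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    $result = foreach ($e in $entries) {
        $guid = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            Computer         = $computer.Name
            Created          = $e.whenCreated
            RecoveryKeyId    = $guid.ToString().Substring(0, 8).ToUpper()
            RecoveryPassword = $e.'msFVE-RecoveryPassword'
        }
    }

    if ($RecoveryKeyId) {
        # Match on the prefix the user reads out; compare case-insensitively.
        $result = $result | Where-Object { $_.RecoveryKeyId -eq $RecoveryKeyId.ToUpper() }
    }

    # Newest first: after a key rotation the older entries stay in AD.
    $result | Sort-Object Created -Descending
}

function Test-BitLockerRecoveryBackup {
    # Run on the Windows 10 device itself. Event 845 = recovery information
    # backed up to Azure AD successfully, 846 = backup to Azure AD failed.
    param([string] $MountPoint = 'C:')

    $volume     = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $volume.ProtectionStatus
        # KeyProtectorId looks like {GUID}; the recovery screen shows its first 8 characters.
        RecoveryKeyIds   = @($protectors | ForEach-Object { $_.KeyProtectorId.Trim('{}').Substring(0, 8).ToUpper() })
        BackupEvents     = Get-WinEvent -FilterHashtable @{
                               LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
                               Id      = 845, 846
                           } -MaxEvents 5 -ErrorAction SilentlyContinue |
                           Select-Object TimeCreated, Id, Message
    }
}

# Usage (hypothetical computer name and key ID):
# Get-OnPremBitLockerRecovery -ComputerName 'LAPTOP01' -RecoveryKeyId 'AB12CD34' | Format-List
# Test-BitLockerRecoveryBackup -MountPoint 'C:'
```

If the first function returns nothing for a device that shows a recovery key in Azure AD, the second function tells you whether the problem is on the client (no RecoveryPassword protector, or an event 846) or in the writeback/replication path; a device that has rotated its recovery password will also show several entries in AD, which is why the output is sorted newest first and the Recovery key ID is used to pick the right one.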

Published by jordyblommaert
