Forum Discussion

AhmedSHMK
Brass Contributor
May 30, 2024

HAADJ with Intune Co-Management

Hello,

- I have a HAADJ tenant with Intune Co-Management.
- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).
- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using co-management with SCCM, auto MDM enrollment with device credentials, and appear in Intune as co-managed.
- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD, as explained here.

Question(s):

1- For testing, we encrypt and remove Symantec Drive Encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after uninstall, the key is not requested.

2- After testing, the recovery key is stored in Intune but not stored in the below location:
https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select device -> View BitLocker Keys (it appears only in the test environment, where enrollment is done via user credentials as opposed to device credentials).

3- Devices in Azure under the following URL (Devices - Microsoft Entra admin center) show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. However, in Intune, devices show a primary user logged in as long as someone is logged in to Office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?
 
 
 
  •
    rahuljindal-MVP
    Bronze Contributor
    I'll try to answer your questions -

    Q1 - The recovery key is not presented after each reboot. It will only be presented when there is a change in HW or tampering with the TPM and/or settings.

    Q2 - Is the recovery key not present or not visible? Do you have the BitLocker policies applied from Intune? Also, the recovery key is escrowed in Entra ID and not in Intune. The recovery key in Intune is pulled from Entra ID.

    Q3 - Owner information in Entra ID should update and match the primary user in Intune. Have you tried asking the licensed Intune user to sign into the Company Portal app?
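Added example (not code from the thread or from Microsoft): a device-side check for the Q2 situation above. It lists, for every BitLocker volume, whether a RecoveryPassword protector exists (only that protector type can be escrowed), prints the protector IDs so they can be matched against the entry shown in Entra ID/Intune, and then reads the BitLocker Management event log for escrow results. The log name and the event IDs 845 (backup to Entra ID succeeded) and 846 (backup failed) are what this script assumes; the recovery password itself is never printed. Run it in an elevated PowerShell on the co-managed client.

```powershell
# Added example, not from the thread. Assumptions: BitLocker PowerShell module present,
# escrow results logged as events 845/846 in 'Microsoft-Windows-BitLocker/BitLocker Management'.

# Join state first: BackupToAAD-BitLockerKeyProtector needs an Entra joined or hybrid joined device.
(dsregcmd /status) -match 'AzureAdJoined|DomainJoined' | ForEach-Object { Write-Host $_.Trim() }

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    Write-Host "`n== $mp  ProtectionStatus=$($vol.ProtectionStatus)  VolumeStatus=$($vol.VolumeStatus)"

    # Only RecoveryPassword protectors are escrowed; TPM-only volumes have nothing to back up.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$mp has no RecoveryPassword protector, so nothing can be escrowed. Add one with: Add-BitLockerKeyProtector -MountPoint '$mp' -RecoveryPasswordProtector"
        continue
    }
    foreach ($p in $rp) {
        # The protector ID is what appears next to the key in Entra ID / Intune; the password is deliberately not shown.
        Write-Host "RecoveryPassword protector ID: $($p.KeyProtectorId)"
    }
}

# Escrow evidence from the last 30 days (assumed IDs: 845 = backed up to Entra ID, 846 = backup failed).
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No escrow events (845/846) since $since. To force a backup of one protector run:"
    Write-Host   "  BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<RecoveryPassword protector ID from above>'"
} else {
    $events |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'backed up to Entra ID' } else { 'backup FAILED' } } } |
        Format-Table -AutoSize
}
```

If a volume shows a protector ID but only 846 events (or none at all), the key was never escrowed and the Intune and myaccount views cannot show it; a successful 845 after forcing the backup confirms the device side is fine and the remaining question is which identity (device vs. user) the key was registered under.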
    •
      AhmedSHMK
      Brass Contributor

      Q1 - This happens only during the restart required in removing Symantec Drive Encryption. After that it does not occur; I suspect it's because it does not recognize it as fully removed until the second restart.

      Q2 - BitLocker policies are applied via Intune (co-managed hybrid Entra ID, and enrollment done via device credential, not user credential, since a UPN mismatch is not possible). However, we can see the recovery key in Intune and Company Portal but not in user accounts.

      Q3 - The Intune-licensed user is usually already logged in to Office/Company Portal (uses the same credentials for Office 365) when this occurs.
