BitLocker backup into Entra ID


We are in the process of setting up Hybrid Join. When I try to backup the bitlocker key to Entra ID I get the following error in the event viewer 

Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: *****************************

Error: Unknown HResult Error code: 0x80072efe. 

When I run the backup powershell script on the computer i get the following error: 

[screenshot of the PowerShell error; image not available]

I have logged in with my FQDN on the computer. The computer shows as compliant and co-managed.

I have also blocked the GPO that was handling BitLocker from being pushed to the computer. I have restarted and run gpupdate /force multiple times. Any assistance would be helpful.

I am unable to find anything online to resolve this issue. 

11 Replies
What is the status of BitLocker encryption on the device? Have you checked the BitLocker API event viewer log?
The status of the BitLocker Encryption shows Fully Encrypted.
manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

Size: 117.44 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password


The event Viewer log shows
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {***************************}
Error: Unknown HResult Error code: 0x80072efe
Anything leading up to the eventvwr log you shared? "The event Viewer log shows
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {***************************}
Error: Unknown HResult Error code: 0x80072efe”
FYI: the TraceId changes each time, which I think is probably normal.
The eventvwr entries leading up to the errors are just information and warning events.
The warning event: "BitLocker resealed boot settings to the TPM for volume C:."
Information event:
"BitLocker successfully sealed a key to the TPM.
PCRs measured include [7,11].
The source for these PCRs was: Secure Boot."
and
A trusted WIM file has been added for volume C:.
The SHA-256 hash of the WIM file is: (random characters)
Is the endpoint able to communicate with Azure services? Do you use FW\proxy with ssl inspection enabled?
Yes, the machine is Hybrid joined to Entra ID and is compliant in Endpoint Mgmt. No, we don't use a FW\proxy.

@DLock01 - can you back up the BitLocker key using the GUI?

- open Control Panel
- go to BitLocker
- select "Back up your recovery key"
- select "Save to your Azure account"

Then go to Azure portal > Devices > find your device > the BitLocker key should show up.

Can you answer the following?
1. Where are the BitLocker policies applying from? GPO or Intune
2. Is the issue affecting a particular model or multiple?
1. We are using GPO. I have even tried to block the GPO and configure the BitLocker policies in Intune, then reboot the computer. The policies inside Intune show a green check mark, but the BitLocker Recovery Key is still blank.
I am an Intune admin and a Global Reader for Entra ID.
2. Affect all models.
Compliance in Intune does not necessarily mean that the policy settings are taking effect successfully. Can you check in eventvwr again whether the BitLocker policies from Intune are applying correctly without any errors? Also, can you verify with the PowerShell script? https://rahuljindalmyit.blogspot.com/2021/06/how-to-force-escrowing-of-bitlocker.html
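The reply above points at a script that forces escrow of the recovery password. The block below is an added example, not the linked script and not code posted by anyone in this thread. It runs the same escrow call the script relies on (BackupToAAD-BitLockerKeyProtector, from the built-in BitLocker module), but first prints the device registration state from dsregcmd, because a green compliance mark in Intune does not prove the device has a usable Entra ID identity, and afterwards pulls the BitLocker-API events (845 on success, 846 on failure) so the result can be matched against the event viewer entries quoted earlier. It assumes the OS volume is C: and that it is run from an elevated PowerShell session on the affected device; the fallback that adds a recovery password when none exists is an assumption for completeness, since the manage-bde output above already shows a Numerical Password protector. For reference, 0x80072EFE is the HRESULT form of WinINet error 12030 (ERROR_INTERNET_CONNECTION_ABORTED), i.e. the HTTPS connection to the escrow endpoint was dropped, which is why the replies keep asking about proxies and SSL inspection.

```powershell
# Added example (not from the thread): escrow the BitLocker recovery password to Entra ID
# and collect the diagnostics the replies above ask for.
# Assumptions: OS volume is C:, elevated PowerShell session on the Hybrid-joined device.
$MountPoint = 'C:'

# 1. Show the device registration state. For Hybrid Join, AzureAdJoined and DomainJoined
#    should both be YES; AzureAdPrt shows whether the signed-in user has a token.
Write-Output '--- dsregcmd /status (join state) ---'
dsregcmd /status |
    Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:' |
    ForEach-Object { $_.Line.Trim() }

# 2. Locate the recovery password protector. Only the RecoveryPassword (Numerical Password)
#    protector type can be escrowed; TPM protectors cannot.
$volume = Get-BitLockerVolume -MountPoint $MountPoint
$recoveryProtectors = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    # Assumed fallback (not the situation in this thread): create a recovery password first.
    Write-Warning "No recovery password protector on $MountPoint; adding one."
    $recoveryProtectors = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# 3. Escrow each recovery password protector. A failing call throws here with the same
#    HRESULT that the BitLocker-API event log records (e.g. 0x80072EFE).
foreach ($kp in $recoveryProtectors) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Escrowed protector $($kp.KeyProtectorId) for $MountPoint to Entra ID."
    }
    catch {
        Write-Warning "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

# 4. Read back the most recent escrow events so the attempt above can be correlated
#    with the event viewer: 845 = backed up successfully, 846 = failed to back up.
Write-Output '--- BitLocker-API escrow events ---'
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 |
    Where-Object { $_.Id -in 845, 846 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If step 1 shows AzureAdJoined : NO, the escrow cannot succeed regardless of policy, so fix the join before retrying; if step 3 fails with 0x80072EFE while the join looks healthy, capture the outbound HTTPS traffic from the device during the call, since that code means the TLS connection was aborted rather than rejected by the service.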
So I checked the event viewer and I get the following entries:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {redacted}

Error: Unknown HResult Error code: 0x80072efe