Domain joined BitLocker recovery ID not updating in AD but is in MECM


Hi fellow professionals.


I have a question regarding BitLocker key recovery in AD. On-premises AD is based on 2008 R2, MECM environment is 1910 and Windows 10 is on 1909. 


I am working with a client who is seeing recovery keys being updated into AD inconsistently, and it seems to be intermittent. Devices can be either on the corporate network or using a VPN. What they are finding is that if they need to recover the key, it won't always update the value in AD.


The devices are also managed by ConfigMgr (MECM) and also recovery can be performed by Microsoft BitLocker Administration and Monitoring. If the recovery is performed here it successfully writes the drive recovery key into the MECM database.


During the OSD build there is a MECM task sequence to enable BitLocker and enable the key recovery into AD. This first key after the OSD build seems to always appear in AD; it's the subsequent ones where it changes.


My understanding is that once you set up MECM BitLocker, then, following the post-build of Windows 10, once the ConfigMgr client is installed and receiving MECM policies, the MECM BitLocker feature takes over.


I am just puzzled why the recovery key writes successfully for some devices and not others. I thought it may be because the client doesn't have a CMG and is unable to write the keys to AD over VPN; however, it appears to occur for corporate devices as well.


If anyone could clarify this it would be greatly appreciated.


Thanks
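A check that helps narrow down a question like this one, added here as an example and not part of the original post or of any Microsoft tooling: on the affected device, compare the recovery-password protectors BitLocker currently holds with the msFVE-RecoveryInformation objects stored under the computer's AD object, report any protector AD does not know about, optionally re-send it with Backup-BitLockerKeyProtector, and list the most recent AD backup success/failure events. It assumes the script runs elevated on the domain-joined device, that the RSAT ActiveDirectory module is installed and the account can read the recovery objects, and that event IDs 845 (AD backup succeeded) and 846 (AD backup failed) in the BitLocker Management log have the meaning I recall for them; verify those IDs against your own log.

```powershell
# Added example (not from the original post): reconcile local BitLocker
# recovery-password protectors with the msFVE-RecoveryInformation objects
# stored under this computer's AD object, and optionally re-send any that
# AD is missing.
#
# Assumptions: elevated session on the domain-joined device; RSAT
# ActiveDirectory module present; the account can read the recovery objects;
# the "Store BitLocker recovery information in AD DS" policy is in effect
# (if it is not, Backup-BitLockerKeyProtector fails, which is itself a finding).
[CmdletBinding()]
param(
    [switch]$Repair   # re-send protectors that are missing from AD
)

Import-Module BitLocker
Import-Module ActiveDirectory

# The recovery objects are children of the computer object in AD.
$computer  = Get-ADComputer -Identity $env:COMPUTERNAME
$adObjects = Get-ADObject -SearchBase $computer.DistinguishedName `
                          -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                          -Properties 'msFVE-RecoveryGuid', 'whenCreated'

# msFVE-RecoveryGuid is an octet string; turn it into a GUID so it can be
# matched against the KeyProtectorId values reported by Get-BitLockerVolume.
$adGuids = @{}
foreach ($o in $adObjects) {
    $g = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
    $adGuids[$g.ToString().ToUpper()] = $o.whenCreated
}

$report = foreach ($vol in Get-BitLockerVolume) {
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    foreach ($kp in $recoveryProtectors) {
        # KeyProtectorId is "{GUID}"; drop the braces for the hashtable lookup.
        $id   = $kp.KeyProtectorId.Trim('{', '}').ToUpper()
        $inAD = $adGuids.ContainsKey($id)

        if ($inAD) {
            $note = "in AD since $($adGuids[$id])"
        } elseif ($Repair) {
            # Same operation the enable-time AD backup performs; errors out if
            # the policy is absent or the DC cannot be reached.
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $inAD = $true
                $note = 'backup re-sent'
            } catch {
                $note = "backup failed: $($_.Exception.Message)"
            }
        } else {
            $note = 'MISSING from AD'
        }

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $kp.KeyProtectorId
            InAD           = $inAD
            Note           = $note
        }
    }
}

$report | Format-Table -AutoSize

# Recent AD backup outcomes recorded by the BitLocker service on this device.
# Assumption: 845 = AD backup succeeded, 846 = AD backup failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it first without -Repair to get the picture for one "bad" device. A protector shown as MISSING that then re-sends successfully with -Repair means the policy and the path to a DC are fine now, so the 846 events around the time that protector was created are where to look (they carry the failure reason). A protector that still fails to re-send gives you the error text directly, which separates a policy-not-applied problem from a connectivity one, and lets you compare the device-side result with what MECM already holds in its database.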

