Intune BitLocker on Hybrid Azure AD joined devices
HAADJ with Intune Co-Management
Hello,
- I have a HAADJ tenant with Intune Co-Management.
- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).
- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using co-management with SCCM, auto MDM enrollment with device credentials, and appear in Intune as co-managed.
- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD, as explained here: https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

Question(s):
1- For testing, we encrypt and then remove Symantec Drive Encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after the uninstall, the key is not requested.
2- After testing, the recovery key is stored in Intune but is not stored in the location below: https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select devices -> View BitLocker Keys (it appears only in the test environment, where enrollment is done via user credentials as opposed to device credentials).
3- Devices in Azure under the following URL https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId/Devices -> show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. In Intune, however, devices show a primary user logged in as long as someone is logged in to Office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?

Intune BitLocker silent encryption not working on Hybrid Azure AD devices
I have been facing an issue implementing Intune BitLocker silent encryption on Hybrid Azure AD joined devices. When logged into the device after Autopilot is completed (the account setup phase is skipped), I can see the device is backing up the recovery key only to AD, but not to Azure AD, for the OS drive. Even the BitLocker API log is not showing any failure log entry saying that it failed to back up the recovery key to Azure AD. After a day it is giving "Failed to enable silent encryption. Error: Access is denied" in the BitLocker API log, even though encryption is completed on the OS drive. I have checked sync as well and the device is syncing perfectly fine. Only after OS drive encryption is completed does fixed drive encryption start; it started encryption after a day, backed up the recovery key to Azure AD successfully, and didn't give any error. If I implement Intune BitLocker without Autopilot it works fine, but with Autopilot it gives an issue like this. Thank you in advance!