Bitlocker recovery key backup to azure error 846 access denied

  • Question

  • Hi everyone,

    Weird story: We have close to 100 workgroup laptops which are managed in SCCM (ICBM). We want to move them to Intune only without CMG. They all have BitLocker enabled on them. Here is what we do:

    1. Uninstall SCCM Client
    2. Change OS from education to pro
    3. Join to Azure with the laptop owner's user account
    4. Back up the BitLocker recovery key to the cloud
    5. Set the user as a standard user.

    Most of these laptops are 1803 and we want them to be upgraded via Intune. After 15 successful laptops, a laptop was unable to back up to domain cloud. Checking with Google I found out that an event log folder named BitLocker-API contains all the information about the BitLocker encryption process. I found error 846 detailing "Access Denied". My Google search found nothing so far.

    I decided to manually upgrade to 1909 and got the same result in my BitLocker. I then attempted to disconnect from Azure, delete the computer from both Intune and Azure and rejoin to Azure. This time I got both the "Can't backup to domain cloud" and "Your Active Directory domain schema isn't configured" ???

    I am at a loss, I can't reset the computer because of the coronavirus.

    Any help would be appreciated

    Rahamim.

    Thursday, June 25, 2020 4:27 AM
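An added check for step 4 of the procedure above (example code, not from the thread or from Microsoft): it verifies the Azure AD join state with dsregcmd, retries the recovery-key backup for the OS volume, and then reads the BitLocker-API result events (845 = backed up, 846 = failed) so the "Access Denied" failure can be reproduced and timestamped on one affected laptop. The drive letter C: and the ten-minute lookback window are assumptions.

```powershell
# Added example, not part of the original thread. Run from an elevated PowerShell
# session on the affected laptop. $MountPoint and the time window are assumptions.
$MountPoint = 'C:'

# 1. Backup to Azure AD only works when the device is Azure AD joined (or registered).
$dsreg  = dsregcmd /status
$joined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
if (-not $joined) {
    Write-Warning 'dsregcmd reports the device is not Azure AD joined; BackupToAAD will fail.'
}

# 2. Retry the backup for every recovery-password protector on the OS volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recoveryProtectors) {
    Write-Warning "No recovery password protector on $MountPoint; nothing to back up."
}
foreach ($kp in $recoveryProtectors) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Host "Backup requested for protector $($kp.KeyProtectorId)"
    } catch {
        # The cmdlet error is usually generic; the event log below has the real reason.
        Write-Warning "BackupToAAD failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

# 3. Read the outcome from the BitLocker-API channel: 845 = success, 846 = failure
#    (846 carries the Win32 error text, e.g. "Access is denied", in its message).
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If no 845 or 846 event appears at all, the backup request never reached the BitLocker service; an 846 with "Access is denied" points at the signed-in account or the device's Azure AD registration rather than at the volume.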

All replies

  • Hi Rahamim,

    For the error message: Your Active Directory Domain Services schema isn’t configured to run BitLocker Drive Encryption. Contact your system administrator

    The most likely scenario is that you have logged onto the computer with a local computer account rather than your Windows domain account. Try logging in with a domain account and enabling BitLocker.

    Regards

    Thursday, June 25, 2020 6:26 AM
  • Hi Teemo,

    Thanks for your reply. As I wrote, this is an Azure joined laptop, it is not Autopilot and the user that signed in has administrative rights and is not a local account on the computer. Also, the computer will not be in any way joined to a domain other than the Azure tenant.

    For clarity, before we joined to Azure we created two accounts (we don't want to enable the local administrator). One is called Admin and the other is called the user's first name. After joining to Azure and signing into the laptop with the user's email address, a new profile is created called the user's SamAccountName.

    Rahamim.

    Thursday, June 25, 2020 8:27 AM
  • Well, you could ask for help from AAD forum to see if they can give some ideas

    • Marked as answer by Rahamim Friday, June 26, 2020 10:38 AM
    Friday, June 26, 2020 7:49 AM
  • Hi Teemo,

    Good idea, I will paste this there and if there is an answer I will copy it here.

    Rahamim.

    Friday, June 26, 2020 10:39 AM