Azure AD - Bitlocker Key Storage?

  • Question

  • Hi All,

    Have searched online for an answer to this but not coming up with anything useful...

    I'm using tablet that I've upgraded to Windows 10, and domain joined it to my Azure AD (Azure AD only, not on-site AD or federation).

    Before domain joining it I had encrypted the OS drive with bitlocker and backed up the key to a Microsoft account. Since domain joining it I won't be using that account any more (no need now with Azure AD :) )

    The question is, if I only use my Azure domain login, when I select to backup the bitlocker key to my "Microsoft Account", where is it going and how can I retrieve it? (aka, does Azure AD support bitlocker key backup)

    I've had a look around the Azure AD portal and can't see anywhere that represents AD devices, keys etc.

    Hopefully the above makes sense!


    Nick Colebourn (MCM / MCSM SQL Server)

    Monday, August 3, 2015 2:22 PM

All replies

  • Not sure why this thread has been moved by a mod? It's quite clearly related to Azure AD and the capabilities of Azure AD in relation to bitlocker. the fact that it's based on a Windows 10 tablet is incidental. Can a mod move it back to the Azure AD forum so I have half a chance of a decent answer?

    Nick Colebourn (MCM / MCSM SQL Server)

    Tuesday, August 4, 2015 5:58 AM
  • Hi Nick,

    Thank you for your question.

    By my understanding, the location of the backup depends on you. If you back it up to Azure, it will be stored in Azure; if you back it up locally, it will be stored locally.

    If you want to retrieve it in Azure, you could consult Azure forum.

    If there are any questions regarding this issue, please be free to let me know.

    Best regards,

    Jim


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Wednesday, August 5, 2015 11:25 AM
  • With the greatest of respect please don't comment on this unless you know about the issue. There is no ability to back up to "local". When backing up the BitLocker key you can either "Backup to A Microsoft Account", "Save to File" or "Print".

    I originally asked this question in the Azure forum but another forum adviser decided the thread needed to go into a Windows 10 section for some unknown reason. My request to move it back has been ignored. To be honest it's what I've come to expect from the poor emphasis Microsoft now puts on its technical competencies whilst spending the budget on marketing instead.

    The question is really simple but let me re-phrase it:

    When a device is Azure AD ONLY joined, where do bitlocker key backups get stored when selecting the "backup to A Microsoft Account" option??


    Nick Colebourn (MCM / MCSM SQL Server)

    Thursday, August 6, 2015 3:46 PM
  • Hi Nick

    When I tried to do this I simply got a message saying "Can't sign in to your Microsoft account" and suggesting I log out and sign in with a Microsoft account.

    Hopefully they will add the option to back up straight to an Azure AD account but I haven't found the option yet.

    I hope this helps.

    Tom

    Thursday, August 20, 2015 1:48 PM
  • I have just been looking in Azure Ad and found the Bitlocker keys. 

    Login to the Microsoft Azure AD management site and  select the Active Directory that the user is a part of. Then select "Users" and click on the user that has joined the device, then go to "Devices" and select the device and click "View Details" at the bottom. This should then give you the Bitlocker Recovery Key.

    Tom

    Thursday, August 20, 2015 2:29 PM
  • Thanks for the reply Tom, appreciated.

    My "View Details" is greyed out, possibly due to my AD being the bog standard version. Do you have Premium AD or the standard version?

    Cheers

    Nick


    Nick Colebourn (MCM / MCSM SQL Server)

    Thursday, August 20, 2015 2:45 PM
  • I have the same issue. 

    Not much information about this. 

    Did you ever get any success?

    Wednesday, September 28, 2016 12:25 PM
  • Hi Herman, so it was a case of the capability not being ready when the product was released (as it seems is the case in a lot of MSFT products nowadays!) If I go to my Azure AD joined Windows Laptop or Tablet now I get the option to "Save to your cloud domain account" which then backs the key up to Azure. If you then check out your devices in Azure AD you can see the bitlocker key(s) against the device.

    I think this was added only recently though so I'd make sure you're running the W10 anniversary update if possible.

    I just wish MSFT could come back in these scenarios with "we're not there yet with that use case, it's on the roadmap and should be around in approx X months". Would save so much time and trouble.

    HTH

    Nick



    Nick Colebourn (MCM / MCSM SQL Server)

    Wednesday, September 28, 2016 12:35 PM
  • Thanks for the reply Nick. 

    I'm very surprised that MS does not have any solution for automatically storing BitLocker recovery keys on Windows 10 devices (tablets are auto-encrypted and back up the keys when joining Azure AD).

    We are deploying hundreds of Windows 10 laptops soon, the users are adding it themself to Azure AD and we want to enable Bitlocker on them.

    The only working solution right now is to force the end users to manually enable BitLocker and choose the "Store Bitlocker keys in Azure".

    We are looking to automate this.

    If we enable BitLocker prior to adding the device to Azure, the keys aren't backed up automatically, which would be a perfect scenario.

    Thursday, September 29, 2016 7:42 AM
  • No worries.

    This link might help you depending on the devices you're deploying:

    https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2016/03/14/automatic-bitlocker-on-windows-10-during-azure-ad-join/

    My deployment knowledge is way out of date nowadays but If I was a guessing man I'd suggest you could probably generate a PowerShell script to do the job as well and get the users to execute it to perform all the operations in one go. Pure guess though as my specialty is more in the SQL Server sphere.


    Nick Colebourn (MCM / MCSM SQL Server)

    Thursday, September 29, 2016 8:14 AM
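The two posts above describe the manual "Save to your cloud domain account" option and the wish to automate it for a fleet of Azure AD joined laptops, including the case where BitLocker was turned on before the device was joined. The script below is an added example, not code from any poster in this thread or from Microsoft. It uses the BitLocker PowerShell module cmdlets that shipped with Windows 10 1511 and later (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector), dsregcmd for the join check, and the BitLocker Management event channel for verification. It assumes a TPM, an already Azure AD joined device, and an elevated session; the five-minute event lookback window is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): enable BitLocker on the OS drive if needed,
# make sure a 48-digit recovery password protector exists, escrow it to Azure AD,
# and confirm the escrow from the BitLocker Management event log.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive   # usually C:

# 1. The AAD backup cmdlet only works on an Azure AD joined device; check before doing anything.
$joinState = dsregcmd /status
if (-not ($joinState -match 'AzureAdJoined\s*:\s*YES')) {
    throw 'Device is not Azure AD joined; recovery keys cannot be escrowed to Azure AD.'
}

# 2. A TPM is needed for the boot-time protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; fix that before enabling BitLocker.'
}

# 3. Turn BitLocker on with a TPM protector if the drive is still fully decrypted.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 4. A RecoveryPassword protector is the thing that gets escrowed. Devices encrypted
#    before the Azure AD join often have only a TPM protector, so add one if missing.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 5. Escrow every recovery password protector to Azure AD against this device object.
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Requested Azure AD escrow of recovery key ID $($kp.KeyProtectorId)"
}

# 6. Verify: event 845 = recovery information backed up to Azure AD, 846 = backup failed.
#    Do not treat the cmdlet returning as proof; the event log is what tells you it landed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-5)   # assumed window; adjust to taste
} -ErrorAction SilentlyContinue

if ($events | Where-Object Id -eq 846) {
    $events | Where-Object Id -eq 846 | ForEach-Object { Write-Warning $_.Message }
    throw 'Azure AD escrow failed; the key is NOT in Azure AD.'
}
if (-not ($events | Where-Object Id -eq 845)) {
    throw 'No 845 event seen yet; do not assume the key is in Azure AD until it appears.'
}
Write-Host "Recovery key(s) for $osDrive escrowed to Azure AD."
```

Run it from an elevated PowerShell on each device (a logon script or an Intune PowerShell script are the usual vehicles). The point of step 6 is that BackupToAAD-BitLockerKeyProtector returning without error does not by itself prove the key reached the directory; only the 845 event does, and an 846 event means the device is encrypted with no recoverable key anywhere but the local TPM, which is exactly the situation the thread is trying to avoid.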
  • Anyone get an answer to this? Since Microsoft have just prevented you from having a Microsoft and Office 365 account with the same email address, we're having to join new users/laptops to Azure AD so they can logon to the laptop with their single Office 365 account. I'm okay with this as it was confusing before but we encrypt with BitLocker by default and I need to find out how to recover the key from Azure AD.

    I can see the laptop in devices tab but "View details" is grayed out.

    Thanks, Rob.

    Thursday, October 6, 2016 3:55 PM
  • Hi Rob. This is my path to it:

    Old portal (manage.windowsazure.com)

    Active Directory

    Select your directory

    Users Tab>Select your user.

    Select "Devices" tab

    Select the device and click "View Details"

    This then shows the bitlocker key ID, the recovery key and the drive type.

    If the option is greyed out (it used to be greyed out for me and I can't remember how it ended up not greyed out, I certainly didn't change anything) then you're probably at the stage where you'll need to raise a support ticket.

    HTH.

    Nick


    Nick Colebourn (MCM / MCSM SQL Server)

    • Proposed as answer by Steve Goldner Sunday, February 26, 2017 4:44 PM
    Friday, October 7, 2016 9:03 AM
  • Nick,

    Thanks! I had updated a Lenovo test device UEFI firmware and it went into bitlocker recovery mode. The screen stated to visit https://account.activedirectory.windowsazure.com/n/#/devices to recover the key. But, when I went to that URL the page simply displayed this message "This functionality is not enabled or not available." I was able to find the key following your steps/directions from your post.

    Steve

    Sunday, February 26, 2017 4:48 PM
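A UEFI firmware update changes the platform measurements the TPM protector is sealed against, which is why the device above booted into recovery. The two functions below are an added example, not code from the poster or from Microsoft: they suspend BitLocker for exactly one reboot before the update so the TPM re-seals against the new measurements afterwards, print the recovery key IDs so you know which entry to look for in Azure AD if recovery happens anyway, and confirm that protection resumed. They use Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker from the Windows 10 BitLocker module and assume an elevated session on a TPM-protected OS drive.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): keep a firmware update from dropping a
# TPM-protected OS drive into BitLocker recovery.
$ErrorActionPreference = 'Stop'

function Invoke-BitLockerPreFirmwareUpdate {
    param([string] $MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection is not On for $MountPoint; nothing to suspend."
    }

    # Record the recovery key IDs first. The recovery screen shows the key ID, and
    # the Azure AD device entry is matched on the same ID, so you want it written
    # down somewhere other than the drive you may be locked out of.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Recovery key ID for $MountPoint : $($_.KeyProtectorId)" }

    # Suspend for one reboot only. The volume stays encrypted but the volume master
    # key is stored in the clear until protection resumes, so keep this window to the
    # single reboot the firmware update needs; never suspend with RebootCount 0.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended on $MountPoint for one reboot; apply the firmware update now."
}

function Confirm-BitLockerPostFirmwareUpdate {
    param([string] $MountPoint = $env:SystemDrive)

    # After the reboot protection should come back on its own and the TPM protector
    # is re-sealed against the post-update measurements. If something interrupted
    # that (for example a second reboot during the update), resume explicitly.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection still Off on $MountPoint after reboot; resuming."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Could not resume BitLocker protection on $MountPoint."
    }
    Write-Host "BitLocker protection is On for $MountPoint."
}

# Usage: run the first function, apply the firmware update and reboot, then run the second.
Invoke-BitLockerPreFirmwareUpdate
# ... firmware update and reboot ...
# Confirm-BitLockerPostFirmwareUpdate
```

Suspending does not change or remove the recovery password, so the copy escrowed to Azure AD stays valid; this only avoids the prompt. The same one-reboot suspend applies to anything else that changes the measured boot chain, such as a boot manager or Secure Boot configuration change.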
  • Hi Steve, glad the detailed steps worked for you. Interesting to see this issue still cropping up almost 2 years after it was identified!

    Cheers

    Nick


    Nick Colebourn (MCM / MCSM SQL Server)

    Wednesday, March 8, 2017 9:16 PM