Forum Discussion
DLock01
May 07, 2024 - Copper Contributor
BitLocker backup into Entra ID
We are in the process of setting up Hybrid Join. When I try to back up the BitLocker key to Entra ID I get the following error in the Event Viewer: Failed to backup BitLocker Drive Encryption recover...
rahuljindal-MVP
May 15, 2024 - Bronze Contributor
What is the status of BitLocker encryption on the device? Have you checked the BitLocker API event viewer log?
DLock01
May 15, 2024 - Copper Contributor
The status of the BitLocker Encryption shows Fully Encrypted.
manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 117.44 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
The Event Viewer log shows:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {***************************}
Error: Unknown HResult Error code: 0x80072efe
rahuljindal-MVP
May 15, 2024 - Bronze Contributor
Anything leading up to the eventvwr log you shared? "The Event Viewer log shows:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {***************************}
Error: Unknown HResult Error code: 0x80072efe"
rahuljindal-MVP
May 15, 2024 - Bronze Contributor
Is the endpoint able to communicate with Azure services? Do you use FW\proxy with SSL inspection enabled?
DLock01
May 16, 2024 - Copper Contributor
Yes, the machine is Hybrid joined to Entra ID and is compliant in Endpoint Mgmt. No, we don't use FW\proxy.
DLock01
May 15, 2024 - Copper Contributor
FYI: the TraceId changes each time, which I think is probably normal.
The eventvwr log leading up to the errors is just information and warning events.
The warning event: "BitLocker resealed boot settings to the TPM for volume C:."
Information event:
"BitLocker successfully sealed a key to the TPM.
PCRs measured include [7,11].
The source for these PCRs was: Secure Boot."
and
"A trusted WIM file has been added for volume C:.
The SHA-256 hash of the WIM file is: (random characters)"
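The checks the thread walks through (recovery password protector present, device joined to Entra ID, endpoint reachable, then the 0x80072efe event in the BitLocker-API log) can be run in one place and the escrow re-triggered on demand. The script below is an added example and not from the thread or from Microsoft; the volume letter, the sign-in host used for the reachability test and the event IDs 845/846 (success/failure of the Entra ID backup) are assumptions, and it needs an elevated PowerShell on the affected device.

```powershell
# Added example (not from the thread). Re-runs the Entra ID recovery key backup for the OS
# volume and reads the BitLocker-API log afterwards, so the failure can be reproduced and
# correlated with the join state and network checks suggested above. Run elevated.

$MountPoint = 'C:'   # assumed: the OS volume from the manage-bde output

# 1. A RecoveryPassword (Numerical Password) protector must exist; that is what gets escrowed.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { throw "No RecoveryPassword protector on $MountPoint; add one before escrow." }

# 2. The device must be Entra joined or hybrid joined; dsregcmd reports 'AzureAdJoined : YES'.
$dsreg = dsregcmd /status
if (-not ($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')) {
    Write-Warning 'dsregcmd does not report AzureAdJoined : YES; the backup cannot succeed yet.'
}

# 3. 0x80072efe is a WinINet "connection aborted" code, so check basic reachability to the
#    Entra sign-in host over TCP 443 (assumed host). A passing TCP test does not rule out an
#    inspecting proxy; that still needs the proxy logs.
$tnc = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443
if (-not $tnc.TcpTestSucceeded) { Write-Warning 'TCP 443 to login.microsoftonline.com failed.' }

# 4. Trigger the backup for every recovery password protector and record any error raised.
$start = Get-Date
foreach ($p in $rp) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host "Backup requested for protector $($p.KeyProtectorId)"
    } catch {
        Write-Warning "Backup failed for $($p.KeyProtectorId): $($_.Exception.Message)"
    }
}

# 5. Show only this run's outcome from the BitLocker-API log: 845 = backed up, 846 = failed
#    (the event quoted in the thread). The first line of the message carries the verdict;
#    the TraceId and HRESULT follow in the full message if needed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $start
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A second 846 right after the script's own backup call, with the TCP test passing, points the investigation at TLS interception or the device's token acquisition rather than at the volume or protectors.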