IBM Support

Windows 11 24H2 Task Sequence Fails at “Enable BitLocker” Step – Unable to Backup BitLocker Recovery Key to Active Directory

Troubleshooting


Problem

During OSD (Operating System Deployment) using Microsoft Configuration Manager (MECM/SCCM) or Microsoft Deployment Toolkit (MDT), the Task Sequence fails at the “Enable BitLocker” step on Windows 11 24H2 systems. The drive is successfully encrypted, but the step fails when attempting to back up the BitLocker numerical recovery key (password) to Active Directory Domain Services (AD DS).

Symptom

  • Task Sequence stops with error code typically 0x80070057 or 0x87D40006, or a generic BitLocker-related failure.
  • BDD.log / SMSTS.log contains entries similar to:
    Failed to save recovery password to Active Directory (0x80070057)
    The parameter is incorrect.
    BackupToAAD failed with error 0x80070057
  • The local disk is encrypted and BitLocker is active (protector visible in manage-bde -protectors -get C:).
  • No BitLocker recovery object (ms-FVE-RecoveryInformation) is created under the computer account in AD.

Cause

Windows 11 24H2 (Build 26100.x) introduced a change in the default BitLocker behavior during OSD:

  • When the Task Sequence runs the built-in “Enable BitLocker” step, it now attempts to back up the recovery key to Azure AD only by default (even in on-premises environments) unless explicitly told otherwise.
  • If the device is not Azure AD joined or hybrid joined at the time of the step, the backup to AAD fails.
  • The step is configured (by default in 24H2 templates) to fail the entire step if either AAD or AD DS backup fails, even if AD DS backup is desired.
  • Additionally, the required Group Policy settings or schema extensions for on-premises AD backup may be missing or not applied early enough in the task sequence.

Environment

  • Windows 11 24H2 (OS build 26100.xxxx)
  • Microsoft Endpoint Configuration Manager (Current Branch 2403 or later) or MDT 8456+ with ADK 10.1.26100.1 (Windows 11 24H2 ADK)
  • On-premises Active Directory (2008 R2 functional level and above, schema extended for BitLocker recovery)
  • Devices are domain-joined during the task sequence but not hybrid/Azure AD joined
  • BitLocker AD backup GPO applied, but not necessarily processed before the Enable BitLocker step

Diagnosing The Problem

  1. Review smsts.log, located in:
    • X:\Windows\Temp\SMSTSLog\smsts.log (WinPE phase)
    • C:\_SMSTaskSequence\Logs\smsts.log (after the disk has been formatted, while the task sequence is still running)
    • C:\Windows\CCM\Logs\smstslog\smsts.log (ConfigMgr, after the task sequence has finished or cleaned up)
    Look for lines containing “BackupToAAD” and error 0x80070057.
  2. Run manage-bde -protectors -get C: – a Numerical Password protector is listed, which confirms that encryption itself succeeded and only the backup failed.
  3. Check the computer object in Active Directory Users and Computers. With the BitLocker Recovery Password Viewer feature installed the object has a “BitLocker Recovery” tab; without it, use ADSI Edit and look for child objects of class ms-FVE-RecoveryInformation under the computer object. In the failure case none exist.
  4. Confirm the BitLocker recovery schema is extended (the ms-FVE-RecoveryInformation class and the ms-FVE-KeyPackage and ms-FVE-RecoveryPassword attributes are present in the schema partition).
  5. Verify the GPO “Store BitLocker recovery information in Active Directory Domain Services” is enabled and linked to an OU that contains the computer object. For operating system drives on current Windows the effective setting is “Choose how BitLocker-protected operating system drives can be recovered” with “Save BitLocker recovery information to AD DS for operating system drives” checked; it writes OSActiveDirectoryBackup=1 under HKLM\SOFTWARE\Policies\Microsoft\FVE on the client.
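The five checks above can be run in one pass. The following PowerShell is an added example written for this article, not the article's own script or a Microsoft tool. It assumes C: is the OS volume, that it runs elevated in the deployed, domain-joined OS (not WinPE), that smsts.log is still at the ConfigMgr post-format path, and that the schema objects use the common names ms-FVE-RecoveryInformation, ms-FVE-RecoveryPassword and ms-FVE-KeyPackage. It prints one PASS/FAIL line per check.

```powershell
# Added diagnostic for the "Diagnosing The Problem" list (example code, not from
# the IBM article or from Microsoft). Run elevated in the deployed OS.
# Assumptions: OS volume C:, ConfigMgr smsts.log path, ms-FVE-* schema common names.
$ErrorActionPreference = 'Stop'
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check ([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Name
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. smsts.log: the failing step leaves BackupToAAD / 0x80070057 entries
$log = 'C:\_SMSTaskSequence\Logs\smsts.log'
if (Test-Path -Path $log) {
    $hits = @(Select-String -Path $log -Pattern 'BackupToAAD|0x80070057')
    $last = if ($hits.Count) { $hits[-1].Line.Substring(0, [Math]::Min(120, $hits[-1].Line.Length)) } else { 'none' }
    Add-Check 'smsts.log free of BackupToAAD/0x80070057' ($hits.Count -eq 0) "$($hits.Count) hit(s); last: $last"
} else {
    Add-Check 'smsts.log found' $false "$log not present (check the WinPE or CCM\Logs location instead)"
}

# 2. Local BitLocker state: encrypted, and is a numerical (recovery password) protector present?
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
Add-Check 'C: has a RecoveryPassword protector' ($types -contains 'RecoveryPassword') `
    "VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus) Protectors=$($types -join ',')"

# 3. AD DS: any msFVE-RecoveryInformation child objects under this computer account?
$rootDse  = [ADSI]'LDAP://RootDSE'
$domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$filter   = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = [System.DirectoryServices.DirectorySearcher]::new($domain, $filter).FindOne()
if ($null -eq $computer) {
    Add-Check 'Computer object found in AD DS' $false "no computer with sAMAccountName $env:COMPUTERNAME`$"
} else {
    $child = [System.DirectoryServices.DirectorySearcher]::new($computer.GetDirectoryEntry(), '(objectClass=msFVE-RecoveryInformation)')
    $child.SearchScope = 'OneLevel'           # recovery objects are direct children of the computer object
    $count = $child.FindAll().Count
    Add-Check 'Recovery object under computer account' ($count -gt 0) "$count msFVE-RecoveryInformation object(s) under $($computer.Path)"
}

# 4. Schema partition: BitLocker recovery class and attributes present?
$schema = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
foreach ($cn in 'ms-FVE-RecoveryInformation', 'ms-FVE-RecoveryPassword', 'ms-FVE-KeyPackage') {
    $s = [System.DirectoryServices.DirectorySearcher]::new($schema, "(cn=$cn)")
    $s.SearchScope = 'OneLevel'
    Add-Check "Schema contains $cn" ($null -ne $s.FindOne()) ''
}

# 5. Policy: the OS-drive AD DS backup GPO writes these values under the FVE policy key
$p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
Add-Check 'AD DS backup policy in effect (OSActiveDirectoryBackup=1)' ($p.OSActiveDirectoryBackup -eq 1) `
    "OSActiveDirectoryBackup=$($p.OSActiveDirectoryBackup) OSRequireActiveDirectoryBackup=$($p.OSRequireActiveDirectoryBackup)"

$results | Format-Table -AutoSize -Wrap
```

The pattern the article describes shows up as: check 2 PASS (the protector exists locally), check 3 FAIL (nothing in AD DS) and check 1 FAIL (BackupToAAD lines in the log). If check 4 fails, the problem is the schema rather than the 24H2 step behaviour; if check 5 fails, the GPO had not been processed when the step ran.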


Resolving The Problem

Apply one or more of the following solutions. Fixes 1 and 2 are alternatives (fix 2 replaces the step that fix 1 configures); either can be combined with fix 3, and most customers combine fix 1 with fix 3:

  1. Force the Enable BitLocker step to back up only to AD DS (recommended). In the Task Sequence, edit the “Enable BitLocker” step and set:
    o Recovery tab → choose “Recovery key and package”
    o Uncheck “Wait for BitLocker to complete the drive encryption process…” (optional; the step then returns while encryption continues in the background)
    o Most important: set the task sequence variable OSDBitLockerBackupToAAD to False before the step runs. Add a “Set Task Sequence Variable” step immediately before “Enable BitLocker” (in MDT the variable can also be set in CustomSettings.ini); the Options tab of a step only holds run conditions and cannot set variables. This prevents the step from attempting Azure AD backup on 24H2.
  2. Use a custom script instead of the built-in step (alternative). Replace the built-in “Enable BitLocker” step with a “Run Command Line” or “Run PowerShell Script” step that enables BitLocker with a numerical recovery password protector and then backs that protector up to AD DS explicitly, for example with manage-bde:
    manage-bde -on C: -RecoveryPassword
    manage-bde -protectors -get C:
    manage-bde -protectors -adbackup C: -id "{<ID of the Numerical Password protector printed by the previous command>}"
    manage-bde -adbackup requires the protector ID (-adbackup is its own -protectors sub-command and cannot be combined with -add). The -RecoveryKey F: option sometimes seen with the first command is omitted because it writes a .bek file to a removable drive F: that is normally not present during OSD and is not needed for AD DS backup.
  3. Ensure the GPO is applied early. Add a “Restart Computer” step followed by a “Run Command Line” step running gpupdate /force before the Enable BitLocker step, or apply the BitLocker AD backup policy with a startup script, so the policy is in effect when the protector is created.
  4. If hybrid join is desired Ensure the device completes Hybrid Azure AD Join (via GPO or task sequence) before the Enable BitLocker step, so AAD backup succeeds.
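As an added example of fix 2 (not the article's or Microsoft's code), the following script can be run from a “Run PowerShell Script” step in place of the built-in “Enable BitLocker” step. It assumes C: is the OS volume, that a TPM is present and ready, and that the device was domain-joined by an earlier step; OSDBitLockerRecoveryProtectorId is a variable name chosen for this example. It uses only the in-box BitLocker module cmdlets and never calls the Azure AD backup cmdlet, so an on-premises-only device cannot fail on AAD backup the way the Cause section describes.

```powershell
# Added replacement for the built-in "Enable BitLocker" step (example code, not
# from the IBM article or from Microsoft). Uses only the in-box BitLocker module.
# Assumptions: OS volume C:, TPM present and ready, device already domain-joined.
# OSDBitLockerRecoveryProtectorId is a custom variable name (an assumption).
# Exit 0 = recovery password stored in AD DS; any other exit code fails the step.
$ErrorActionPreference = 'Stop'
$mount      = 'C:'
$maxRetries = 5     # AD DS backup retried: LDAP can fail transiently right after domain join
$retryDelay = 30    # seconds between attempts

function Write-TsLog ([string]$Message) {
    # stdout of a Run PowerShell Script step is captured into smsts.log
    Write-Output ("[{0:u}] {1}" -f (Get-Date), $Message)
}

try {
    $vol = Get-BitLockerVolume -MountPoint $mount

    # Step 1: start encryption if the volume is still clear. Enable-BitLocker needs a protector
    # type; use the TPM unless an earlier step already staged a TPM protector.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $hasTpm = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm').Count -gt 0
        if ($hasTpm) {
            Write-TsLog "TPM protector already present; enabling BitLocker on $mount with a recovery password"
            $vol = Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest
        } else {
            Write-TsLog "Enabling BitLocker on $mount (XTS-AES 256, used space only, TPM protector)"
            $vol = Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
        }
        $vol = Get-BitLockerVolume -MountPoint $mount
    } else {
        Write-TsLog "$mount is $($vol.VolumeStatus); skipping Enable-BitLocker"
    }

    # Step 2: make sure a numerical (recovery password) protector exists. Never write the
    # password itself to the log; only its protector ID is logged.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Write-TsLog 'Adding RecoveryPassword protector'
        $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    $protectorId = $rp[0].KeyProtectorId
    Write-TsLog "RecoveryPassword protector ID $protectorId"

    # Step 3: back that protector up to AD DS only (no BackupToAAD call), with retries.
    $saved = $false
    for ($i = 1; $i -le $maxRetries -and -not $saved; $i++) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $protectorId | Out-Null
            $saved = $true
            Write-TsLog "AD DS backup succeeded on attempt $i"
        } catch {
            Write-TsLog "AD DS backup attempt $i failed: $($_.Exception.Message)"
            if ($i -lt $maxRetries) { Start-Sleep -Seconds $retryDelay }
        }
    }
    if (-not $saved) { throw "Recovery password was not stored in AD DS after $maxRetries attempts" }

    # Step 4: hand the protector ID to later steps (custom variable name, an assumption).
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $ts.Value('OSDBitLockerRecoveryProtectorId') = $protectorId
    } catch {
        Write-TsLog 'Not running inside a task sequence; skipping TS variable'
    }
    exit 0
}
catch {
    Write-TsLog "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Place the step after the domain join has completed, set the step's PowerShell execution policy to Bypass, and leave “Continue on error” unchecked so that a non-zero exit fails the sequence instead of leaving an encrypted disk whose recovery password exists nowhere but on the device. The retry loop is the part the built-in step lacks: a fresh computer account can briefly be unreachable on the domain controller the client is using, and one failed LDAP write should not fail the deployment.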

After applying fix #1 (setting OSDBitLockerBackupToAAD=False), the task sequence completes successfully and the BitLocker recovery key is correctly stored in on-premises Active Directory.

This behavior is by design in Windows 11 24H2 and is documented in Microsoft’s updated BitLocker OSD guidance released in late 2024.

Document Location

Worldwide


Document Information

Modified date:
26 November 2025

UID

ibm17252834