BitLocker Escrow Failure: Could not back up recovery information to Cloud Domain (0x801C0450)
Product: PowerSyncPro | Windows BitLocker | Microsoft Entra ID
Applies To: Entra Joined Devices | Hybrid Joined Devices
Severity: Medium
Symptom
During or after a PowerSyncPro migration, the following error is encountered when attempting to escrow the BitLocker recovery key to Entra ID (Azure AD):
Could not back up recovery information to Cloud Domain, error code 0x801C0450
Cause
Error code 0x801C0450 resolves to DSREG_E_CERTPROVIDER_NOT_FOUND. This means the device could not locate a valid certificate to authenticate to Entra ID when attempting to escrow the BitLocker recovery key. The device tried to communicate with Entra ID but was unable to prove its identity.
This is most commonly caused by one or more of the following:
1. Entra ID registration not yet complete
The most common cause in a migration scenario. On hybrid joined devices, Entra ID registration happens asynchronously: Microsoft Entra Connect must first sync the on-premises computer object to Entra ID (the default sync cycle runs every 30 minutes), and only then can the device's Automatic-Device-Join scheduled task register it and obtain a PRT. If BitLocker escrow is attempted before registration completes, this error will occur.
2. Missing or expired Workplace Join certificate
The device certificate used to authenticate to Entra ID (issued by MS-Organization-Access, with the Entra device ID as its subject, stored in Cert:\LocalMachine\My) is missing, expired, or corrupt.
3. Primary Refresh Token (PRT) not yet issued
The device has not yet obtained a valid PRT from Entra ID, which is required for cloud authentication.
4. Entra ID device object disabled or deleted
The device object exists in Entra ID but has been disabled or deleted, preventing authentication.
5. Clock skew
The time difference between the device and Entra ID exceeds 5 minutes, causing certificate/token validation to fail.
Resolution
Step 1 — Check device registration state
dsregcmd /status
Review the following key fields:
| Field | Expected Value |
|---|---|
| AzureAdJoined | YES |
| AzureAdPrt | YES |
| TenantId | Your Entra Tenant ID |
| DeviceCertValidity | Valid, not expired |
If AzureAdPrt shows NO, the device has not completed Entra registration (or no user with a cloud identity has signed in) and escrow cannot proceed. AzureAdPrt is reported for the signed-in user's session, so run dsregcmd /status as the logged-on user rather than as SYSTEM.
Step 2 — Check the Workplace Join certificate exists
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*MS-Organization-Access*" }
If no certificate is returned, the device registration is incomplete or the certificate has been removed.
Step 3 — Wait for Entra Connect sync to complete
If the device has recently joined the domain, allow up to 30 minutes for Microsoft Entra Connect to sync the device object to Entra ID, then retry:
$KeyProtectorId = ((Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KeyProtectorId
Step 4 — Force re-registration if certificate is missing
# Trigger device registration (run from an elevated prompt)
dsregcmd /join
Then restart the machine and retry the escrow.
Step 5 — Check device is not disabled in Entra ID
In the Microsoft Entra admin centre, navigate to: Devices → All Devices → search for device name
Confirm the device status is Enabled.
Step 6 — Check for clock skew
# Show the time service status and the last successful sync
w32tm /query /status
# Measure the offset against a time source (time.windows.com is the Windows default; substitute your own)
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly
Ensure the device is synchronised and the reported offset is within 5 minutes; if it is not, run w32tm /resync from an elevated prompt and retry the escrow.
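The six steps above, rolled into one pre-flight script that reports which check fails before it attempts the escrow. This is an added example, not PowerSyncPro's or Microsoft's code. It assumes an elevated PowerShell session on the migrated device, run as the signed-in user (so AzureAdPrt reflects that user), an OS volume of C:, an English-language Windows (the regexes parse the English "Key : Value" output of dsregcmd and w32tm), and time.windows.com as the NTP peer (the Windows default; substitute your own). Step 5, the device object being Enabled in Entra ID, cannot be verified from the device without Graph access and is left to the admin centre.

```powershell
# Added example: pre-flight Steps 1-6 of this article, then attempt the Entra escrow.
# Assumptions: elevated PowerShell, run as the signed-in user; OS volume C:; time.windows.com reachable.

function Get-DsregStatus {
    # Step 1: turn the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-WorkplaceJoinCertificate {
    # Step 2: the device certificate issued by MS-Organization-Access, if any
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
}

function Get-ClockOffsetSeconds {
    param([string]$TimeSource = 'time.windows.com', [int]$Samples = 3)
    # Step 6: average the offsets w32tm /stripchart prints as "12:00:01, +00.0123456s"
    $offsets = @(foreach ($line in (w32tm /stripchart "/computer:$TimeSource" "/samples:$Samples" /dataonly)) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { return $null }   # source unreachable; the caller reports it
    return ($offsets | Measure-Object -Average).Average
}

function Test-EntraEscrowReadiness {
    param([int]$MaxSkewSeconds = 300, [string]$TimeSource = 'time.windows.com')
    $problems = @()
    $s = Get-DsregStatus
    if ($s['AzureAdJoined'] -ne 'YES') { $problems += 'AzureAdJoined is not YES: device not registered to Entra ID yet (Steps 3-4)' }
    if ($s['AzureAdPrt']    -ne 'YES') { $problems += 'AzureAdPrt is not YES: no PRT; registration incomplete or no cloud user signed in (Step 3)' }
    $now  = Get-Date
    $cert = Get-WorkplaceJoinCertificate
    if (-not $cert) {
        $problems += 'No Workplace Join certificate (issuer MS-Organization-Access) in Cert:\LocalMachine\My (Step 4)'
    } elseif (-not ($cert | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })) {
        $problems += 'Workplace Join certificate is present but expired or not yet valid (Step 4)'
    }
    $offset = Get-ClockOffsetSeconds -TimeSource $TimeSource
    if ($null -eq $offset) {
        $problems += "Could not measure clock offset against $TimeSource (Step 6)"
    } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        $problems += ('Clock offset {0:N1}s exceeds {1}s; run w32tm /resync (Step 6)' -f $offset, $MaxSkewSeconds)
    }
    return $problems
}

function Invoke-EntraBitLockerEscrow {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($protectors.Count -eq 0) {
        throw "No RecoveryPassword protector on $MountPoint; add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    foreach ($p in $protectors) {
        # The same call as Step 3, once per recovery password protector
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Escrow requested for protector $($p.KeyProtectorId)"
    }
    # Confirm the outcome from the BitLocker Management log rather than from the cmdlet's return value
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 |
        Where-Object { $_.Message -match 'Cloud Domain|Azure AD|Entra' } |
        Select-Object TimeCreated, Id, Message | Format-List
}

$problems = @(Test-EntraEscrowReadiness)
if ($problems.Count -eq 0) {
    Invoke-EntraBitLockerEscrow -MountPoint 'C:'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Resolve the above (and confirm the device object is Enabled in Entra ID, Step 5) before retrying escrow.'
}
```

Running the readiness check first matters because BackupToAAD-BitLockerKeyProtector itself gives little diagnostic detail; the 0x801C0450 error surfaces in the BitLocker Management event log, not in the cmdlet's output, which is why the script reads that log after the attempt. The escrow loop handles a volume with more than one recovery password protector, a case the single-variable form in Step 3 does not cover.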
Prevention
In a PowerSyncPro migration workflow, ensure the following before attempting Entra BitLocker escrow:
- Entra Connect sync cycle has completed after domain join
- dsregcmd /status confirms AzureAdJoined: YES and AzureAdPrt: YES
- Workplace Join certificate is present in Cert:\LocalMachine\My
- Device object is enabled in Entra ID
- Device time is synchronised
Related Articles
- BitLocker Escrow Failure: Could not back up recovery information to Active Directory (0x1)