How to manage BitLocker on an Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD, either manually or by using a provisioning package, BitLocker will be enabled automatically if your device meets the prerequisites. However, in the case that BitLocker is disabled, this is how you enable BitLocker, save the BitLocker key protector (also known as the recovery key) to AAD, and retrieve the key in case you need it. So this blog post is both for the end user and the IT pro, I guess.

In this scenario we have configured a Device Compliance Policy in Intune that requires encryption of data storage on devices, and assigned the policy to all Mobile Users. Like so…


Now, from the user side, they will receive a notification that their device is not compliant with company policy and that encryption is needed. Click on the notification to start the encryption process.


Make sure you do not have any other device encryption software installed, and click Yes.


Make sure that you save the recovery key to your cloud account. You will be notified when the recovery key has been saved.



Choose the new encryption mode (which is XTS-AES 128).


Start encryption and go to a long lunch. This can take some time… but you can work as normal alongside the encryption process.


Confirm that the encryption process is complete.


Now the encryption process is done and your data is secure. But how do we recover the drive in the case where we lose access to it? Well, the key is stored in AAD and can be recovered easily by the end user or by an administrator.

To retrieve the recovery key, go to the following link and log in with your corporate credentials (Work/School account):

Find your computer by name and click on Retrieve BitLocker keys.




You can do the same in Azure Active Directory by going to Users and Groups and searching for the user.




And there you go. There is no way to automate the encryption process from Intune. But I hope we at some point will be able to execute PowerShell scripts, where we could automate the process. As far as I know this only works with Windows 10 1703, as the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which you need to save the recovery key to AAD, is only in 1703 and up. If you want to experiment with PowerShell, here is the script I created. It works, and it simply does the same as the manual steps above.
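The author's script itself did not survive on this page, so what follows is an added example of my own (not the author's script) that performs the same steps as the manual wizard above: enable BitLocker with XTS-AES 128 if the OS drive is still decrypted, make sure a numerical recovery password exists, escrow it to Azure AD, and check the BitLocker event log for the result. It assumes an elevated local PowerShell session on an Azure AD joined Windows 10 1703 or later device; the event IDs 845/846 used for the final check are my assumption and should be confirmed against your own build.

```powershell
# Added example (not the author's script). Enables BitLocker on the OS drive if it is
# still off, makes sure a numerical recovery password exists, and backs every recovery
# password up to Azure AD. Needs an elevated local session on a Windows 10 1703+ device
# that is Azure AD joined; BackupToAAD-BitLockerKeyProtector is not available earlier.
$MountPoint = $env:SystemDrive   # normally "C:"
$BLV = Get-BitLockerVolume -MountPoint $MountPoint

if ($BLV.VolumeStatus -eq 'FullyDecrypted') {
    # Same choices as the manual wizard on the page: XTS-AES 128, used space only,
    # a recovery password for recovery plus the TPM as the everyday unlock protector.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -UsedSpaceOnly `
        -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    $BLV = Get-BitLockerVolume -MountPoint $MountPoint
}

# Select protectors by type. Index [1] is not reliable: the TPM protector and the
# recovery password can appear in either order, and other protectors may exist.
$Recovery = @($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($Recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $BLV = Get-BitLockerVolume -MountPoint $MountPoint
    $Recovery = @($BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

foreach ($kp in $Recovery) {
    # Escrow this recovery password to the device's Azure AD object.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# Confirm the escrow in the BitLocker management log. Assumed IDs: 845 = recovery
# information backed up to Azure AD, 846 = backup failed. Verify the message text.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The recovery password is only useful for recovery if the escrow succeeded, so treat a missing success event (or a failure event) as a reason to re-run the backup rather than assume the key is in AAD.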

Stay tuned for more posts.

And do not forget to leave a comment if you have any questions.


About the Author:

Marius A. Skovli
Microsoft Enterprise Client Management Evangelist with:
  • 10+ years experience within Microsoft System Management Solutions
  • Extensive experience across Private and Public Sector
  • Passion for Community Driven work, volunteering within Microsoft technology
  • Great belief that sharing experience within fellow peers is key to creating a sustainable society
  • Strong commitment to System Center User Group Norway as co-founder and current leader

I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have for the last 10+ years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where I today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consist of speaking and presenting at different events and seminars, doing research and blogging about solutions I find and products I work with.

I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key, and as an act on this I co-founded System Center User Group Norway. SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center space from Microsoft. This is a free arena for everybody to join who is interested in or enthusiastic about the Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter).

Specialties: System Center Configuration Manager (SCCM 2007 - SCCM 2012), Enterprise Mobility and Intune, Windows and Windows Server deployment.


  1. Tobi April 26, 2017 at 16:39 - Reply

    Nice Posting and nice cmdlet!

    For bulk AAD joined devices that are not assigned to a specific user it also works using the cmdlet "BackupToAAD-BitLockerKeyProtector". The event log says successfully backed up. But how can we then access the recovery key? Any ideas?

  2. Mike M. June 29, 2017 at 19:49 - Reply

    Have you found a way to get a recovery key via PowerShell? In your step above (You can do the same in Azure Active Directory by going to Users and Groups and searching for the user), I do see the key; however, I can't copy it and can only view the entire key by hovering over it. I've looked through the new Azure AD PowerShell Version 2, but nothing relating to getting the keys is listed.


  4. uday September 15, 2017 at 2:19 - Reply

    I have done the BitLocker encryption policy and successfully pushed the policy to Windows 10 machines. However, I would like to know when the recovery key will be updated in the Azure portal, or is there any specific setting to be made to set the recovery path for the key?


    • Marius A. Skovli November 15, 2017 at 14:32 - Reply

      The recovery key will be uploaded to the AAD computer object when the user starts the encryption process. For always-on, connected-standby devices it will happen when they do the Azure AD Join.

  5. jannik November 15, 2017 at 12:51 - Reply

    I'm also in need of accessing the Azure AD synced BitLocker key in a programmatic way, but haven't found any solution yet.

  6. Paul Wetter April 26, 2018 at 20:14 - Reply

    Your solution seems to assume that KeyProtector[1] is the recovery password. This isn't always the case. I think this would be better:

    # Read the OS volume and pick the protector by type instead of by index
    $BLV = Get-BitLockerVolume -MountPoint "C:"
    $BackupPassword = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    # Escrow that recovery password to Azure AD
    BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BackupPassword.KeyProtectorId

  7. Hugoadmin May 11, 2018 at 7:21 - Reply

    I have an on-premises environment, and machines are synced to Azure AD. Devices (Windows 10 1803) are showing up in Azure with two join types, "Azure AD registered" and "Hybrid Azure AD joined". As admin I see users' BitLocker keys when I select a device whose join type is "Hybrid Azure AD joined". When I select the identical device under join type "Azure AD registered", BitLocker keys don't show up, and because users are connected to devices through the "Azure AD registered" join type they can't see BitLocker keys in Do you have any suggestions how I can display BitLocker keys under "Azure AD registered" devices?

    • Peter May 29, 2018 at 14:15 - Reply

      Lucky you;
      I'm in the same situation, but the second device account only shows MDM MS Intune, no join type, and both have no registration date. And no recovery keys are shown for either device, even though I have set the BitLocker policy "Save BitLocker recovery information to Azure AD" as required.

  8. Kevin August 23, 2018 at 6:47 - Reply

    Dear Sir/Madam,

    Is it possible to export a report for all users in Azure AD showing whether their BitLocker recovery keys have been uploaded to Azure AD or not?

    Thanks & Regards,

  9. Sergei August 27, 2018 at 17:13 - Reply

    Thanks. Very good article. I would be grateful if you could tell me what I'm doing wrong. I run your script remotely via Enter-PSSession. This line, BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId, gives "BackupToAAD-BitLockerKeyProtector : Catastrophic failure (Exception from HRESULT: 0x8000FFFF (E_UNEXPECTED))". Perhaps you have thoughts on this?

  10. Chris August 30, 2018 at 23:48 - Reply

    GOOD JOB!!!!
