Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.


If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.


Select All Devices.


Select the PC in question from the list.


Now select the Recovery keys option.


On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.


If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.


Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.


If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.


If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:


and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.

5 thoughts on “Upload Bitlocker keys to Azure AD

  1. What about non-OS drives? I have the option to upload my OS drive recovery key to Azure AD, but not my external backup drive key.


      1. This is incorrect. I have my system drive and data drive encrypted with bitlocker backed up to my microsoft account. Each drive has its own bitlocker ID and key.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s