Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information

3 thoughts on “Where is the Bitlocker Key stored within Microsoft Azure AD

  1. Is there a way to save the Bitlocker recovery key to BOTH on-premise AD and AAD? Now that our devices are registered in both AD and AAD, the recovery keys are only stored in AAD. That is giving us false errors in our reports that check Bitlocker health as they only run off on-premise AD.

    1. You can try to create something with OU in AD to separate devices so you can control some machines in AD with policies and others in AAD with device configuration. But to be honest i wouldn’t go for that. I would choose for one authoritative (AAD) and go from there. It is the best and safest solution in my opinion even if you are using Co management or whatsoever.

  2. Thanks. I don’t even know how a small handful of PCs ended up registered in AAD, about 20 out of 1000. Some have their bitlocker keys there while others do not. We don’t join the Azure domain, only on-premise and we’re not using co-management. I think we’ll need to open a ticket with Premier to find out what’s happening.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.