Bitlocker automatically activated on private windows computers

Sukhman Singh Nijjar 16 Reputation points
2022-09-27T06:38:22.83+00:00

Hi,

We have received inquiries from users that their private computer is asking for a Bitlocker key. It looks like the users had downloaded the Office 365 apps on their private computer and logged in with their Microsoft 365 (work and school) account to activate the Office 365 apps.

After that, the computers were automatically Azure AD registered, which led to Bitlocker being automatically activated on their private computer - and the Bitlocker key "secretly" got stored in Azure AD (without the users knowing).

Is there any solution for a Global Admin in Microsoft 365 to prevent private computers being Azure AD registered, or prevent Bitlocker activating for Azure AD registered computers?

Best regards,
Sukhman


2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 33,706 Reputation points Microsoft Employee
    2022-09-29T02:12:35.897+00:00

    Hi @Sukhman Singh Nijjar ,

    Thanks for your post!

    Is there any solution for a Global Admin in Microsoft 365 to prevent private computers being Azure AD registered, or prevent Bitlocker activating for Azure AD registered computers?

    Short answer: not really, but there are some options available depending on your end goal.

    If you want to unmanage the devices altogether, you can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune. Or you can disable the encryption from the device itself, as mentioned here.

    Otherwise there is an endpoint protection policy where you can set Bitlocker to "Not configured" under Endpoint security > Disk encryption > Create Policy. But there is no option there to disable it entirely and users who select "Allow My Organization To Manage My Device" may still end up with devices that are registered with Bitlocker keys in Intune.

    The Bitlocker process is an automated process in Windows and does not need any policy to get enabled. Bitlocker will automatically encrypt the device and back up the recovery key in the following scenarios:

    1) When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.

    2) If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.

    3) If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives Group Policy setting, and select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.

    4) Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

    This is partly a security measure because if the device gets broken you need the Bitlocker recovery key from Azure AD and if it's deleted from Azure AD, you will lose your data.

    I am happy to share your feedback along to the product team if you feel that improvements should be made to the available options.

    Resources:

    Overview of BitLocker Device Encryption in Windows
    How to disable Bitlocker for Azure AD Registered machines
    Disable Bitlocker for BYOD

    -
    If the information helped you, please Accept the answer. This will help us and other community members as well.

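The sequence of states the answer above describes (Device Encryption initialized with a clear key, then a TPM protector created and a recovery password backed up once an Azure AD or Microsoft account signs in) can be verified on the device itself. The PowerShell script below is an added example, not code from this thread or from Microsoft. It relies only on the built-in BitLocker module cmdlets (Get-BitLockerVolume, Disable-BitLocker) and dsregcmd.exe; the OSRequireActiveDirectoryBackup registry value used to read the Group Policy setting from point 3, and the removable-media backup folder, are assumptions labelled as such in the code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): audit the BitLocker state the answer
# describes and the Azure AD registration state that triggers it. Run in an elevated
# PowerShell on the Windows device being checked.

function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Get-DeviceIdentityState {
    # dsregcmd /status reports "AzureAdJoined : YES/NO" and "WorkplaceJoined : YES/NO";
    # WorkplaceJoined is the "Azure AD registered" state from the question.
    $lines = & dsregcmd.exe /status 2>$null
    [pscustomobject]@{
        AzureAdJoined     = Get-DsregValue $lines 'AzureAdJoined'
        AzureAdRegistered = Get-DsregValue $lines 'WorkplaceJoined'
        DomainJoined      = Get-DsregValue $lines 'DomainJoined'
    }
}

function Get-RequireAdBackupPolicy {
    # Assumption: the Group Policy setting named in point 3 of the answer is stored under
    # the FVE policy key as OSRequireActiveDirectoryBackup (1 = do not enable BitLocker
    # until recovery information is stored in AD DS). Returns $null when not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    (Get-ItemProperty -Path $key -Name OSRequireActiveDirectoryBackup -ErrorAction SilentlyContinue).OSRequireActiveDirectoryBackup
}

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        $tpm      = @($protectors | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $recovery = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # Map the cmdlet output onto the states described in the answer.
        $state =
            if ($vol.VolumeStatus -eq 'FullyDecrypted') {
                'Not encrypted'
            } elseif ($vol.ProtectionStatus -eq 'Off' -and $tpm.Count -eq 0) {
                # Encrypted with a clear key: the "suspended" state before any protector
                # exists (the yellow warning icon in Explorer).
                'Device Encryption initialized with a clear key (suspended)'
            } elseif ($vol.ProtectionStatus -eq 'Off') {
                'Protectors exist but protection is suspended'
            } elseif ($recovery.Count -eq 0) {
                'Protected, but no recovery password protector exists'
            } else {
                'Protected (TPM protector + recovery password)'
            }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionMethod    = $vol.EncryptionMethod
            State               = $state
            # Only the protector IDs are listed here; the password itself stays out of the report.
            RecoveryProtectorId = ($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', '
        }
    }
}

function Save-RecoveryPasswordCopy {
    # Writes each volume's recovery password to a file the owner controls, so the data stays
    # recoverable even if the copy held in Azure AD is deleted (the risk noted in the answer).
    # Assumption: $Folder is on removable media, not on the encrypted volume itself.
    param([Parameter(Mandatory)][string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
            $name = 'BitLocker-{0}-{1}.txt' -f ($vol.MountPoint -replace '[:\\]', ''), $p.KeyProtectorId.Trim('{}')
            "Volume: $($vol.MountPoint)`r`nProtector ID: $($p.KeyProtectorId)`r`nRecovery password: $($p.RecoveryPassword)" |
                Set-Content -Path (Join-Path $Folder $name) -Encoding ASCII
        }
    }
}

# Usage
Get-DeviceIdentityState | Format-List
Get-BitLockerAudit | Format-Table -AutoSize
'Policy OSRequireActiveDirectoryBackup: ' + (Get-RequireAdBackupPolicy)
# Save-RecoveryPasswordCopy -Folder 'E:\BitLockerKeys'   # removable media (assumed path)
# Disable-BitLocker -MountPoint 'C:'                      # decrypts the drive, as the linked article describes
```

On a personal device in the situation from the question, the audit typically shows AzureAdRegistered = YES, the OS volume as "Protected (TPM protector + recovery password)", and no AD DS backup policy configured; a clear-key result on a device that never signed in with a work or Microsoft account is the expected "suspended" state from point 1. Saving a local copy of the recovery password before deleting the device from Azure AD, or before an admin removes it from Intune, is the step that avoids the data-loss case the answer warns about.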

  2. Limitless Technology 43,926 Reputation points
    2022-09-29T08:35:58.873+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query related to disabling Bitlocker on Azure AD joined machines.

    If you are using Intune, then you can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune.

    Reference : https://learn.microsoft.com/en-us/answers/questions/523911/bitlocker-for-azure-ad-registered-machine.html

    ------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--
