Is it possible to prevent a Bitlocker key from being stored in the Microsoft account?

Martin Fessler 16 Reputation points
2023-07-27T23:17:40.5066667+00:00

Hello,

As written in the documentation, there are situations where a BitLocker key is automatically saved in the Microsoft account:

Your device is a modern device that meets certain requirements to automatically enable device encryption: In this case your BitLocker recovery key is automatically saved to your Microsoft account before protection is activated.

An owner or administrator of your personal device activated BitLocker (also called device encryption on some devices) through the Settings app or Control Panel: In this case the user activating BitLocker either selected where to save the key or (in the case of device encryption) it was automatically saved to their Microsoft account.

Source: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

Is there a GPO/Registry Key to prevent the key from ever leaving the device?

Can I assume that if I delete the key in my online account and then change the key and save it locally, it will not be uploaded automatically?

Thanks and greetings,
Martin

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Wesley Li-MSFT 4,576 Reputation points Microsoft External Staff
    2023-07-28T07:09:06.14+00:00

    Hello

    Yes, it is possible to prevent a BitLocker key from being stored in the Microsoft account. There is a Group Policy setting called “Control use of BitLocker on removable drives,” which can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. This policy can be used to disable BitLocker on removable drives.

    If you delete the key in your online account and then change the key and save it locally, it will not be uploaded automatically. You can back up the BitLocker recovery key for an encrypted drive by printing it, saving it to your Microsoft account, saving it to a USB flash drive, and/or saving it to a file where you like. It is recommended to store the recovery key separately from your computer, and to make additional copies to be safe and have them available if you ever need to recover the encrypted drive. However, if you choose not to save it to your Microsoft account, it will not be uploaded automatically. You can also delete a backed-up BitLocker recovery key on your OneDrive after it was saved to your Microsoft account in Windows 10.

    1 person found this answer helpful.

  2. Will 425 Reputation points
    2023-07-28T04:43:56.6233333+00:00

    What you're referring to depends on your computer setup and your logon account. If memory serves, for the BitLocker Recovery Key (BLRK) - IF

    1. Computer is domain joined
      • Then the key is saved to Active Directory.
    2. Computer is a standalone but you use a Microsoft account to log into your computer
      • The BLRK is saved to the Microsoft cloud
    3. Computer is a standalone but you use a local administrative user
      • Because there's nowhere to save it, BL should ask you where to save it - as a file or print it.
    4. Backing up after Bitlocker is enabled
      • It will ask you where to back it up to: local file, save to USB key, print or Microsoft account

    Bottom line: As far as I'm aware there's only one scenario where it's automatically backed up to MSFT and you don't have a choice, it just does it automagically. The only other time is post-encryption and you get the choice.
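As an added example (not part of either answer above), the "delete it online, then change the key and keep it locally" procedure from the first answer, done with the built-in BitLocker PowerShell module: it adds a fresh recovery password to the OS drive, writes it only to a local file, removes the old recovery passwords (so any copy already uploaded to the account no longer unlocks the drive), and sets the documented PreventDeviceEncryption registry value so automatic device encryption does not run its own initial setup again. The output path and mount point are assumptions; run it elevated.

```powershell
# Added example: rotate the BitLocker recovery password locally and keep the new one off the cloud.
#Requires -RunAsAdministrator
Import-Module BitLocker

$MountPoint = 'C:'
$OutFile    = 'D:\bitlocker-recovery-C.txt'   # assumption: a removable or otherwise separate drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# 1. Record the existing recovery password protectors; if device encryption was enabled
#    automatically, these are the ones that were saved to the Microsoft account.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 2. Add a new recovery password. Adding a protector does not by itself send it anywhere;
#    backing it up to an account is a separate action (Settings app or
#    BackupToAAD-BitLockerKeyProtector), and neither is used here.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Where-Object { $_.KeyProtectorId -notin @($old.KeyProtectorId) }

# 3. Save the new password locally BEFORE removing the old ones, so the drive is never
#    left without a usable recovery protector.
"Drive: $MountPoint`nProtector ID: $($new.KeyProtectorId)`nRecovery password: $($new.RecoveryPassword)" |
    Set-Content -Path $OutFile -Encoding ASCII

# 4. Remove the old recovery passwords; copies of them stored online can no longer unlock the drive.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Keep automatic device encryption from re-running its initial setup (and its account backup).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
if (-not (Test-Path $regPath)) { New-Item -Path $regPath | Out-Null }
Set-ItemProperty -Path $regPath -Name 'PreventDeviceEncryption' -Value 1 -Type DWord

# 6. Verify: exactly one recovery password protector remains and it is the new one.
$check = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($check.Count -ne 1 -or $check[0].KeyProtectorId -ne $new.KeyProtectorId) {
    Write-Warning "Unexpected protector set on $MountPoint; inspect with: manage-bde -protectors -get $MountPoint"
}
```

After running it, delete the old recovery key from the Microsoft account page as well; the script only makes that copy useless, it cannot remove it from the account.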
