This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERW%3C/text%3E%3C/svg%3E)
How do you switch of bitlocker for microsoft entra registered devices? Every devices that gets registered to microsoft entra gets a bitlocker encryption key but we want to switch this off as we do not want to control this, is there an option to turn this off?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Robert Warner,
To turn off BitLocker encryption for devices registered in Microsoft Entra, you need to adjust your organization's device management policies in Entra ID or Microsoft Intune. By default, BitLocker encryption can be automatically triggered on devices managed through Azure AD or Microsoft Entra, particularly if Intune's security policies enforce it.
If you want to unmanage the devices altogether, you can use enrollment restrictions in Intune to prevent personal Windows devices from enrolling in Intune. Or you can disable the encryption from the device itself, as mentioned here.
Otherwise, there is an endpoint protection policy where you can set BitLocker to "Not configured" under Endpoint security > Disk encryption > Create Policy. But there is no option there to disable it entirely and users who select "Allow My Organization to Manage My Device” may still end up with devices that are registered with BitLocker keys in Intune.
The BitLocker process is an automated process in Windows and does not need any policy to get enabled. BitLocker will automatically encrypt the device and back up the recovery key in the following scenarios:
This is partly a security measure because if the device gets broken you need the BitLocker recovery key from Entra ID and if it's deleted from Entra ID, you will lose your data.
Go to Intune.microsoft.com and sign in with your admin credentials.
-In the left-hand menu, navigate to Devices.
-Under the Devices section, select Configuration profiles
-Check if there are any existing BitLocker policies applied to devices. These policies may be under a Windows Security or Endpoint Protection profile.
-If there is an existing policy, you can modify or delete it. If you don’t have a policy, you will need to create one.
-To disable BitLocker, you can either delete the existing BitLocker configuration profile or configure it to not require encryption.
-Select the policy and click on "Delete" to remove it from the enrolled devices.
Go to Endpoint security or Device compliance policies in Intune.
-Make sure that there are no compliance policies enforcing BitLocker or other encryption mechanisms. After making these changes, sync the affected devices so that the policy updates can be applied.
I hope this clarifies things.
This is not the problem it is just when a user leave the company and you remove there device from entra or disable the device from your tenant it doesn't remove the bitlocker key from there device. So once the user leaves it should remove the key once you remove them from your tenant. As in 2 years time if the user gets locked out and needs that key they will have no way of retrieving it. Why doesn't it remove the key when they are no longer associated with your tenant?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.000000000000004%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
Hi Robert Warner, I would like to understand why it is not possible to share the recovery key with the offboarded user who is leaving with the device?
Hi Robert Warner,
There should never be a reason to decrypt an active device. Hence there is no direct way to do this as this isn't a standard or generally necessary practice. Using a PowerShell script is the only way to do this if this is ever truly necessary.
If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.