Automatic deletion of BitLocker recovery keys from Azure AD

BitLocker recovery keys will be automatically deleted from device objects in Azure AD when they are deleted locally on the device. This keeps Azure AD device objects from accumulating stale recovery keys.

Prerequisites:

  1. The device is joined to a work account (so that it can receive email and access company resources).
  2. BitLocker is enabled.
  3. Windows edition is Pro/Enterprise.

Steps:

  1. Ensure your device is joined to a work account.
  2. Ensure BitLocker is enabled.
  3. Create an additional recovery password from an elevated command prompt and note down the ID it prints:

     manage-bde -protectors -add -rp <driveLetter>

  4. Back up the key you just created to AAD by typing the following command from an elevated command prompt:

     manage-bde -protectors -aadbackup <driveLetter> -id <id>

     in my case,

     manage-bde -protectors -aadbackup C: -id "{D63EB06E-BB0C-4993-BE73-F2FE83BE740F}"

  5. Go to your device page in the Azure Access Panel profile, select Get BitLocker keys, and check that a key matching the ID you backed up in step 4 is listed.

  6. Delete the key you created locally by typing the following command from an elevated command prompt (use the ID created in step 3):

     manage-bde -protectors -delete <driveLetter> -id <id>

     In my case,

     manage-bde -protectors -delete C: -id "{D63EB06E-BB0C-4993-BE73-F2FE83BE740F}"

  7. The key should be deleted from Azure AD after a while (at least 3 hours). Go to the device's page in the Azure portal and confirm the key is no longer shown.
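The same procedure (steps 3 through 7) as one script, written here as an added example that is not part of the original post. It uses the cmdlets of the in-box BitLocker PowerShell module in place of the manage-bde commands above, and assumes an elevated session on an Azure AD joined device with BitLocker enabled on C: (adjust $MountPoint for another volume).

```powershell
# Added example (not from the original post): steps 3-7 with the BitLocker
# PowerShell module instead of manage-bde. Assumes an elevated session on an
# Azure AD joined Pro/Enterprise device with BitLocker enabled on $MountPoint.
$MountPoint = 'C:'

function Get-RecoveryPasswordIds {
    # Returns the {GUID} IDs of every recovery-password protector on the volume.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId }
}

# Step 3: add a fresh recovery password. The new ID is found by diffing the
# protector list before and after, which avoids parsing console output.
$before = @(Get-RecoveryPasswordIds)
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$newId = @(Get-RecoveryPasswordIds) | Where-Object { $before -notcontains $_ } | Select-Object -First 1
if (-not $newId) { throw "No new recovery password protector was created on $MountPoint" }
Write-Host "Created recovery password protector $newId"

# Step 4: escrow that protector to Azure AD (equivalent of manage-bde -aadbackup).
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId

# Step 5: manual check in the portal before anything is removed locally.
Read-Host "Confirm $newId is listed under 'Get BitLocker keys' for this device, then press Enter"

# Step 6: remove the protector locally. Guard: never delete the last recovery
# password, or the volume may become unrecoverable if other protectors fail.
if (@(Get-RecoveryPasswordIds).Count -lt 2) {
    throw "Refusing to delete $newId: it is the only recovery password on $MountPoint"
}
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null
Write-Host "Deleted $newId locally at $(Get-Date -Format o)"

# Step 7: the cloud copy is purged asynchronously (the post says at least 3 hours).
Write-Host "Re-check the device page in the Azure portal after 3+ hours; $newId should be gone."
```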