Automatic Bitlocker on Windows 10 during Azure AD Join


There are a lot of myths on how to automatically trigger Bitlocker on an Azure AD Joined Windows 10 device, let’s hope this post will get you some answers.


Windows 10 will automatically encrypt the local drive when joining an InstantGo capable device to Azure Active Directory (AAD). An AAD Join can be done either during the “Out Of Box Experience” (OOBE) or, after Windows is installed, from the “About” screen, which offers the option to Azure AD Join the device.

As an admin you can configure Azure AD in such a way that the device is automatically registered in your Mobile Device Management solution.

Important note: You cannot use Microsoft Intune (or any other MDM) to specify a policy and force Bitlocker on a Windows 10 PC. This is done automatically during an Azure AD Join.

What does “InstantGo capable device” mean?

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like a mobile phone: almost switched off, but still able to receive text messages and e-mails and to switch to a different power state when a phone call comes in.

A growing list of devices support InstantGo; you can check manually whether your device supports this power state as follows:

  • Open a command prompt
  • Type “powercfg /a”

Devices that have InstantGo support will return “Network Connected”:

[Screenshot: powercfg /a output on an InstantGo capable device]

If your device does not support InstantGo (and therefore gets no automatic Bitlocker during Azure AD Join) you will get something similar to this:

[Screenshot: powercfg /a output on a device without InstantGo]

Keep in mind that this also applies to virtual machines: automatic Bitlocker during Azure AD Join requires physical, InstantGo capable devices.

Where do I find the recovery key?

Users can retrieve their recovery key by going to http://myapps.microsoft.com, selecting Devices and then selecting the device for which they would like to get the recovery key:

[Screenshot: myapps.microsoft.com Devices view]

As an Azure tenant admin you can find the recovery keys for your users by going to https://manage.windowsazure.com, browsing to your Active Directory, going to the Users tab and selecting the user who enrolled the device. Browse to Devices and change the dropdown list to view Devices.

[Screenshot: Azure management portal, user’s Devices tab]

Find the device for which you would like to have the recovery key and hit Details.

[Screenshot: device Details pane showing the recovery key]

“I have InstantGo capable devices but Bitlocker is not enabled automatically during an Azure AD Join”

If you are sure your device is InstantGo capable (e.g. Surface Pro 3 or Surface Pro 4), it could be that the image you are using has automatic Bitlocker during AAD Join disabled – this is controlled by a registry setting.

Update October 2016: The Surface recovery image has been updated to fix this issue.

Recently we have seen this issue with the Surface Pro 4 recovery images. Until the recovery images are updated you can work around this by either:

  • Use a vanilla Windows 10 (1511) ISO or media, install Windows 10 and perform the AAD Join. Either inject the Surface Pro drivers into the image in advance or install the drivers manually afterwards.

OR

  • During the Out Of Box Experience (OOBE) hit SHIFT-F10 on your keyboard; this brings up a command prompt. Fire up REGEDIT and browse to

HKLM\System\CurrentControlSet\Control\Bitlocker\

Make sure that “PreventDeviceEncryption” is set to “0”:

[Screenshot: REGEDIT showing PreventDeviceEncryption = 0]
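The two checks above (the powercfg /a look-up for “Network Connected” and the PreventDeviceEncryption value) are easy to script so that a helpdesk can tell in one go why a device did not encrypt during the join. The following is an added example and not code from the original post; it assumes an elevated PowerShell session on Windows 10 with the BitLocker and TrustedPlatformModule modules that ship with Windows (Get-BitLockerVolume, Get-Tpm), English powercfg output, and the function names are my own. It also reports the TPM state and the existing key protectors on the OS volume, since device encryption needs a ready TPM and a volume without a RecoveryPassword protector has no 48-digit key the portal could ever show.

```powershell
# Added example (not code from the original post). Assumes an elevated
# PowerShell 5.x session on Windows 10; Get-BitLockerVolume and Get-Tpm come
# from the BitLocker and TrustedPlatformModule modules that ship with Windows.
# Function names are my own choice.

function Test-InstantGoSupport {
    # powercfg /a prints the sleep states the platform supports. The post's
    # check: an InstantGo (Connected Standby) capable device lists
    # "Network Connected" among the available states. Assumes English output.
    $text = (& powercfg.exe /a 2>&1) -join "`n"
    # Look only at the "available" section; the "not available" list that
    # follows it can mention the same state as unsupported.
    $available = ($text -split 'not available')[0]
    return [bool]($available -match 'Network Connected')
}

function Test-DeviceEncryptionAllowed {
    # The post's second cause: an image may ship PreventDeviceEncryption=1
    # under this key, which blocks automatic encryption during the join.
    # An absent value means nothing blocks it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $item = Get-ItemProperty -Path $key -Name PreventDeviceEncryption -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ($item.PreventDeviceEncryption -eq 0)
}

function Set-DeviceEncryptionAllowed {
    # Applies the post's workaround: force the value to 0. This only helps
    # when run before the OOBE join (e.g. from the SHIFT-F10 prompt).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name PreventDeviceEncryption -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-OsVolumeBitLockerSummary {
    # Shows whether the OS volume is already protected and which protector
    # types exist. TPM-only (no RecoveryPassword protector) means there is
    # no numerical recovery key to back up anywhere.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus.ToString()
        ProtectionStatus    = $vol.ProtectionStatus.ToString()
        ProtectorTypes      = $types
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Invoke-AutoBitLockerPrerequisiteAudit {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix applies the registry workaround when needed

    $tpm     = Get-Tpm
    $allowed = Test-DeviceEncryptionAllowed
    if (-not $allowed -and $Fix) {
        Set-DeviceEncryptionAllowed
        $allowed = Test-DeviceEncryptionAllowed
    }
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        InstantGoCapable        = Test-InstantGoSupport
        TpmPresentAndReady      = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        DeviceEncryptionAllowed = $allowed
        OsVolume                = Get-OsVolumeBitLockerSummary
    }
}

# Usage: dot-source this file, then run the audit; add -Fix to apply the
# registry workaround. The three boolean fields must all be True for the
# join to encrypt the drive automatically.
# . .\Audit-AutoBitLocker.ps1
# Invoke-AutoBitLockerPrerequisiteAudit | Format-List
```

Running the audit on a virtual machine will show InstantGoCapable as False, which matches the post’s note that VMs never get automatic Bitlocker during the join; on a physical Surface that still shows False, the powercfg output itself is the place to look next.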

If you liked this post – please consider leaving a reply.


Comments (21)

  1. Jari Kukkonen says:

    Nice post, thank you very much.

  2. It is a very cool post – do you know if it will change in the future that is only devices with InstantGo support that are bitlocker encrypted??

  3. So devices that don’t support InstantGo, can you still manually encrypt? I haven’t gone through it (yet) but there is an option to manually enable bitlocker and get an option to backup key to the Cloud. If so, is there a way to run a script to encrypt after the AAD join?

  4. Per Larsen: I can’t disclose anything on that unfortunately.
    William: Yes, you can still manually enable Bitlocker and save the recovery key to AAD. I haven’t seen any script to do this and I’m not sure if it’s possible at all to automate this yourself. Intune executes MSI’s in the SYSTEM context so that adds another layer of complexity from an impersonation perspective.

  5. Thanks Pieter. I have some automation that comes down via Intune as System, reboots the machine and starts the true automation at the next logon of the user so getting it scripted for the user isn’t an issue. Hoping for a future update that allows for a scripted process.

  6. William: You could try to use manage-bde to start bitlocker and save the recovery to AAD. If you succeed – please report back and we can write a joint blog 😉

  7. Michael Salanson says:

    Pieter: I have done some work on this and was going to create the MSI package. The process was to create a batch file that would do the following: –

    Pre-Requisites: –
    Create a OneDrive account for the admins to control

    – MSI Container deployed through InTune
    – Run a VBScript to open up internet explorer and login to the OneDrive with the account that holds the share
    This is required to get the authentication setup for the OneDrive area
    – Run a Net Use command against the HTTPS link and map the OneDrive Business to a local drive
    – Run the Manage-bde to run Bitlocker and place the key onto the OneDrive Business drive that is mapped
    – Run Net /Delete to close the mapping
    – Run a VBScript to shutdown internet explorer
    – Run commands to remove the VB Script files from the device
    – Shutdown the script
    – MSI Container requests a forced reboot of the machine

    The whole process would save a BEX file to the One Drive that the admins could use to recover the machine.

    Problems faced were only to do with the inconsistency of the drive mapping. It would work sometimes, but it was too erratic. The rest of the script works fine.

    There are applications that will allow the mounting of the OneDrive Business to be more consistent, but they require licensing and installation.

    The process I was going to use was going to be limited to a test group and I do not recommend for a large workforce.

    I am not sure if that was what you were thinking of, but if it could just be a little more consistent in regards to the mapping of the drive that would have made it an alternative for non-S0 state devices.

    The batch file runs at user level.

  8. Very interesting Michael. I reckon you create the drive mapping in order to make manage-bde save the recovery key (since it needs to be on an external drive). Manage-bde doesn’t support backing up the recovery key to AAD (yet) so a creative solution is required in the interim.
    Just thinking off the top of my head: what about creating a local share and mapping a local drive (not sure if that fools bitlocker to save a recovery key to that location) or creating a ramdisk (e.g. using lmdisk) and backup the recovery key to that drive.
    Afterwards you use a standard GET/POST request to a server that contains the recovery key, e.g.
    https://webserver.contoso.com/storereckey.asp&key=12345&hostname=host. Then you can extract the key from the logfiles on the server side. I’m sure we can come up with something and help others.

    1. Jos Lieben says:

      hmm, I am seriously considering writing up a script wrapped in an MSI that enables bitlocker and then saves it to a secure sharepoint list or such….a simple workflow would suffice, and most who run into this lack of functionality in manage-bde or backup-bitlocker* will have Sharepoint Online…

    2. herman ohlsson says:

      Pieter Wigleven, any news regarding a workaround for backing up keys to Azure AD with script/feature/workaround?

      1. No news yet, I will share info asap.
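The thread above works around manage-bde needing a second drive to save the recovery key file. What follows is an added example, not code from the post or from any commenter: the BitLocker PowerShell cmdlets that ship with Windows 8 and later (Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume) return the recovery password as an object property, so it can be captured in memory and handed to whatever escrow location the organisation controls without a mapped drive or a ramdisk. It assumes an elevated session on Windows 10 with a ready TPM; the function names and the JSON file destination are my own, and Export-RecoveryEscrowRecord stands in for the OneDrive, SFTP or web-server back-ends the commenters mention.

```powershell
# Added example, not code from the post or its commenters. Assumes an elevated
# PowerShell session on Windows 10 (1511 or later, for XtsAes128) with a ready
# TPM and the BitLocker module. Function names are my own.

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint = $env:SystemDrive)
    # The cmdlets expose the 48-digit numerical password directly, so no key
    # file has to be written to a second drive as with manage-bde.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
}

function Enable-OsVolumeBitLockerWithRecovery {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker (recovery password + TPM)')) {
            # Create the RecoveryPassword protector and start encrypting.
            # -UsedSpaceOnly keeps this quick on a freshly installed machine.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
                -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
            # TPM protector so the device boots without a prompt. Add it before
            # the next reboot, otherwise the recovery password is asked for.
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        }
    }
    elseif (-not (Get-RecoveryPasswordProtector $MountPoint)) {
        # Already encrypted with TPM only (the ConfigMgr scenario described
        # later in this thread): just add the missing recovery password.
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Add RecoveryPassword protector')) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
    }
    return Get-RecoveryPasswordProtector $MountPoint
}

function New-RecoveryEscrowRecord {
    param([Parameter(Mandatory = $true)]$Protector)
    # What a back-end needs to match a device at recovery time: the protector
    # ID (its first characters are shown on the recovery screen) and the key.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        KeyProtectorId   = $Protector.KeyProtectorId
        RecoveryPassword = $Protector.RecoveryPassword
        RecordedUtc      = (Get-Date).ToUniversalTime().ToString('o')
    }
}

function Export-RecoveryEscrowRecord {
    param([Parameter(Mandatory = $true)]$Record, [Parameter(Mandatory = $true)][string]$Destination)
    # Placeholder for the organisation's escrow: here a JSON file on a path
    # the admin controls (off the device, e.g. the mapped OneDrive from the
    # thread); swap in an HTTPS POST to your own endpoint if preferred.
    # Keep the password out of the console and out of any log that is
    # collected from the device.
    $Record | ConvertTo-Json | Set-Content -Path $Destination -Encoding UTF8
}

# Usage (elevated):
# $p = Enable-OsVolumeBitLockerWithRecovery -WhatIf          # dry run, returns nothing new
# $p = Enable-OsVolumeBitLockerWithRecovery
# Export-RecoveryEscrowRecord -Record (New-RecoveryEscrowRecord $p) `
#     -Destination ("X:\escrow\{0}.json" -f $env:COMPUTERNAME)   # X: is an assumed mapped drive
```

This does not change what the commenters established: neither manage-bde nor these cmdlets write the key to Azure AD, so the escrow step is still the organisation’s own, and the recovery password only ever exists in memory and at the destination the script is told to use.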

  9. Michael Salanson says:

    That is correct for the Manage-bde is that we have to have a drive mapped and it has to be an alternative drive from the drive being encrypted.

    The reason behind the OneDrive Business is that we wanted to keep to the nature of InTune by allowing the registration and activation of the machine to be done off-prem.

    I like the idea about the ramdisk and using that to then upload the file to say an SFTP location.

    I have access to an SFTP service and I can check my script and see if I can modify it to move the file from the Ramdrive on the SFTP service.

    The only concern I have is that any script, service or application we have deployed from the MSI container needs to be removed, stopped and cleared so that we maintain security on the device.

    I like the idea of capturing the content and look at placing this into the AD if possible. There will be some steps between the file and the AD.

    I am not very clued up on that part of the process. I am interested in looking into this. I would have to place this into a private project as workload has now pulled me into another direction.

  10. JCC1225 says:

    In testing we have done …. manually running Bitlocker from the control panel will allow a non-InstantGo device to store the recovery key to Azure AD.

    It would certainly be nice if Microsoft provided a flag to manage-bde or to the bitlocker powershell cmdlet to store the key to Azure AD so this can be automated.

  11. Thank You very much definitely a very helpful tutorial. God Bless..

  12. Kapil Chopra says:

    Is there a way to export bitlocker recovery key for Azure AD joined clients via powershell? Do we have any module available?

  13. H. van Drie - KPN says:

    Hi Pieter,

    We’ve met before, and I was wondering about a scenario which we now encounter where you might be able to help provide an answer…

    We’ve decided to utilize ConfigMgr to automate and speed up deployment (BIOS updates, drivers, driver software, basic apps) for systems which will be AzureAD joined and automatically enrolled into Intune. Process is quite simple and straightforward: deploy system as regularly using ConfigMgr, including Bitlocker w/ TPM keyprotector enabled, however without Numerical Password keyprotector enabled. As last steps in deployment we schedule ConfigMgr Client for removal on next reboot and run sysprep /oobe asynchronously using some Powershell scripting to overcome the OSDSetuphook from overwriting Sysprep CmdLine information for next pre-Logon OOBE setup which is scheduled to run on next system restart.

    This works fine, it helps us speed up the otherwise manual process tremendously and allows users to immediately execute AzureAD Join on their systems, with full drive/software support, through the OOBE process.

    However, what happens – even on InstantGo Capable systems – is that during the AzureAD join apparently no Bitlocker Numerical Password keyprotector is created, and subsequently also nothing is backed up into AzureAD.

    Still need to test whether manually enforcing a Numerical Password, or Recovery Password (RP), keyprotector creation after Bitlocker is enabled with TPM keyprotector will backup the RP keyprotector into AzureAD during the join…

    You have any thoughts on this scenario? Is it possible to have AzureAD join process evaluate Bitlocker and only save RP keyprotector when TPM and RP keyprotector are already present?

  14. Jakob says:

    It would be really nice if we can store the encryption key with powershell or manage-bde in AzureAD so we can easily automate it…

  15. Trent Boorman says:

    Any details about how to Encrypt a Boot Camp partition on a 2015 Macbook Pro Retina would be greatly appreciated

  16. Hi. I have been looking into this with the latest Windows 10 build and a reset Surface Pro 4, it seems there now is a new key available here: “PreventDeviceEncryptionForAzureADJoinedDevices”, which is set to “0” by default. Maybe this is the fix for this and updated Windows 10 Anniversary Surface Pro 4 devices will actually auto enable Bitlocker now.

  17. Fabien Delhaye says:

    Thanks a lot for your post, especially for the last part about recovery images, you spared me a lot of time!

  18. herman ohlsson says:

    Is there ANY way to automate storing Bitlocker keys to Azure AD on a Windows 10 device, after adding it to AZURE AD (native)?
    Any script, registry etc. that can make this easier than letting the end users encrypt the device and, when asked to store keys, choose Azure AD?