Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11


As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here:

Preliminary details

To keep it short and sweet for now, this post assumes you know a little something on the SetupConfig.ini file as well as the custom action script SetupComplete.cmd.

If not, there are some reading to do in the links down below. I will elaborate greatly on these topics in a near future, covering my entire Windows 11 WaaS process, but for now you’re better off knowing something already.


I’ve extended the script (FU-Script.ps1) I created back in January, with the ability to escrow recovery keys to Azure AD.


The script still creates the SetupConfig.ini file, as well as any of the custom actions scripts used: SetupComplete.cmd as well as PostRollBack.cmd (in this scenario, only SetupComplete.cmd/.ps1 is used).

The script is located here on my GitHub repository: Windows-11/FU-Script3.0.ps1 at main · imabdk/Windows-11 (

  • NOTE: I bumped the version to 3.0, but in a separate file to keep the history of my previous posts.

The script still does all the things that the previous posts described, so I’m not covering those in details again. Read these for complete details:


SetupComplete.ps1 now has a $bitLockerRecoveryKeystoAAD option.

  • Configure $bitLockerRecoveryKeystoAAD to $false if you don’t want to escrow BitLocker recovery keys to Azure AD
  • Configure $bitLockerRecoveryKeystoAAD to $true if you do want to escrow BitLocker recovery keys to Azure AD

The actual code for escrowing the BitLocker recovery keys to AAD is pretty simple. See below snippet.

  • NOTE: If you have more than one drive encrypted with BitLocker, you will have to edit the script to accommodate that. The script currently only looks for BitLocker on the systemdrive.

Once SetupComplete.cmd/.ps1 has run successfully, I’m tattooing the status into registry for inventory purposes with ConfigMgr (more on that in an upcoming post).


Now, once upgraded to Windows 11 and the Setupcomplete.cmd/.ps1 has run successfully, you will find the BitLocker Recovery Key in Azure AD.

Below snippet is from browsing -> Azure Active Directory -> Devices -> BitLocker keys (preview)

It’s also possible to browse the BitLocker recovery keys using Microsoft Endpoint Manager.

Below snippets are from browsing -> Devices -> <Device in question> – Recovery keys

Finally, it’s also possible for the regular users, to browse to find the BitLocker Recovery keys themselves. See below snippet:

  • NOTE: This particular ressource (My Profile) can and should be protected by Conditional Access, requiring MFA or similar to grant access.


1 thought on “Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.