# PowerShell: Enable BitLocker and Backup Recovery Key to Microsoft Entra ID
A production-ready PowerShell script to enable BitLocker encryption on a Windows 11 device and automatically back up the recovery key to Microsoft Entra ID (formerly Azure AD).
Updated March 29, 2026
## Overview
This script enables BitLocker on the OS drive using the TPM protector, adds a recovery password, and backs up the recovery key to Microsoft Entra ID (formerly Azure AD) — all in one step. It is designed to be deployed via Intune, SCCM, or run manually on individual machines.
## Prerequisites
- Windows 11 Pro, Enterprise, or Education
- TPM 2.0 chip present and enabled
- Device joined to Microsoft Entra ID (or hybrid joined)
- PowerShell 5.1 or later (PowerShell 7.6 LTS recommended) running as Administrator
## The Script
```powershell
<#
.SYNOPSIS
    Enable BitLocker and back up the recovery key to Microsoft Entra ID.
.DESCRIPTION
    Checks for TPM, enables BitLocker with XTS-AES-256 encryption,
    adds a recovery password protector, and backs up to Microsoft Entra ID.
    Safe to run on devices that are already encrypted — it will
    only back up the existing key.
.PARAMETER MountPoint
    The drive to encrypt. Defaults to C:
#>
param(
    [string]$MountPoint = "C:"
)

# Require admin
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "This script must be run as Administrator."
    exit 1
}

# Check for TPM
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if (-not $tpm.TpmPresent) {
    Write-Error "No TPM detected. BitLocker requires a TPM 2.0 chip."
    exit 1
}
if (-not $tpm.TpmReady) {
    Write-Warning "TPM is present but not ready. Attempting to initialize..."
    Initialize-Tpm -ErrorAction Stop
}

# Check current BitLocker status
$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($volume.VolumeStatus -eq "FullyEncrypted") {
    Write-Host "Drive $MountPoint is already encrypted." -ForegroundColor Green
    # Ensure a recovery password protector exists. Take the first one if several exist:
    # BackupToAAD-BitLockerKeyProtector accepts a single KeyProtectorId, not an array.
    $recoveryProtector = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $recoveryProtector) {
        Write-Host "Adding recovery password protector..."
        $result = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recoveryProtector = $result.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    }
} elseif ($volume.VolumeStatus -eq "EncryptionInProgress") {
    Write-Host "Encryption is already in progress. Continuing with the key backup..."
    $recoveryProtector = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $recoveryProtector) {
        # A protector can be added while encryption is still running; without one the backup below cannot proceed
        Write-Host "Adding recovery password protector..."
        $result = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recoveryProtector = $result.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    }
} else {
    Write-Host "Enabling BitLocker on $MountPoint..."
    # Enable BitLocker with TPM protector
    Enable-BitLocker -MountPoint $MountPoint `
        -EncryptionMethod XtsAes256 `
        -TpmProtector `
        -SkipHardwareTest `
        -ErrorAction Stop
    # Add recovery password protector
    $result = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recoveryProtector = $result.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Write-Host "BitLocker enabled. Encryption is now in progress." -ForegroundColor Green
}

# Back up recovery key to Microsoft Entra ID (cmdlet retains AAD name for backward compatibility)
if ($recoveryProtector) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recoveryProtector.KeyProtectorId -ErrorAction Stop
        Write-Host "Recovery key backed up to Microsoft Entra ID successfully." -ForegroundColor Green
        Write-Host "Key ID: $($recoveryProtector.KeyProtectorId)" -ForegroundColor Cyan
    } catch {
        Write-Warning "Failed to back up to Microsoft Entra ID: $_"
        # Fallback so the key is not lost. When deployed via Intune this warning lands in the
        # device's Intune Management Extension log, so plan to collect it from there.
        Write-Warning "Recovery password (SAVE THIS): $($recoveryProtector.RecoveryPassword)"
    }
} else {
    Write-Error "No recovery password protector found. Cannot back up."
    exit 1
}

# Display final status
$finalVolume = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "`n--- BitLocker Status ---" -ForegroundColor Cyan
Write-Host "Volume: $MountPoint"
Write-Host "Status: $($finalVolume.VolumeStatus)"
Write-Host "Encryption: $($finalVolume.EncryptionMethod)"
Write-Host "Protectors: $($finalVolume.KeyProtector.Count)"
Write-Host "Key ID: $($recoveryProtector.KeyProtectorId)"
```
## Usage

### Run manually on a single device

```powershell
.\Enable-BitLockerAzureAD.ps1
```
### Deploy via Intune as a PowerShell script

- Go to intune.microsoft.com > Devices > Scripts and remediations > Platform scripts
- Click Add > Windows 10 and later
- Upload the script
- Configure:
  - Run this script using the logged-on credentials: No (runs as SYSTEM)
  - Enforce script signature check: No (or sign the script)
  - Run script in 64-bit PowerShell: Yes
- Assign to a device group

### Deploy via SCCM / MECM

Create a Package or Task Sequence step that runs:

```powershell
powershell.exe -ExecutionPolicy Bypass -File .\Enable-BitLockerAzureAD.ps1
```
## How It Works
- Checks for TPM — exits if no TPM 2.0 is present
- Checks if already encrypted — if yes, only ensures a recovery protector exists
- Enables BitLocker — uses XTS-AES-256 (the strongest available encryption method)
- Adds recovery password — the 48-digit key that can unlock the drive if the TPM fails
- Backs up to Microsoft Entra ID — stores the recovery key in Microsoft Entra ID against the device object
- Reports final status — displays the encryption state and key ID
## Warning
The -SkipHardwareTest flag starts encryption immediately without a reboot test. This is intentional for automated deployments. For manual single-device runs, you can remove this flag to test the TPM before encrypting.
## Verifying the Backup

### From the Microsoft Entra Admin Center
- Go to entra.microsoft.com > Devices > search for the device
- Click BitLocker keys
- Confirm the Key ID matches the script output
### From PowerShell

```powershell
# Requires Microsoft Graph module
Connect-MgGraph -Scopes "BitLockerKey.Read.All"
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq 'DEVICE-ID'"
```
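The Graph query above shows only the cloud side. The following is an added example, not the article's script: it checks on the device that the state described under How It Works actually holds (fully encrypted, XTS-AES-256, TPM plus recovery password protectors, protection not suspended) and then confirms that each local recovery protector ID has a matching key in Microsoft Entra ID. It assumes the Microsoft.Graph module is installed, the signed-in account holds BitLockerKey.ReadBasic.All, and that the Graph key `id` equals the local KeyProtectorId GUID (braces stripped).

```powershell
# Verify-BitLockerBackup.ps1 -- added example, not part of the article's script.
# Checks one volume against the state the deployment script is meant to produce, then
# confirms that every local recovery-password protector has a matching key in Entra ID.
# Assumptions: run as Administrator on the device, Microsoft.Graph module installed,
# the signed-in account holds BitLockerKey.ReadBasic.All (key metadata only; this never
# reads the 48-digit password), and the Graph key 'id' equals the local KeyProtectorId GUID.
param([string]$MountPoint = "C:")

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$findings = [System.Collections.Generic.List[string]]::new()

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("VolumeStatus is $($vol.VolumeStatus), expected FullyEncrypted")
}
if ($vol.EncryptionMethod -ne 'XtsAes256') {
    $findings.Add("EncryptionMethod is $($vol.EncryptionMethod), expected XtsAes256")
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings.Add("ProtectionStatus is $($vol.ProtectionStatus); protectors may be suspended")
}
if ('Tpm' -notin $vol.KeyProtector.KeyProtectorType) {
    $findings.Add("No TPM protector on $MountPoint")
}
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    $findings.Add("No RecoveryPassword protector on $MountPoint")
}

# Device ID as registered in Entra, read from dsregcmd (the same tool the troubleshooting table uses)
$match = dsregcmd /status | Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]{36})'
if (-not $match) {
    $findings.Add("dsregcmd reports no DeviceId; device does not appear to be Entra joined")
} elseif ($recovery.Count -gt 0) {
    $deviceId = $match.Matches[0].Groups[1].Value
    Connect-MgGraph -Scopes 'BitLockerKey.ReadBasic.All' -NoWelcome
    $cloudIds = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$deviceId'" |
        ForEach-Object { $_.Id.ToLowerInvariant() })
    foreach ($rp in $recovery) {
        $localId = $rp.KeyProtectorId.Trim('{', '}').ToLowerInvariant()   # local IDs are {GUID}
        if ($localId -notin $cloudIds) {
            $findings.Add("Recovery key $($rp.KeyProtectorId) is not backed up for device $deviceId")
        }
    }
}

# Exit code follows the Intune detection-script convention: 0 = compliant, 1 = needs remediation
if ($findings.Count -eq 0) { Write-Output "Compliant: $MountPoint encrypted and key backed up"; exit 0 }
$findings | ForEach-Object { Write-Output "Finding: $_" }
exit 1
```

Because it exits 1 with a list of findings, it can serve as the detection half of an Intune remediation, with the article's script as the remediation half.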
## Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| "No TPM detected" | TPM not enabled in BIOS | Enter BIOS, enable TPM / Intel PTT / AMD fTPM |
| "BitLocker could not be enabled" | Drive has no compatible partition | Run `bdehdcfg -target default` to prepare the drive |
| "BackupToAAD-BitLockerKeyProtector failed" | Device not Microsoft Entra ID joined | Run `dsregcmd /status` to check join status |
| "Access denied" | Script not running as admin | Run PowerShell as Administrator |