All Entra ID joined Windows devices with BitLocker should have automatic key escrow enabled, with periodic verification and access auditing.

Appendix: Useful PowerShell Commands
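
For the periodic verification recommended above, the following added example (not part of the original report) lists local recovery-password protectors that have no matching key escrowed in Entra ID. It assumes the Graph recovery key `id` equals the local KeyProtectorId; the function names and the sample GUIDs are constructed for illustration.

```powershell
# Added example, not from the original report: find recovery-password
# protectors on a device that have no matching escrowed key in Entra ID.
# Assumption: a Graph bitlockerRecoveryKey 'id' equals the local KeyProtectorId GUID.
function Get-UnescrowedProtector {
    param(
        [object[]] $LocalProtector = @(),  # MountPoint, KeyProtectorType, KeyProtectorId
        [object[]] $EscrowedKey = @()      # entries of the Graph recoveryKeys 'value' array
    )
    # Compare GUIDs without braces and case differences.
    $normalize = { param($g) ([string]$g).Trim('{', '}').ToLowerInvariant() }
    $escrowedIds = @($EscrowedKey | ForEach-Object { & $normalize $_.id })
    foreach ($p in $LocalProtector) {
        if ("$($p.KeyProtectorType)" -ne 'RecoveryPassword') { continue }
        if ($escrowedIds -notcontains (& $normalize $p.KeyProtectorId)) {
            [pscustomobject]@{ MountPoint = $p.MountPoint; KeyProtectorId = $p.KeyProtectorId }
        }
    }
}

function Get-LiveEscrowInput {
    # Needs an elevated session on the device and Connect-MgGraph with the
    # BitLockerKey.ReadBasic.All scope. $DeviceId is the Entra ID device ID.
    param([Parameter(Mandatory)] [string] $DeviceId)
    $local = Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector | Select-Object @{ n = 'MountPoint'; e = { $mp } }, KeyProtectorType, KeyProtectorId
    }
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$DeviceId'"
    $keys = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    @{ LocalProtector = @($local); EscrowedKey = @($keys) }
}

# Constructed sample data (GUIDs are made up) so the comparison runs offline.
$sampleLocal = @(
    [pscustomobject]@{ MountPoint = 'C:'; KeyProtectorType = 'Tpm'; KeyProtectorId = '{11111111-1111-1111-1111-111111111111}' }
    [pscustomobject]@{ MountPoint = 'C:'; KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{22222222-2222-2222-2222-22222222AAAA}' }
    [pscustomobject]@{ MountPoint = 'D:'; KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{33333333-3333-3333-3333-333333333333}' }
)
$sampleEscrowed = @(@{ id = '22222222-2222-2222-2222-22222222aaaa' })
Get-UnescrowedProtector -LocalProtector $sampleLocal -EscrowedKey $sampleEscrowed

# Live use: $in = Get-LiveEscrowInput -DeviceId '<entra-device-id>'; Get-UnescrowedProtector @in
```

Any row returned is a protector that should be escrowed again before the device is treated as recoverable.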
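    # Force upload of recovery key to Entra ID
    manage-bde -protectors -add C: -recoverypassword
    $protector = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $protector.KeyProtectorId

    # List the recovery keys escrowed for a device (replace device-id)
    Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq 'device-id'"

Report last updated: 2026-04-13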