
Commit 599f1d7

Update encrypt-devices.md
Added note about key protector removal when deleting an AAD object.
1 parent cda2ada commit 599f1d7

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

memdocs/intune/protect/encrypt-devices.md

@@ -177,6 +177,9 @@ IT admins need to have a specific permission within Azure Active Directory to be
177177

178178
All BitLocker recovery key accesses are audited. For more information on Audit Log entries, see [Azure portal audit logs](/azure/active-directory/devices/device-management-azure-portal#audit-logs).
179179

180+
> [!NOTE]
181+
> If you delete the Azure AD object for an Azure AD joined device protected by BitLocker, the next time that device syncs with Azure AD it will remove the key protectors for the operating system volume. Removing the key protector leaves BitLocker in a suspended state on that volume. This is necessary because BitLocker recovery information for Azure AD joined devices is attached to the Azure AD computer object and deleting it may leave you unable to recover from a BitLocker recovery event.
182+
180183
### View recovery keys for tenant-attached devices
181184

182185
When you’ve configured the tenant attach scenario, Microsoft Endpoint Manager can display recovery key data for tenant attached devices.
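Review bot: The added NOTE at line 181 states the consequence (BitLocker ends up suspended on the OS volume) but not the recovery action, and its causal sentence is hard to follow; in the new "> [!NOTE]" block, "it will remove the key protectors" leaves "it" ambiguous (the device or Azure AD), and "This is necessary because ... deleting it may leave you unable to recover" reads as if the deletion were necessary rather than the suspension. Suggest rewording along the lines of "the device removes the key protectors for the operating system volume, which leaves BitLocker suspended on that volume. BitLocker is suspended as a safeguard: recovery information for Azure AD joined devices is stored on the Azure AD computer object, so once that object is deleted a recovery event could leave the volume unrecoverable." Since the suspended state is the security-relevant outcome, the note should also tell admins what restores protection (for example, that the device needs to be re-registered and BitLocker resumed so a new recovery key can be escrowed, if that is the supported path) rather than stopping at "suspended state"; the rest of this section already points readers to where recovery keys are audited and viewed, so a one-sentence pointer to the recovery or re-enrollment steps would fit here.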
