Moving to hybrid join Intune and have BitLocker enabled through GPO on prem: can Intune manage those keys?

Michael Steszewski 20 Reputation points
2024-07-25T03:13:30.4766667+00:00

We have on-prem AD with BitLocker enabled on devices through GPO. We are enrolling devices in Intune and want to manage devices and pre-existing BitLocker keys via Intune. Does the GPO have to be turned off and the Endpoint Security policy for encryption enabled? Will devices need to be decrypted first? Can we rotate keys on existing BitLocker devices?

Microsoft Security | Intune | Other

Answer accepted by question author
  1. Crystal-MSFT 54,206 Reputation points Microsoft External Staff
    2024-07-25T06:06:23.1366667+00:00

    @Michael Steszewski, Thanks for posting in Q&A. Besides what Rahul said, you can also migrate existing device recovery keys escrowed in AD to Microsoft Entra using the script in the following link:

    https://www.rockenroll.tech/2021/04/05/move-bitlocker-management-to-microsoft-endpoint-manager-part-2/

    https://msendpointmgr.com/2021/01/12/migrate-bitlocker-to-azure-ad/

    Note: Non-Microsoft link, just for the reference.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Rahul Jindal 11,601 Reputation points
    2024-07-25T04:36:40.2866667+00:00

    After the devices have been enrolled in Intune, you can start managing the BitLocker policies using Intune and turn off the GPO. As long as the encryption methods match, there will be no issues from a compliance perspective. Already encrypted drives will not be affected in any way and the recovery keys will automatically escrow in Entra ID.

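The two answers above describe the migration step (keep the drives encrypted, hand policy to Intune, and get the existing recovery passwords escrowed in Entra ID). The script below is an added illustration of that escrow step; it is not from this thread, and it is not the script behind either of the linked blog posts. It assumes a Windows 10/11 device that is already hybrid Entra joined (dsregcmd /status shows AzureAdJoined : YES), an elevated PowerShell session, and the built-in BitLocker module. It uses the documented BackupToAAD-BitLockerKeyProtector cmdlet, which uploads the recovery password for one key protector to the device object in Entra ID; the password text itself is never displayed or written to the console.

```powershell
# Added example, not from the thread or the linked scripts.
# Escrow existing BitLocker recovery passwords to Microsoft Entra ID.
# Assumes: elevated session, hybrid-joined device, BitLocker module present.

#Requires -RunAsAdministrator
Import-Module BitLocker

$results = foreach ($volume in Get-BitLockerVolume) {

    # Nothing to escrow on an unencrypted drive.
    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        [pscustomobject]@{ MountPoint = $volume.MountPoint; KeyProtectorId = ''; Result = 'Skipped (not encrypted)' }
        continue
    }

    # Only the numerical recovery password is what the portal stores and what
    # helpdesk can hand out, so that is the protector type we back up.
    $recoveryProtectors = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # A TPM-only volume with no recovery password cannot be recovered from
    # Entra at all; add one first, then back it up.
    if (-not $recoveryProtectors) {
        Add-BitLockerKeyProtector -MountPoint $volume.MountPoint -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $volume.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($protector in $recoveryProtectors) {
        try {
            # Uploads the protector identified by KeyProtectorId to the device's
            # Entra ID object. Only the ID is echoed back, never the password.
            BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ MountPoint = $volume.MountPoint; KeyProtectorId = $protector.KeyProtectorId; Result = 'Escrowed to Entra ID' }
        }
        catch {
            # A failure here usually means the device is not (yet) hybrid joined
            # or has no line of sight to Entra; report it rather than stop.
            [pscustomobject]@{ MountPoint = $volume.MountPoint; KeyProtectorId = $protector.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Summary table: one row per recovery protector, no key material.
$results | Format-Table -AutoSize
```

Run it once per device (for example as an Intune PowerShell script or a scheduled task) before the GPO is retired, then confirm the recovery password shows up on the device's BitLocker keys blade in the Entra/Intune portal and that the BitLocker-API Management operational event log on the device records a successful backup. As Rahul notes, keep the encryption method in the Intune policy identical to the one the GPO enforced so the existing volumes stay compliant without being re-encrypted.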
