Automate Bitlocker Key rotation for multiple devices

Jason, O 21 Reputation points
2021-10-22T21:36:47.757+00:00

We have an environment that has used BitLocker to secure systems and has keys stored in on-prem locations (MEMCM or MBAM etc.). We want to move all management of keys to Intune. We have followed the steps to get a key to Intune via co-management and workloads along with a CSP (per MS documentation) and have had success with keys being updated into Intune. However, the final step of the MS documentation says to use key rotation in Intune. This works, but how would we automate this for thousands of devices en masse rather than one by one in the GUI of Endpoint Management?

Thanks!

Microsoft Intune Configuration

Accepted answer
  1. Jason Sandys 31,161 Reputation points Microsoft Employee
    2021-10-25T03:20:19.533+00:00

    Note that you do not have to rotate the key to have it saved to AAD. You can push out a simple PowerShell script to do this. You can find many examples of a script that does this but they all end up calling a single PowerShell cmdlet: https://learn.microsoft.com/en-us/powershell/module/bitlocker/backuptoaad-bitlockerkeyprotector?view=windowsserver2022-ps

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Crystal-MSFT 43,221 Reputation points Microsoft Vendor
    2021-10-25T01:50:52.053+00:00

    @OakesJason-8062, based on my research, we can enable key rotation via the Endpoint protection profile, then add an additional PIN to test it. Here is a link with the detailed steps for reference:
    https://msendpointmgr.com/2019/11/20/enable-bitlocker-key-rotation-for-intune-managed-devices/
    Note: Non-Microsoft link, just for the reference.

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Malinkin Dmitryi 0 Reputation points
    2024-04-10T08:39:23.8166667+00:00

    I would like to share my experience on this topic. We are running a co-managed environment and had around 700 computers that did not escrow the recovery key to Azure. I even analysed the logs of 'BitLocker-API\Management' and found that once a computer had successfully backed up the key to on-prem AD, it never tried to repeat the task to Azure. Here is the command to check if the key is stored in on-prem AD:

    # $DC_FQDN is a domain controller, $computer_DN the distinguishedName of the computer object
    Get-ADObject -Server $DC_FQDN -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computer_DN -Properties 'msFVE-RecoveryPassword'

    To address this issue (force recovery key backup to Azure), running the small PS code provided in this thread above is the solution. You can either run the code locally or set it up in the Scripts and Remedies section of Intune. The only thing I would point out is that it is better to add an 'if' clause to the code because the container with the recovery password can be located in different datasets. Here is a code example:

    $BLV = Get-BitLockerVolume -MountPoint "C:"
    # Back up whichever protector is the numeric recovery password: the TPM protector
    # is often at index 0, in which case the recovery password sits at index 1.
    if ($BLV.KeyProtector[0].KeyProtectorType -eq "RecoveryPassword") {
        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
    }
    else {
        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
    }

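The accepted answer says the whole job reduces to one cmdlet, BackupToAAD-BitLockerKeyProtector, pushed out as a script, and the last answer shows why indexing KeyProtector[0] or [1] is fragile. The script below is an added example written for this thread; it is not code from either answer or from Microsoft. It generalises the index-based version: it walks every protected volume, escrows every RecoveryPassword protector it finds (regardless of position in the array), and emits a compact JSON report plus an exit code, which is the shape an Intune platform script or remediation can consume. Assumptions: the BitLocker module is present, the device is Azure AD or hybrid joined, the script runs as SYSTEM, and the exit-code convention (0 = all escrowed, 1 = at least one failure) is a choice made here, not an Intune requirement. The optional event-log check uses event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log, which is the success event for an Azure AD backup as far as we know; treat the ID as an assumption to verify on your own build.

```powershell
# Added example, not from the thread. Escrow every BitLocker recovery password
# protector on every protected volume to Azure AD and report the result.
$ErrorActionPreference = 'Stop'
$results = @()

# Only volumes whose protection is actually on can have a key escrowed.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

foreach ($vol in $volumes) {
    # Filter by type instead of array index: a volume may carry TPM, TPM+PIN and
    # one or more RecoveryPassword protectors in any order.
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rpProtectors) {
        # No numeric recovery password exists, so there is nothing to back up.
        # Record it so the admin can add one with Add-BitLockerKeyProtector.
        $results += [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            ProtectorId = $null
            Status      = 'NoRecoveryPassword'
        }
        continue
    }

    foreach ($kp in $rpProtectors) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            $status = 'Escrowed'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        $results += [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            ProtectorId = $kp.KeyProtectorId
            Status      = $status
        }
    }
}

# Optional verification (assumed event ID): confirm the OS logged a successful
# Azure AD backup in the last 10 minutes, independent of the cmdlet's return value.
try {
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845
        StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction Stop
    $verified = ($recent | Measure-Object).Count -gt 0
}
catch {
    # Get-WinEvent throws when no matching events exist.
    $verified = $false
}

# Intune shows stdout in the per-device run report; keep the output compact.
[pscustomobject]@{
    Device        = $env:COMPUTERNAME
    EventVerified = $verified
    Results       = $results
} | ConvertTo-Json -Compress -Depth 3

# Non-zero exit marks the remediation as failed so the device surfaces in the report.
if ($results.Status -match '^Failed') { exit 1 } else { exit 0 }
```

Deployed once as an Intune platform script (or on a schedule as a remediation), this covers the thousands of devices the question asks about without touching the key rotation button: as the accepted answer notes, escrow does not require rotation, so the existing recovery password is what lands in Intune. The JSON output is what to look at when a device reports NoRecoveryPassword or Failed, since those are the machines that still have no usable key in the cloud.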