JasonO-1582 asked:

Automate Bitlocker Key rotation for multiple devices

We have an environment that has used BitLocker to secure systems and has keys stored in on-prem locations (MEMCM or MBAM etc.). We want to move all management of keys to Intune. We have followed the steps to get a key to Intune via co-management and workloads along with a CSP (per MS documentation) and have had success with keys being updated in Intune. However, the final step of the MS documentation says to use key rotation in Intune. This works, but how would we automate this for thousands of devices en masse rather than 1 by 1 in the GUI of Endpoint Management?

Thanks!


Jason-MSFT answered:

Note that you do not have to rotate the key to have it saved to AAD. You can push out a simple PowerShell script to do this. You can find many examples of a script that does this but they all end up calling a single PowerShell cmdlet: https://docs.microsoft.com/en-us/powershell/module/bitlocker/backuptoaad-bitlockerkeyprotector?view=windowsserver2022-ps


Does this also apply if we want to have Intune take over all management of BitLocker and retire all on-prem management?


Not totally following the question here. When you "move" management of BitLocker that involves two things:

  1. Where the policies are coming from.

  2. Where the recovery passwords are stored.

It sounds like you've set up the policies in Intune and now you just need to have the passwords saved to AAD. This doesn't happen automatically unless the password is set or reset (this is just how Windows was designed). Thus, you can "force" the clients to save their recovery passwords to AAD in one of two ways:

  1. Use a script to tell the client to do so

  2. Use Intune to force a key rotation.

Both methods have some small pros and cons, but I generally recommend using the script as there's generally no reason to rotate a key unless it has been exposed.

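The script-based approach Jason-MSFT describes, as an added example that is not from this thread: it enumerates protected volumes and calls BackupToAAD-BitLockerKeyProtector for each existing RecoveryPassword protector, so the password is escrowed to AAD without rotating it. It assumes the device is Azure AD joined or hybrid joined and that the script is deployed through Intune running as SYSTEM; the dsregcmd check is an assumed guard added here, not part of the cmdlet.

```powershell
# Added example (not from the thread): escrow every BitLocker RecoveryPassword
# protector to Azure AD with BackupToAAD-BitLockerKeyProtector.
# Assumptions: deployed as an Intune PowerShell script (SYSTEM, 64-bit host),
# device is Azure AD joined or hybrid joined (required by the cmdlet).

$ErrorActionPreference = 'Stop'
$failures = 0

# Best-effort guard: the cmdlet cannot succeed without an AAD device identity.
$dsreg = & dsregcmd.exe /status 2>$null
if (-not ($dsreg -match 'AzureAdJoined\s*:\s*YES')) {
    Write-Output 'Device is not Azure AD joined; BackupToAAD would fail.'
    exit 1
}

# Only volumes with protection on have recovery passwords worth escrowing.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

foreach ($vol in $volumes) {
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # Nothing to escrow: a RecoveryPassword protector must already exist.
        Write-Output "$($vol.MountPoint): no RecoveryPassword protector, skipping"
        continue
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # The single cmdlet the answer refers to; escrows without rotating.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "$($vol.MountPoint): backed up protector $($kp.KeyProtectorId)"
        }
        catch {
            $failures++
            Write-Output "$($vol.MountPoint): backup failed - $($_.Exception.Message)"
        }
    }
}

# A non-zero exit code shows up as a failed script run in the Intune console,
# which is how you find the devices whose keys did not reach AAD.
exit $failures
```

After the script has run, confirm the recovery key appears on the device object in the Intune or Azure AD portal before retiring the on-prem store.
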
Crystal-MSFT answered:

@OakesJason-8062, based on my research, we can enable key rotation via an Endpoint protection profile, then add an additional PIN to test it. Here is a link with the detailed steps for reference:
https://msendpointmgr.com/2019/11/20/enable-bitlocker-key-rotation-for-intune-managed-devices/
Note: non-Microsoft link, provided for reference only.

Hope it can help.


@Crystal-MSFT We have pretty much done this; we just need to rotate the key en masse for all systems. We want Intune to take over all BitLocker management. This is what prompted the question. We were wondering if there was a way to rotate the key for all of the targeted systems and leave the authority for management with Intune.