
Migrate Bitlocker to Azure AD

How can you migrate Bitlocker to Azure AD without needing to re-encrypt or add new recovery keys to your managed devices? This article will illustrate one way to escrow (back up) the existing recovery key, using nothing but a Microsoft Endpoint Manager Intune PowerShell script.

The death of MBAM and AD Escrowed credentials

The Microsoft Bitlocker Administration and Monitoring tools have gone out of mainstream support, and any cloud-first, forward-thinking company will likely be looking to escrow the existing and future recovery keys for BitLocker to Azure AD / Microsoft Endpoint Manager Intune. Others might just be storing them in on-prem AD instead, but that is not what I would suggest you do, as this limits your insights substantially when MBAM is removed.

If you have a solid hybrid cloud strategy, Microsoft Endpoint Manager Configuration Manager is a great choice for Bitlocker management. And if that is your scenario, I suggest you read this series:
Goodbye MBAM – BitLocker Management in Configuration Manager

NB: MBAM features have all been ported to MEM CM and are fully supported going forward.

Configuring Intune to enforce and escrow Bitlocker to Azure AD

This part is well documented by Microsoft on the docs page: Encrypt Windows 10 devices with BitLocker in Intune – Microsoft Intune | Microsoft Docs.

However, you should be aware that you can actually deploy your Intune managed Bitlocker policy on top of your existing GPO policy, as long as you have not configured the MDMWinsOverGP CSP. This way, you ensure that all keys are escrowed into Azure AD before dismantling your MBAM solution, and you also get the benefit of having all new devices adhere to the Intune policy, as long as you remember to exclude them from the MBAM Bitlocker GPO.

The script that will help you migrate Bitlocker to Azure AD

Now, a policy alone will not migrate existing device recovery keys escrowed in MBAM or AD to Azure AD. You will need to take care of those devices with a PowerShell script. Needless to say, the devices must be enrolled into Microsoft Endpoint Manager Intune for this to work.

Please download Invoke-EscrowBitlockerToAAD.ps1 from my PowerShell bucket on GitHub before continuing. And while you are at it, reading the comments inside a PowerShell script is always good!

The exact scenario that I had to cover when building the script was:

  • MBAM with GPO deployed to all devices on-prem.
  • Devices Hybrid Azure AD Joined and enrolled.
  • Bitlocker policy deployed from Intune that matches the on-prem GPO Policy.

Your scenario might be different, but I suspect it would do well in a range of different scenarios. So, download the script and follow the next few parts on how to get it working with Intune.
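To show what the escrow step itself looks like on a device, here is an added example script (my own illustration, not the author's Invoke-EscrowBitlockerToAAD.ps1, which you should still download from GitHub as described above). It uses only the built-in BitLocker module: for every volume it finds the existing RecoveryPassword key protectors and hands each one to BackupToAAD-BitLockerKeyProtector, then confirms the result from the BitLocker Management event log. It assumes the script runs as SYSTEM under Intune's default script settings, that the device is Azure AD joined or hybrid Azure AD joined, and that the BitLocker module and dsregcmd are present.

```powershell
# Added example, not the author's Invoke-EscrowBitlockerToAAD.ps1.
# Escrows every existing BitLocker RecoveryPassword key protector to Azure AD
# with the built-in BitLocker module and verifies the backup via the event log.
# Assumptions: runs as SYSTEM under Intune's default script settings, the device
# is Azure AD joined or hybrid Azure AD joined, and the BitLocker module exists.

$ErrorActionPreference = 'Stop'
$runStart = Get-Date
$failed   = $false

# The escrow cmdlet only exists on Windows 10 1511 and later.
if (-not (Get-Command BackupToAAD-BitLockerKeyProtector -ErrorAction SilentlyContinue)) {
    Write-Output 'BackupToAAD-BitLockerKeyProtector is not available on this build'
    exit 1
}

# Escrow to Azure AD requires an Azure AD (or hybrid) join; dsregcmd reports this.
$dsreg = dsregcmd /status
if (-not ($dsreg -match 'AzureAdJoined\s*:\s*YES')) {
    Write-Output 'Device is not Azure AD joined; recovery keys cannot be escrowed to Azure AD'
    exit 1
}

foreach ($volume in Get-BitLockerVolume) {
    $mount = $volume.MountPoint
    $recoveryProtectors = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recoveryProtectors.Count -eq 0) {
        # Nothing to escrow. MBAM/GPO normally guarantees a recovery password,
        # so report it for the admin instead of silently adding a new protector.
        Write-Output "$mount`: no RecoveryPassword protector present (VolumeStatus=$($volume.VolumeStatus))"
        continue
    }

    foreach ($protector in $recoveryProtectors) {
        try {
            # Re-running is safe: Azure AD stores the key by protector ID, so an
            # already escrowed protector is simply written again, not duplicated.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mount `
                -KeyProtectorId $protector.KeyProtectorId | Out-Null
            Write-Output "$mount`: escrowed protector $($protector.KeyProtectorId) to Azure AD"
        }
        catch {
            $failed = $true
            Write-Output "$mount`: failed to escrow $($protector.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# Verify: the BitLocker Management log records event 845 for a successful
# Azure AD backup and 846 for a failed one. Only count events from this run.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $runStart
} -ErrorAction SilentlyContinue
$ok  = @($events | Where-Object Id -eq 845).Count
$bad = @($events | Where-Object Id -eq 846).Count
Write-Output "Event log since $runStart`: $ok successful backup(s), $bad failed backup(s)"
if ($bad -gt 0) { $failed = $true }

# A non-zero exit code shows as a failed run in the Intune script report,
# which is how you spot devices whose keys never reached Azure AD.
if ($failed) { exit 1 } else { exit 0 }
```

The exit code matters more than the output: Intune's script report only distinguishes succeeded from failed, so returning 1 whenever a protector could not be backed up (or event 846 was logged) is what lets you build a list of devices to chase before MBAM is switched off.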

Script deployment via Intune

From the Microsoft Endpoint Manager admin center, complete the steps that are numbered on the pictures and bullet points underneath each screenshot.

Deploy the script to migrate Bitlocker to Azure AD via MEM
  1. Click the “Devices” button.
  2. Then the “Windows” platform button.
  3. Click the “PowerShell scripts” button.
  4. And finally, click the “Add” button.

Script Basics

Describing the PowerShell script in Intune
  1. Type a fitting “Name” to be shown in the script overview.
  2. Type a fitting “Description” that clearly indicates the script's purpose.

Script settings

PowerShell script settings in Intune
  1. Click the “Blue folder icon” to select the escrow Bitlocker script file to be deployed (it will get uploaded to Intune).

You should already have downloaded the script as mentioned earlier. Please leave the remaining script settings at their defaults.

Script Assignments

PowerShell script target assignments
Selecting PowerShell script assignments in Intune
  1. Click the “Select groups to include” link to open the selection fan-out view.
  2. “Search” for the Security Group that includes the devices you wish to target. You could also target users, which would make the escrow BitLocker script run on each Intune managed device the user signs in to.
  3. Select “<your security group>” in the results to have the group shown in the “Selected Items” area.
  4. Then click the “Select” button to close the fan-out view.
  5. Click the “Next” button to continue.

Script deployment Review + add

You are almost done! (No way? Yeah, way!). Finally, you must make sure that all the Basics, Script settings, and Assignments are correct. If anything is missing, the Bitlocker keys might never get escrowed to Azure AD.

  1. Click on the “Add” button to complete the Intune PowerShell script deployment profile.

You have now completed all the steps!


Migrating Bitlocker to Azure AD, using Intune to escrow the existing key protectors with a PowerShell script, is possible. And I am very keen on hearing what other ways the community has come up with! So please don’t hesitate to leave a comment or reach out via Twitter.


Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic Infrastructure to Cloud consumption with a strong focus on security, and has been working in the IT industry for more than 20 years, where he started as a Network Administrator in the logistics industry. He has gained experience through a broad range of IT projects throughout the years and was very early to embrace and share his cloud technology passion. When not at work, Michael enjoys the value of spending time with family and friends and blogs passionately about Microsoft cloud technology whenever he has time to spare - this has earned him the title of Microsoft Most Valuable Professional (MVP) in the Enterprise Mobility category.