escrow bitlocker to azure ad
Home ยป Microsoft Endpoint Manager ยป Intune ยป Migrate Bitlocker to Azure AD

Migrate Bitlocker to Azure AD

How can you migrate Bitlocker to Azure AD without needing to re-encrypt or add new recovery keys to your managed devices? This article will illustrate one way to escrow (backup) the existing recovery key, using nothing but a Microsoft Endpoint Manager Intune PowerShell script.

The death of MBAM and AD Escrowed credentials

The Microsoft Bitlocker Administration and Monitoring tools have gone out of mainstream support. And any cloud-first forward-thinking company will likely be looking to escrow the existing and future recovery keys for BitLocker to Azure AD / Microsoft Endpoint Manager Intune. Others might just be storing them in On-Prem AD instead, but that is not what I would suggest you do, as this limits your insights substantially when MBAM is removed.

If you have a solid hybrid cloud strategy, Microsoft Endpoint Manager Configuration Manager is a great choice for Bitlocker management. And if that is your scenario, I suggest you read this series:
Goodbye MBAM โ€“ BitLocker Management in Configuration Manager

NB: MBAM features have all been ported to MEM CM. And are fully supported going forward.

Configuring Intune to enforce and escrow Bitlocker to Azure AD

This part is well documented by Microsoft on the docs page: Encrypt Windows 10 devices with BitLocker in Intune – Microsoft Intune | Microsoft Docs.

However, you should be aware that you can actually deploy your Intune managed Bitlocker policy on top of your existing GPO policy, as long as you have not configured the MDMWinsOverGP CSP. This way, you will ensure that you have all keys escrowed into Azure AD before dismantling your MBAM solution. And you will also get the benefit of having all new devices adhere to the Intune policy, as long as you remember to exclude them from the MBAM Bitlocker GPO.

The script that will help you migrate Bitlocker to Azure AD

Now, a policy alone will not migrate existing device recovery keys escrowed in MBAM or AD to Azure AD. You will need to take care of those devices with a PowerShell script. Needless to say, the devices must be enrolled into Microsoft Endpoint Manager Intune for this to work.

Please download Invoke-EscrowBitlockerToAAD.ps1 from my PowerShell bucket on GitHub before continuing. And while you are at it, reading the comments inside a PowerShell script is always good!

The exact scenario that I had to cover when building the script was:

  • MBAM with GPO deployed to all devices on-prem.
  • Devices Hybrid Azure AD Joined and enrolled.
  • Bitlocker policy deployed from Intune that matches the on-prem GPO Policy.

Your scenario might be different, but I suspect it would do well in a range of different scenarios. So, download the script and follow the next few parts on how to get it working with Intune.

Script deployment via Intune

From the Microsoft Endpoint Manager admin center, complete the steps that are numbered on the pictures and bullet points underneath each screenshot.

Deploy the script to migrate Bitlocker to Azure AD via MEM
  1. Click the “Devices” button.
  2. Then the “Windows” platform button.
  3. Click the “PowerShell scripts” button.
  4. And finally, click the “Add” button.

Script Basics

Describing the PowerShell script in Intune
  1. Type a fitting “Name” to be shown in the script overview.
  2. Type a fitting “Description” that clearly indicates the scripts purpose.

Script settings

bitlocker to azure ad script settings
PowerShell script settings in Intune
  1. Click the “Blue folder icon” to select the escrow Bitlocker script file to be deployed (it will get uploaded to Intune).

You should already have downloaded the script as mentioned earlier. And please pay attention to leave the script settings at their defaults.

Script Assignments

PowerShell script target assignments
Selecting PowerShell script assignments in Intune
  1. Click the “Select groups to include” link to open the selection fan-out view.
  2. Search” for the Security Group that includes the devices you wish to target. You could also target users, which would make the escrow BitLocker script run on each Intune managed device the user signs in to.
  3. Select “<your security group>” in the results to have the group shown in the “Selected Items” area.
  4. Then click the “Select” button to close the fan-out view.
  5. Click the “Next” button to continue.

Script deployment Review + add

You are almost done! (No way? Yeah, way!). Finally, you must make sure that all the Basics, Script settings, and Assignments are correct. If anything is missing, you might not get Bitlocker to Azure AD escrowing to happen.

  1. Click on the “Add” button to complete the Intune PowerShell script deployment profile.

You have now completed all the steps!


Migrating Bitlocker to Azure AD, using Intune to escrow the existing Keyprotectors with a PowerShell script is possible. And I am very keen on hearing what other ways the community has come up with! So please don’t hesitate to leave a comment or reach out via Twitter.


Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic Infrastructure to Cloud consumption with a strong focus on security. And has been working in the IT industry for more than 20 years, where he started as a Network Administrator in the logistics industry. He has gained experience through a broad range of IT projects throughout the years and was very early to embrace and share his cloud technology passion. When not at work, Michael enjoys the value of spending time with family and friends and BLOG's passionately about Microsoft cloud technology whenever he has time to spare - this has earned him the title of Microsoft Most Valuable Professional (MVP) in the Enterprise Mobility category.


    • Hi Arthur,

      Please take a look at the PowerShell code – it clearly defines the system drive and no more.
      You would need to modify the script I have made available, or create a duplicate of it and force it to use another drive letter, then you can have two separate scripts running if you don’t like to work with PowerShell.

  • Hi Michael,

    Thanks for sharing this .

    In my case it is failing for all the users. how i can deploy the powershell script with admin privilege’s via Intune? is it possible?


    • Hi Jag,

      You must follow the guide I have written. It is not meant to be run in the users context – if you set the PowerShell options as I have marked in the screenshots, then it will run with the highest privileges.

  • Hi there, thanks for writing this up, I had to add a [0] for the recovery key as some of our devices have more than one (for whatever reason), in case others have this issue.

    A question, what’s the recommended method for encrypting a freshly imaged SCCM device (imaged via a task sequence)? We’ve noticed some devices get the Intune policy quickly and others show they have it but don’t encrypt for quite some time. Any tips on speeding this up?

    • Thank you for that Justin.

      I don’t work with on-prem deployments as much as the rest of our writers, so you would have to ask on another thread or twitter.

  • If bitlocker have been activated and then deactivated the function Test-Bitlocker does not throw an exception. In those cases $keyprotectorid.count -gt 0 – will only be true when the drive is actually encrypted.

    • Thanks for that – hope other readers can find that information useful also ๐Ÿ™‚

  • hi,
    Will this work with VMware UEM i.e. Bitlocker deployed via VMware UEM and now need to migrate to Intune

    • If BitLocker keys are there, then I am pretty sure it would. but I have never used VMWare UEM, so you would need to test on a very small amount of devices.

  • hi michael, when i deploy the script on about 25% of devices it fails and the output is 3. any idea what error that is?

    i am checking the error in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
    where the result = failed and resultdetails = 3

  • hi michael – i deployed the script and it is working well for about 75% of devices. on the devices that fail, the result key in the registry is set to failed and the resultdetails key is set to 3. this is in the intunemanagementextension part of the registry where scripts deployed via intune live. are you familiar with the result of 3 and what error that may be indicating?

  • Still not clear how it should work for the key rotation mechanism. Now we have MBAM with GPO in place an key rotation is being controlled by MBAM.
    So we uploaded recovery keys to Azure AD and applied new Bitlocker policy from MDM.
    But what is going on with the key rotation mechanism in this case?
    MBAM stops rotation when Intune policies take precedence, right?
    And it means that when someone obtains the key, the new one should be generated in Azure?
    Seems the topic creates a lot of questions about how to correctly retire MBAM after that.

  • are we able to do the second part (running script to escrow key to aad) without doing the first part of applying the new profile? we would then go back and apply the intune policy at a later date. or for the script to work does a intune based bitlocker profile NEED to be applied?

    • Hi Mason,

      You can most definitely just Escrow the keys to AAD before using any form or Intune CSP for Bitlocker.

  • We have Hybrid environment, so if we want to push the script from Intune to Windows machine, it should have IntuneManagementExtension app installed on the machines right ? but none of our machines have this, is there any way we can push it silently ?

    • Hi Ramees,

      Don’t worry about the Intune Management Extention, just add the script from within Intune Powershell scripts.
      Intune will take care of installing the Intune Management Extension agent onto your machine – there is no supported way for you to install this in advance, and there is also no need.

  • Have 1 small question – Your situation is the same as mine. For testing purposes – On my MBAM GPO should I just go in to the Advance Permissions on the GPO and Place a Deny on Apply GPO to the Group that I am using to migrate to InTune? This way it stops them from getting the GPO?

    • That would be a way yes, just note that not all Bitlocker settings from MBAM might revert properly (this has been my experience in some cases).
      So if you are having big issues, try testing on a fresh machine that has never had the MBAM policy applied. Then you can start figuring out what policies you need to undo manually or with another GPO.

  • I just wanted to drop a line and thank you for this, its working perfectly to get out keys into Azure!



Do you want to be notified of new posts on our site?

Please enter your email address below:

Categories use cookies to ensure that we give you the best experience on our website.