MSEndpointMgr
escrow bitlocker to azure ad

Migrate Bitlocker to Azure AD

How can you migrate Bitlocker to Azure AD without needing to re-encrypt or add new recovery keys to your managed devices? This article will illustrate one way to escrow (backup) the existing recovery key, using nothing but a Microsoft Endpoint Manager Intune PowerShell script.

The death of MBAM and AD Escrowed credentials

The Microsoft Bitlocker Administration and Monitoring tools have gone out of mainstream support. And any cloud-first forward-thinking company will likely be looking to escrow the existing and future recovery keys for BitLocker to Azure AD / Microsoft Endpoint Manager Intune. Others might just be storing them in On-Prem AD instead, but that is not what I would suggest you do, as this limits your insights substantially when MBAM is removed.

If you have a solid hybrid cloud strategy, Microsoft Endpoint Manager Configuration Manager is a great choice for Bitlocker management. And if that is your scenario, I suggest you read this series:
Goodbye MBAM – BitLocker Management in Configuration Manager

NB: MBAM features have all been ported to MEM CM. And are fully supported going forward.

Configuring Intune to enforce and escrow Bitlocker to Azure AD

This part is well documented by Microsoft on the docs page: Encrypt Windows 10 devices with BitLocker in Intune – Microsoft Intune | Microsoft Docs.

However, you should be aware that you can actually deploy your Intune managed Bitlocker policy on top of your existing GPO policy, as long as you have not configured the MDMWinsOverGP CSP. This way, you will ensure that you have all keys escrowed into Azure AD before dismantling your MBAM solution. And you will also get the benefit of having all new devices adhere to the Intune policy, as long as you remember to exclude them from the MBAM Bitlocker GPO.

The script that will help you migrate Bitlocker to Azure AD

Now, a policy alone will not migrate existing device recovery keys escrowed in MBAM or AD to Azure AD. You will need to take care of those devices with a PowerShell script. Needless to say, the devices must be enrolled into Microsoft Endpoint Manager Intune for this to work.

Please download Invoke-EscrowBitlockerToAAD.ps1 from my PowerShell bucket on GitHub before continuing. And while you are at it, reading the comments inside a PowerShell script is always good!

The exact scenario that I had to cover when building the script was:

  • MBAM with GPO deployed to all devices on-prem.
  • Devices Hybrid Azure AD Joined and enrolled.
  • Bitlocker policy deployed from Intune that matches the on-prem GPO Policy.

Your scenario might be different, but I suspect it would do well in a range of different scenarios. So, download the script and follow the next few parts on how to get it working with Intune.

Script deployment via Intune

From the Microsoft Intune admin center, complete the steps that are numbered on the pictures and bullet points underneath each screenshot.

Deploy the script to migrate Bitlocker to Azure AD via MEM
  1. Click the “Devices” button.
  2. Then the “Windows” platform button.
  3. Click the “PowerShell scripts” button.
  4. And finally, click the “Add” button.

Script Basics

Describing the PowerShell script in Intune
  1. Type a fitting “Name” to be shown in the script overview.
  2. Type a fitting “Description” that clearly indicates the scripts purpose.

Script settings

bitlocker to azure ad script settings
PowerShell script settings in Intune
  1. Click the “Blue folder icon” to select the escrow Bitlocker script file to be deployed (it will get uploaded to Intune).

You should already have downloaded the script as mentioned earlier. And please pay attention to leave the script settings at their defaults.

Script Assignments

PowerShell script target assignments
Selecting PowerShell script assignments in Intune
  1. Click the “Select groups to include” link to open the selection fan-out view.
  2. Search” for the Security Group that includes the devices you wish to target. You could also target users, which would make the escrow BitLocker script run on each Intune managed device the user signs in to.
  3. Select “<your security group>” in the results to have the group shown in the “Selected Items” area.
  4. Then click the “Select” button to close the fan-out view.
  5. Click the “Next” button to continue.

Script deployment Review + add

You are almost done! (No way? Yeah, way!). Finally, you must make sure that all the Basics, Script settings, and Assignments are correct. If anything is missing, you might not get Bitlocker to Azure AD escrowing to happen.

  1. Click on the “Add” button to complete the Intune PowerShell script deployment profile.

You have now completed all the steps!

Conclusion

Migrating Bitlocker to Azure AD, using Intune to escrow the existing Keyprotectors with a PowerShell script is possible. And I am very keen on hearing what other ways the community has come up with! So please don’t hesitate to leave a comment or reach out via Twitter.

(43311)

Michael Mardahl

Michael Mardahl is a seasoned IT pro with over 25 years of experience under his belt. He's a Microsoft Certified Cloud Architect at APENTO in Denmark, where he helps customers move from traditional infrastructure to the cloud while keeping security top of mind. When he's not working, Michael's either spending time with his family and friends or passionately blogging about Microsoft cloud technology. His expertise in this area has even earned him the prestigious title of Microsoft Most Valuable Professional (MVP) in both the Enterprise Mobility and Security categories. In short, Michael is the IT equivalent of a rockstar, but don't expect him to act like one - he's way too down-to-earth for that.

44 comments

  • Hi Michael,
    To escrow the bit-locker key from MBAM to AAD, do it require the Intune managed Bitlocker policy as well as script or only script will work?

    If we use both does it decrypt and encrypt the drive of existing device again?

    Regards,
    Vipin K

    • Hi Vipin,

      The script alone will make sure to escrow the key into Azure AD. Intune policy is not needed.
      So you can migrate from MBAM to Intune at your own pace.

      If you enable the exact same settings for BitLocker in Intune, that you had in MBAM no changes will happen to the drive (in my experience).
      If you do a different setting, then it is most likely going to fail with a remediation error.

      I would just migrate to whatever setting you have now for existing devices, and make a new and possibly better policy for the next time you enroll a device into bitlocker.
      It all depends on so many factors! 🙂

  • Hi Michael,
    short question: if I run that script as “Proactive Remedation” once a week or so, what happens with the escrowed key? Do I get the same key as many times as the script runs? I think yes, right?

    • I think you would be askin’ for problems. it should in that case be able to know if it has already escrowed the key and then NOT do anything. there is a limit to the amount of keys you can escrow – and you don’t want to hit that limit of 200 keys.

  • Michael,

    Just wanted to say thank you for the post.

    I have successfully completed the task following your steps and the scrip is showing as completed successfully on my test device. But the Bitlocker key is not showing in AAD under the registered device.

    – The device is AD joined and the Bitlocker key has been generated by GPO which works ok.
    – The key is visible in AAD
    – Any ideas as to why its showing as successful but the key is not present in AAD?

    Regards
    Brent

  • Michael,
    thanks a lot for the script !
    It helped me moving from MBAM to Intune
    I slightly modified it to work on encrypted drives only and catch system and fixed disks.

    #region execute
    $Drives = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq ‘FullyEncrypted’ }
    If ($Drives.Count -gt 0) {
    foreach ($DriveLetter in $Drives.MountPoint) {
    $KeyProtectorId = Get-KeyProtectorId -BitlockerDrive $DriveLetter
    Invoke-BitlockerEscrow -BitlockerDrive $DriveLetter -BitlockerKey $KeyProtectorId
    }
    } Else {
    Write-Output “Bitlocker was not found on any drives. Terminating script!”
    exit 1
    }
    #endregion execute

    • Hi Olaf,

      I added your improvement to the script, but when I run it, I still only get the key for the system drive escrowed. If I output $drives and $drives.mountpoint I can see that it has registered that there is also a D: drive (and it is fully encrypted). Any idea why this might be? There’s not errors and the C: drive key is escrowed successfully.

  • The script to backup the Bitlocker key to Azure works perfectly.

    But when I assign the Bitlocker policy from Intune I get error messages regarding Backup of the key to ADDS.

    Microsoft-Windows-BitLocker-API/Management
    “Event ID 851: Error: Group Policy prevents you from backing up your recovery password to Active Directory for this Drive”

    Have any one experienced the same?
    The client is Hybrid joined with Co-Manage and CMG enabled.
    All MBAM and Bitlocker settings is removed.

    Is it possible to bypass the ADDS backup and only rely on AAD when the client is hybrid?

    And just to be clear, have you got the key rotation from Intune/AAD to work after the migration?

    • Hi Krille,

      Unfortunately I am unable to investigate your queries, but I hope someone else that reads your comment might jump in with some answers.

    • Hi Arthur,

      Please take a look at the PowerShell code – it clearly defines the system drive and no more.
      You would need to modify the script I have made available, or create a duplicate of it and force it to use another drive letter, then you can have two separate scripts running if you don’t like to work with PowerShell.

  • Hi Michael,

    Thanks for sharing this .

    In my case it is failing for all the users. how i can deploy the powershell script with admin privilege’s via Intune? is it possible?

    Regards
    Jag

    • Hi Jag,

      You must follow the guide I have written. It is not meant to be run in the users context – if you set the PowerShell options as I have marked in the screenshots, then it will run with the highest privileges.

  • Hi there, thanks for writing this up, I had to add a [0] for the recovery key as some of our devices have more than one (for whatever reason), in case others have this issue.

    A question, what’s the recommended method for encrypting a freshly imaged SCCM device (imaged via a task sequence)? We’ve noticed some devices get the Intune policy quickly and others show they have it but don’t encrypt for quite some time. Any tips on speeding this up?

    • Thank you for that Justin.

      I don’t work with on-prem deployments as much as the rest of our writers, so you would have to ask on another thread or twitter.

      • I have exactly the same issue as my risk management insists on encryption during OS deployment and not “later” while the user is already on the road.

        My current plan B is to encrypt with Bitlocker TS steps and save key to AD as interim backup.
        After workload has shifted completely the escrow script pops in via Intune and transfers key to AAD.

        Not very modern, maybe at some point Intune is able to do it “now” even having an on-prem OS deployment

  • If bitlocker have been activated and then deactivated the function Test-Bitlocker does not throw an exception. In those cases $keyprotectorid.count -gt 0 – will only be true when the drive is actually encrypted.

    • Thanks for that – hope other readers can find that information useful also 🙂

  • hi,
    Will this work with VMware UEM i.e. Bitlocker deployed via VMware UEM and now need to migrate to Intune

    • If BitLocker keys are there, then I am pretty sure it would. but I have never used VMWare UEM, so you would need to test on a very small amount of devices.

  • hi michael, when i deploy the script on about 25% of devices it fails and the output is 3. any idea what error that is?

    i am checking the error in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
    where the result = failed and resultdetails = 3

  • hi michael – i deployed the script and it is working well for about 75% of devices. on the devices that fail, the result key in the registry is set to failed and the resultdetails key is set to 3. this is in the intunemanagementextension part of the registry where scripts deployed via intune live. are you familiar with the result of 3 and what error that may be indicating?

  • Still not clear how it should work for the key rotation mechanism. Now we have MBAM with GPO in place an key rotation is being controlled by MBAM.
    So we uploaded recovery keys to Azure AD and applied new Bitlocker policy from MDM.
    But what is going on with the key rotation mechanism in this case?
    MBAM stops rotation when Intune policies take precedence, right?
    And it means that when someone obtains the key, the new one should be generated in Azure?
    Seems the topic creates a lot of questions about how to correctly retire MBAM after that.

  • are we able to do the second part (running script to escrow key to aad) without doing the first part of applying the new profile? we would then go back and apply the intune policy at a later date. or for the script to work does a intune based bitlocker profile NEED to be applied?
    thanks,

    • Hi Mason,

      You can most definitely just Escrow the keys to AAD before using any form or Intune CSP for Bitlocker.

  • We have Hybrid environment, so if we want to push the script from Intune to Windows machine, it should have IntuneManagementExtension app installed on the machines right ? but none of our machines have this, is there any way we can push it silently ?

    • Hi Ramees,

      Don’t worry about the Intune Management Extention, just add the script from within Intune Powershell scripts.
      Intune will take care of installing the Intune Management Extension agent onto your machine – there is no supported way for you to install this in advance, and there is also no need.

  • Have 1 small question – Your situation is the same as mine. For testing purposes – On my MBAM GPO should I just go in to the Advance Permissions on the GPO and Place a Deny on Apply GPO to the Group that I am using to migrate to InTune? This way it stops them from getting the GPO?

    • That would be a way yes, just note that not all Bitlocker settings from MBAM might revert properly (this has been my experience in some cases).
      So if you are having big issues, try testing on a fresh machine that has never had the MBAM policy applied. Then you can start figuring out what policies you need to undo manually or with another GPO.

  • I just wanted to drop a line and thank you for this, its working perfectly to get out keys into Azure!

      • Hi Michael,

        Post implementation, do we required to disable the Onprem AD GPO for Bitlocker and Enable the Drive Encryption from Intune?

        Thanks

      • If the point is to move to the cloud, then, Ideally yes. But I can’t speak to each orgs individual projects.

Sponsors