How can you migrate Bitlocker to Azure AD without needing to re-encrypt or add new recovery keys to your managed devices? This article will illustrate one way to escrow (backup) the existing recovery key, using nothing but a Microsoft Endpoint Manager Intune PowerShell script.
The death of MBAM and AD Escrowed credentials
The Microsoft Bitlocker Administration and Monitoring tools have gone out of mainstream support. And any cloud-first forward-thinking company will likely be looking to escrow the existing and future recovery keys for BitLocker to Azure AD / Microsoft Endpoint Manager Intune. Others might just be storing them in On-Prem AD instead, but that is not what I would suggest you do, as this limits your insights substantially when MBAM is removed.
If you have a solid hybrid cloud strategy, Microsoft Endpoint Manager Configuration Manager is a great choice for Bitlocker management. And if that is your scenario, I suggest you read this series:
Goodbye MBAM – BitLocker Management in Configuration Manager
NB: MBAM features have all been ported to MEM CM and are fully supported going forward.
Configuring Intune to enforce and escrow Bitlocker to Azure AD
This part is well documented by Microsoft on the docs page: Encrypt Windows 10 devices with BitLocker in Intune – Microsoft Intune | Microsoft Docs.
However, you should be aware that you can deploy your Intune managed Bitlocker policy on top of your existing GPO policy, as long as you have not configured the MDMWinsOverGP CSP. This way, you ensure that all keys are escrowed into Azure AD before you dismantle your MBAM solution, and you also get the benefit of having all new devices adhere to the Intune policy, as long as you remember to exclude them from the MBAM Bitlocker GPO.
The script that will help you migrate Bitlocker to Azure AD
Now, a policy alone will not migrate existing device recovery keys escrowed in MBAM or AD to Azure AD. You will need to take care of those devices with a PowerShell script. Needless to say, the devices must be enrolled into Microsoft Endpoint Manager Intune for this to work.
Please download Invoke-EscrowBitlockerToAAD.ps1 from my PowerShell bucket on GitHub before continuing. And while you are at it, reading the comments inside a PowerShell script is always good!
The exact scenario that I had to cover when building the script was:
- MBAM with GPO deployed to all devices on-prem.
- Devices Hybrid Azure AD Joined and enrolled.
- Bitlocker policy deployed from Intune that matches the on-prem GPO Policy.
Your scenario might be different, but I suspect it would do well in a range of different scenarios. So, download the script and follow the next few parts on how to get it working with Intune.
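To illustrate what such a script has to do, here is an added example written for this article; it is not the author's Invoke-EscrowBitlockerToAAD.ps1 from GitHub, and the log file path is a constructed placeholder. It assumes the Intune defaults from the deployment steps (runs as SYSTEM, launched in the 32-bit host, so it relaunches itself in the 64-bit host where the BitLocker module is available), a Windows 10 build that ships the BackupToAAD-BitLockerKeyProtector cmdlet, and a device that is Azure AD joined or Hybrid Azure AD joined. It checks the join state before doing anything, escrows every existing RecoveryPassword key protector on every protected volume, and returns a non-zero exit code when any volume could not be escrowed so that the device shows as failed in the Intune script report.

```powershell
# Added example (not the author's Invoke-EscrowBitlockerToAAD.ps1): escrow every existing
# BitLocker recovery password key protector to Azure AD from an Intune PowerShell script.
# Assumptions: runs as SYSTEM (Intune default), the BitLocker module and the
# BackupToAAD-BitLockerKeyProtector cmdlet are present, device is (Hybrid) Azure AD joined.

# Intune starts scripts in the 32-bit host by default; the BitLocker module is only available
# in the 64-bit host, so relaunch there when needed (a common pattern, not an Intune API).
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    & "$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Constructed log path for this example; pick whatever fits your environment.
$logPath = Join-Path $env:ProgramData 'EscrowBitlockerToAAD.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $logPath -Append -Encoding utf8
}

# 1. Refuse to run on devices that are not joined to Azure AD: there is no tenant to escrow to.
#    dsregcmd /status prints an "AzureAdJoined : YES" line on AAD joined and Hybrid joined devices.
$dsreg = dsregcmd /status
if (-not ($dsreg -match 'AzureAdJoined\s*:\s*YES')) {
    Write-Log 'Device is not Azure AD joined; nothing to escrow to.'
    exit 1
}

Import-Module BitLocker -ErrorAction Stop

$failures = 0
foreach ($volume in Get-BitLockerVolume) {
    # 2. Only volumes with protection turned on have keys worth escrowing.
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Log "$($volume.MountPoint): protection is $($volume.ProtectionStatus); skipping."
        continue
    }

    # 3. Azure AD stores the numerical recovery password, so only RecoveryPassword protectors count.
    $recoveryProtectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        Write-Log "$($volume.MountPoint): no RecoveryPassword protector present; add one before escrowing."
        $failures++
        continue
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # 4. Post this protector's recovery password to Azure AD for the device object.
            #    Re-running on an already escrowed key simply posts it again, which is harmless.
            BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Log "$($volume.MountPoint): escrowed protector $($kp.KeyProtectorId) to Azure AD."
        }
        catch {
            Write-Log "$($volume.MountPoint): escrow of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
            $failures++
        }
    }
}

# 5. A non-zero exit code makes Intune mark the script run as failed, so devices that
#    still lack an escrowed key stand out in the script's device status view.
exit $failures
```

The exit-code convention is what makes the Intune script report useful as a migration dashboard: once every targeted device reports success, you have evidence that the keys exist in Azure AD before you retire MBAM. Verify a sample of devices in the Microsoft Intune admin center (device, Recovery keys) rather than trusting the log alone.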
Script deployment via Intune
From the Microsoft Intune admin center, complete the numbered steps shown on the screenshots and listed as bullet points underneath each screenshot.
- Click the “Devices” button.
- Then the “Windows” platform button.
- Click the “PowerShell scripts” button.
- And finally, click the “Add” button.
- Type a fitting “Name” to be shown in the script overview.
- Type a fitting “Description” that clearly indicates the script's purpose.
- Click the “Blue folder icon” to select the escrow Bitlocker script file to be deployed (it will get uploaded to Intune).
You should already have downloaded the script as mentioned earlier. And please take care to leave the script settings at their defaults.
- Click the “Select groups to include” link to open the selection fan-out view.
- “Search” for the Security Group that includes the devices you wish to target. You could also target users, which would make the escrow BitLocker script run on each Intune managed device the user signs in to.
- Select “<your security group>” in the results to have the group shown in the “Selected Items” area.
- Then click the “Select” button to close the fan-out view.
- Click the “Next” button to continue.
Script deployment Review + add
You are almost done! (No way? Yeah, way!). Finally, you must make sure that all the Basics, Script settings, and Assignments are correct. If anything is missing, the Bitlocker to Azure AD escrow might not happen.
- Click on the “Add” button to complete the Intune PowerShell script deployment profile.
You have now completed all the steps!
Migrating Bitlocker to Azure AD, using Intune to escrow the existing key protectors with a PowerShell script, is possible. And I am very keen on hearing what other ways the community has come up with! So please don’t hesitate to leave a comment or reach out via Twitter.