How can you migrate Bitlocker to Azure AD without needing to re-encrypt or add new recovery keys to your managed devices? This article will illustrate one way to escrow (back up) the existing recovery key, using nothing but a MICROSOFT ENDPOINT MANAGER INTUNE POWERSHELL SCRIPT.
>> The death of MBAM and AD Escrowed credentials
The Microsoft Bitlocker Administration and Monitoring tools have gone out of mainstream support, and any cloud-first, forward-thinking company will likely be looking to escrow the existing and future recovery keys for BitLocker to Azure AD / Microsoft Endpoint Manager Intune.
If you have a solid hybrid cloud strategy, Microsoft Endpoint Manager Configuration Manager is a great choice for Bitlocker management, and if that is your scenario, I suggest you read this series: Goodbye MBAM -- BitLocker Management in Configuration Manager.
NB: MBAM features have all been ported to MEM CM and are fully supported going forward.
>> Configuring Intune to enforce and escrow Bitlocker to Azure AD
This part is well documented by Microsoft on the docs page: Encrypt Windows 10 devices with BitLocker in Intune.
However, you should be aware that you can actually deploy your Intune managed Bitlocker policy on top of your existing GPO policy, as long as you have not configured the MDMWinsOverGP CSP. This way, you will ensure that you have all keys escrowed into Azure AD before dismantling your MBAM solution.
>> The script that will help you migrate Bitlocker to Azure AD
Now, a policy alone will not migrate existing device recovery keys escrowed in MBAM or AD to Azure AD. You will need to take care of those devices with a PowerShell script. Needless to say, the devices must be enrolled into Microsoft Endpoint Manager Intune for this to work.
Please download Invoke-EscrowBitlockerToAAD.ps1 from my PowerShell bucket on GitHub before continuing.
The exact scenario that I had to cover when building the script was:
* MBAM with GPO deployed to all devices on-prem.
* Devices Hybrid Azure AD Joined and enrolled.
* Bitlocker policy deployed from Intune that matches the on-prem GPO Policy.
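The following is an added illustration of what such a script has to do, written for this post's scenario; it is not the author's Invoke-EscrowBitlockerToAAD.ps1 from GitHub. It relies only on the built-in BitLocker module cmdlets Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector, plus dsregcmd to confirm the device has an Azure AD identity. The log file location and the Write-Log helper are assumptions made for the example. It expects to run in the SYSTEM context, which is what an Intune PowerShell script gets with the default script settings. Existing RecoveryPassword protectors are escrowed as-is; volumes without one are logged and skipped rather than given a new protector, matching the article's goal of not adding new recovery keys.

```powershell
# Added example (not the author's script): escrow every existing BitLocker
# RecoveryPassword key protector on this device to Azure AD.
# Assumed log location for troubleshooting from the Intune admin center.
$logPath = Join-Path $env:ProgramData 'EscrowBitlockerToAAD.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $logPath -Append -Encoding utf8
}

# BackupToAAD needs an Azure AD (or hybrid) joined device; bail out early otherwise.
$dsreg = (dsregcmd /status) -join "`n"
if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') {
    Write-Log 'Device is not Azure AD joined; nothing can be escrowed.'
    exit 1
}

$failures = 0
foreach ($vol in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors are escrowed; TPM, PIN or startup-key
    # protectors have nothing to back up.
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        Write-Log "$($vol.MountPoint): no RecoveryPassword protector; skipping (no new protector is added)."
        continue
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # The protector ID identifies the key in Azure AD; the recovery
            # password itself is never written to the log.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Log "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId) to Azure AD."
        }
        catch {
            $failures++
            Write-Log "$($vol.MountPoint): failed to escrow $($kp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# A non-zero exit code shows the device as failed in the Intune script status,
# so partial escrow is visible instead of silently reported as success.
exit $failures
```

To verify on a device, compare the protector IDs in the log with the recovery keys shown for the device in the Azure AD portal, and check the BitLocker Management event log (Microsoft-Windows-BitLocker/BitLocker Management, event ID 845), which records each successful backup to Azure AD.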
>> Script deployment via Intune
From the Microsoft Intune admin center, complete the following steps:
1. Click the "DEVICES" button.
2. Then the "WINDOWS" platform button.
3. Click the "POWERSHELL SCRIPTS" button.
4. And finally, click the "ADD" button.
>> Script Basics
1. Type a fitting "NAME" to be shown in the script overview.
2. Type a fitting "DESCRIPTION" that clearly indicates the script's purpose.
>> Script settings
1. Click the "BLUE FOLDER ICON" to select the escrow Bitlocker script file to be deployed.
Take care to leave the SCRIPT SETTINGS AT THEIR DEFAULTS.
>> Script Assignments
1. Click the "SELECT GROUPS TO INCLUDE" link.
2. "SEARCH" for the SECURITY GROUP that includes the DEVICES you wish to target.
3. Select your security group in the results.
4. Then click the "SELECT" button.
5. Click the "NEXT" button to continue.
>> Script deployment Review + add
Make sure that all the Basics, Script settings, and Assignments are correct. Then click the "ADD" button to complete the deployment.
You have now completed all the steps!
>> Conclusion
Migrating Bitlocker to Azure AD by using Intune to escrow the existing key protectors with a PowerShell script is possible. And I am very keen on hearing what other ways the community has come up with!