Bitlocker Migration from On-prem to Intune


Need suggestion what are the possible ways to shift the Bitlocker key from an On-prem environment to Azure AD. After migrating the co-managed machines to Intune.

What approach do you suggest?

  • Take a backup of Bitlocker keys to Azure AD
  • Decrypt and then encrypt the device using Intune (It is going to be time taking and may affect the computer if process get disrupted in between )
  • Bitlocker key rotation – (I am still reading about it, but not sure how it works)

Answers ( 2 )


    you can use a script which will enforce key sync to On prem and Azure. This will give you more options to recover. You will also gets the PS script to push on machines and sync the keys to both the places.


      Below are the steps I followed:

      1. I have created a PowerShell as per our requirement.
      #fetch the key
      $BitLockerVolume = Get-BitLockerVolume -MountPoint $BitlockerDrive
      $KeyProtector = $BitLockerVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq ‘RecoveryPassword’ }

      #To back up key into Azure
      BackupToAAD-BitLockerKeyProtector -MountPoint $BitlockerDrive -KeyProtectorId $BitlockerKey -ErrorAction SilentlyContinue

      2. Then Deployed the PowerShell using Intune.
      3. Monitored the results.
      4. Checked whether the Recovery key is updated in Portal or not.

      So far things are working fine as expected.

      Best answer

Leave an answer

Sorry, you do not have permission to answer to this question .