Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
MBAM Server Migration To Microsoft Endpoint Manager
Published Mar 08 2021 03:36 AM 46.3K Views


Dear IT Pros, 

Today we discuss about MBAM's Bitlocker data migration to MEM


Microsoft provides a range of flexible BitLocker management alternatives to meet  organization’s needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Endpoint Manager.
  2. On-premises BitLocker management using System Center Configuration Manager
  3. Microsoft BitLocker Administration and Monitoring (MBAM) ended support on 7/9/2019, extended support 4/14/2026.

In order to future proof the Bitlocker Management and simplify the administration, some corporates have planned to migrate MBAM data directly from MBAM servers to Microsoft Endpoint Manager. The key point of the migration is that, making sure the amount of the recovery key IDs listed by MBAM Server are the same as the ones listed by Azure AD before the cut-off point of time in the migration process. I would suggest the a migration process with 5 steps.

Migration steps:

  1. Generate a list of Bitlocker recovery keys in MBAM SQL Server
  2. Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.
  3. Generate a list of Bitlocker recovery keys by Graph API in Azure AD, also generate a list of devices failed to escrow their keys
  4. Compare list and make manually escrow of recovery keys to Azure AD
  5. Shutdown MBAM Server and decommission them.

Now we would look into the detail steps.

1. Generate a list of Bitlocker recovery keys in MBAM SQL Server:

  • To backup the recovery keys by SQL:
    Open the SQL Management Studio, and Expand the MBAM_Recovery_and_Hardware database.
  •   Under Tables, Select RecoveryAndHardwareCore.Keys.
  •   Right-Click RecoveryAndHardwareCore.Keys, and Select Top 1000 Rows.



  •   This should create a query that will give you a list of all RevoveryKeyID’s and RecoveryKey’s in the Database.




You could modify the above query for more rows with SELECT TOP nnnnn instead of 1000 (rows)

2. Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.

2.1 Make 2 device groups: Bitlocker GPO devices and Bitlocker MEM devices

During the transition period, you will migrating batch by batch the devices from the “Bitlocker GPO    devices group” to the “Bitlocker MEM devices group”.

2.2 Manage BitLocker using Microsoft Endpoint Manager – Intune

In Microsoft Endpoint Manager admin center.

  • Select Endpoint security > Disk encryptionand then
  •  Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.



creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager

  • Next, enter the basics, such as the name of the policy and an optional description, then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings. Also notice the options offered for key rotation. This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.



Create an Endpoint Security profile in Microsoft Endpoint Manager

  • As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.



Configuring BitLocker settings in Microsoft Endpoint Manager

  • Finally, add Scope tags, assign the new policy to the “Bitlocker MEM devices” group, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings
    • Enable full disk encryption for OS and fixed data drives
    • Require storage cards to be encrypted (mobile only)
    • Hide Prompt about third-party encryption
    • Configure client-driven recovery password rotation
  • BitLocker – Fixed Drive Settings
    • BitLocker fixed drive policy
  • BitLocker – OS Drive Settings
    • BitLocker system drive policy
  • BitLocker – Removable Drive Settings
    • BitLocker removable drive settings

2.2 For End Users To get the Bitlocker Recovery Key

Option 1, Using the Azure Management Portal

  • Open the Azure AD resource object in the Management Portal

  • Go to the All Users object and search for the account associated to the device.
  • Click the user object name to view the profile properties.



              Go to the Devices object under the Manage heading.

  • Select the appropriate listed device.



If the device is registered with Bitlocker encryption, then the Bitlocker Key ID and Recovery Key will be visible.


  • Click the Copy to Clipboard button and paste the data to view the entire string.

Option 2, Using the Microsoft Endpoint Manager Admin Center Portal

  • Open the admin center
  • Go the Devices blade                    
  • Search for the appropriate target device
  • In the “Monitor” section, find and click on “Recovery keys”

Click the Copy to Clipboard button and paste the data to view the entire string.


Option 3, Using the Company Portal website to get MacOS Recovery Key:

  • Sign into the Intune Company Portal website from any device.
  • In the portal, go to Devices and select the macOS device that is encrypted with FileVault.
  • Select Get recovery key. The current recovery key is displayed.

On an iPhone, you must select the three dots before the Get recovery key option appears.


  2.3 Force current MBAM devices to backup recovery password keys to MEM by script

From Endpoint Manager Portal, you could deploy to all Windows 10 devices the script to force current MBAM Clients to backup their recovery password keys to Azure AD. You could use the Github's powershell script provided by Michael Mardahl as per the "How to migrate Bitlocker to Azure AD" article


3. Generate a list of Bitlocker recovery key IDs by Graph API in Azure AD

3.1 Export list of recovery keys from Azure AD

  • The BitLocker Recovery Keys are stored in Azure AD, and there is Graph API (beta) to export the whole recovery key IDs by Graph Explorer



Return type


List recoveryKeys

bitlockerRecoveryKey collection

Get a list of the bitlockerRecoveryKey objects and

 their properties.

Get bitlockerRecoveryKey


Retrieve the properties and relationships of a bitlockerRecoveryKey object.

Note: The key property is not returned by default.

Prerequisite for Bitlocker Graph API

a.  Register an App API in Azure AD. Example of an bitlocker client app created

                > App Registration > New registration, Create, …



b.  Assign permission: Read all or Read basic of bitlocker data:



c.  Delegate permission for App to receive BitLockerRecoveryKey data on behalf of the signed-in User and grant admin consent:


d.  Signed-in User needed to be assigned one of the following roles:

Global administrator

Cloud device administrator

Helpdesk administrator

Intune service administrator

Security administrator

Security reader

Global reader

3.2 Steps to get Bitlocker Recovery Password List

  • Sign into Graph Explorer as Global Admin or Intune Admin,

            Graph Explorer - Microsoft Graph



> Choose the permission to read Bitlocker ‘s properties as shown here: 




 >  In the search box: typing bitlocker to search for bitlocker permissions 


          > Choose the permission to read Bitlocker ‘s properties as shown here:





       >  Sign-in,  

       >  Check the box “Consent on behalf of your Organization” 

       >  Make Query with the HTTP Graph beta and Header as shown here: 

                   GET, V1.0, 

                   Request headers:  Adding the keys 

                                   Ocp-client-name: anything (you could use your application API name registered                                                                    in Azure AD  

                                   Ocp-client-version: 1 

          >  Run Query



  • The current list of JSON is limited to 999 items. 
  • Copy the JSON list and make a csv file from the query result by convert tool, the tool could be a PowerShell converter or your trusted onlineconverting JSON to csv Website. Please consider to use the online tool at your own risk.
  • Result shown only 7 records per page, you may want to click on next page to view the next 7 recordsTanTran_1-1615225349157.png
  • To export more than 1000 items, you could use the Github' script provided by Nickolaj Anderson as described in the "Get Intune Managed Devices without an escrowed bitlocker recovery key using PowerShell"
  • An Example of converting JSON to CSV file: 



3.3 To monitor the status of Bitlocker device: 

The Microsoft Intune encryption report is a centralized location to view details about a device's encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you're viewing. 

Select Devices 

> Monitorand then  

under Configuration, selectEncryption report. 

  •   To View encryption details

The encryption report shows common details across the supported devices you manage. The following sections provide more details about the information that MEM presents in the report.

Encryption readiness

Ready: The device can be encrypted by using MDM policy, which requires MacOS10.13 or later, Windows with TPM and  Enterprise version 1709 or Pro 1809

Not ready

The device doesn't have full encryption capabilities, but may still support encryption.

Not applicable

There isn't enough information to classify this device.

Encryption status

Whether the OS drive is encrypted

When you select a device from the Encryption report, MEM displays the Device encryption status pane with the following detail:


A list of the Device configuration profiles that apply to this device·   

  •       macOS:    Profile type = Endpoint protectiono    Settings > FileVault > FileVault = Enable·        
  • Windows 10:  Profile type = Endpoint protectiono    Settings > Windows Encryption > Encrypt devices = Require 

Encryption readiness

TPM status is ready for bitlocker encryption or not

(the device can still be manually encrypted. or through a MDM/Group Policy setting that can be set to allow encrypting without a TPM.)

Encryption status

Whether the OS drive is encrypted. It can take up to 24 hours for MEM to report

For Windows devices, this field does not look at whether other drives, such as fixed drives, are encrypted


Status details

This field displays information for each applicable error that can be detected. You can use this information to understand why a device might not be encryption ready:


·         The recovery key hasn't been retrieved and stored yet,

·         The user is deferring encryption or is currently in the process of encryption.

·         The device is already encrypted. Device user must decrypt the device to continue.

·         FileVault needs the user to approve their management profile in macOS Catalina and higher.

·         Unknown


·         The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard on the OS volume.

·         The encryption method of the OS volume doesn't match the BitLocker policy.

·         The policy BitLocker requires a TPM protector, or PIN, or Startup Key.

·         Recovery key backup failed.

·         A fixed drive is unprotected.

·         The encryption method of the fixed drive doesn't match the BitLocker policy.

·         To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.

·         Windows Recovery Environment (WinRE) isn't configured.

·         The TPM isn't ready for BitLocker.

·         The network isn't available.


3.4 To view list of Unencrypted devices:

We need to know if the Devices ever backup the recovery keys to Azure AD. Jos Lieben provided the script to generate a report about the devices who have not been escrowed the bitlocker recovery key to Azure AD.

Download the Get-bitlockerEscrowStatusForAzureADDevices.ps1script from Github


4. Compare between lists and make manually escrow of recovery keys to Azure AD

Use the Excel spreadsheet’s comparing feature to make sure no discrepancy between the 2 files. One CSV file who listed the Recovery Password Key IDs from MBAM Database and one listed the Key IDs from Azure AD. There should be no difference.

You could repeat step 2.3 mentioned above to deploy a script for backing up the Bitlocker Recovery Keys to Azure AD, assign script to the group of devices without keys in AAD.

5. Shutdown MBAM Server and decommission them.

  • Correct any problem with the devices who are missing recovery passwords in Azure AD or MEM
  • Power off the MBAM Server for 2 months (optional),
  • Backup and Remove the MBAM Database.
  • Decommission the MBAM Servers.


I hope the information is useful for your migration plan and deployment.

Thanks for viewing and discussing this topic.






The sample scripts are not supported under any Microsoft standard support program or service. 
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all
implied warranties including, without limitation, any implied warranties of merchantability or of
fitness for a particular purpose. The entire risk arising out of the use or performance of the
sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or
anyone else involved in the creation, production, or delivery of the scripts be liable for any
damages whatsoever (including, without limitation, damages for loss of business profits,
business interruption, loss of business information, or other pecuniary loss) arising out of
the use of or inability to use the sample scripts or documentation, even if Microsoft has been
advised of the possibility of such damages.


Version history
Last update:
‎Mar 15 2021 09:42 AM
Updated by: