Existing / In Use / Already Encrypted W10 Devices - BL Keys to Azure AD


Hi All

 

Is there a way to port BitLocker keys on existing / in use devices that have already been encrypted (manually or outwith Intune) to Azure AD?

 

Info appreciated

3 Replies
First, have a policy in place that saves the key to AAD; then you would have to force a key rotation for every device.

@Thijs Lecomte 

 

Hey, can you elaborate on this?

 

Regards

Hi @Stuart King 

 

This would be my way of working:

- Create an Intune policy to enable encryption and store the key in AAD

- Disable the policy in the local AD

- Force a key rotation on all machines (https://www.scconfigmgr.com/2019/11/20/enable-bitlocker-key-rotation-for-intune-managed-devices/)
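The replies above use an Intune policy plus a forced key rotation. As an added example, not from any poster in this thread, the script below shows the other route a practitioner can take on an already-encrypted device: escrowing the existing recovery-password protectors directly to Azure AD with the built-in BackupToAAD-BitLockerKeyProtector cmdlet. It assumes the device is Azure AD joined or hybrid joined, the Windows BitLocker module is available, and the shell is elevated.

```powershell
# Added example (not from the thread): escrow existing BitLocker recovery
# passwords to Azure AD on a device that is already encrypted.
# Assumes: Azure AD joined or hybrid joined device, BitLocker PowerShell
# module present (Windows 10), elevated session.

# Only volumes that actually hold encrypted data have anything to escrow.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($vol in $volumes) {
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # A volume protected only by TPM has no recovery password to escrow;
        # add one so the device can be recovered from Azure AD later.
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, adding one"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # Sends this protector's recovery password to the device object in Azure AD.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId) to Azure AD"
        } catch {
            # Typical causes: device not AAD joined, no network, or not elevated.
            Write-Error "$($vol.MountPoint): escrow failed for $($kp.KeyProtectorId): $_"
        }
    }
}
```

After the run, confirm the escrow by checking the device's BitLocker keys in the Azure AD portal rather than trusting the local output alone.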