This article is contributed. See the original author and article here.


Dear IT Pros, 

Today we discuss about MBAM’s Bitlocker data migration to MEM


Microsoft provides a range of flexible BitLocker management alternatives to meet  organization’s needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Endpoint Manager.

  2. On-premises BitLocker management using System Center Configuration Manager

  3. Microsoft BitLocker Administration and Monitoring (MBAM) ended support on 7/9/2019, extended support 4/14/2026.

To future proof the Bitlocker Management and simplify the administration, some corporates have planned to migrate MBAM data directly from MBAM servers to Microsoft Endpoint Manager. The key point of the migration is that, making sure the amount number of recovery keys listed by MBAM Server are the same as the ones listed by Azure AD before the cut-off point of time in the migration process.


Migration steps:

  1. Generate a list of Bitlocker recovery keys in MBAM SQL Server

  2. Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.

  3. Generate a list of Bitlocker recovery keys by Graph API in Azure AD, also generate a list of devices failed to escrow their keys

  4. Compare list and make manually escrow of recovery keys to Azure AD

  5. Shutdown MBAM Server and decommission them.

Now we would look into the detail steps.


  1. Generate a list of Bitlocker recovery keys in MBAM SQL Server:

    • To backup the recovery keys by SQL:
      Open the SQL Management Studio, and Expand the MBAM_Recovery_and_Hardware database.

    •   Under Tables, Select RecoveryAndHardwareCore.Keys.

    •   Right-Click RecoveryAndHardwareCore.Keys, and Select Top 1000 Rows.



  •   This should create a query that will give you a list of all RevoveryKeyID’s and RecoveryKey’s in the Database.




You could modify the above query for more rows with SELECT TOP nnnnn instead of 1000 (rows)

2 Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.

2.1 Make 2 device groups: Bitlocker GPO devices and Bitlocker MEM devices

During the transition period, you will migrating batch by batch the devices from the “Bitlocker GPO    devices group” to the “Bitlocker MEM devices group”.

2.2 Manage BitLocker using Microsoft Endpoint Manager – Intune

In Microsoft Endpoint Manager admin center.

  • Select Endpoint security > Disk encryptionand then

  •  Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.



creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager

  • Next, enter the basics, such as the name of the policy and an optional description, then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings. Also notice the options offered for key rotation. This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.



Create an Endpoint Security profile in Microsoft Endpoint Manager

  • As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.



Configuring BitLocker settings in Microsoft Endpoint Manager

  • Finally, add Scope tags, assign the new policy to the “Bitlocker MEM devices” group, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings

    • Enable full disk encryption for OS and fixed data drives

    • Require storage cards to be encrypted (mobile only)

    • Hide Prompt about third-party encryption

    • Configure client-driven recovery password rotation

  • BitLocker – Fixed Drive Settings

    • BitLocker fixed drive policy

  • BitLocker – OS Drive Settings

    • BitLocker system drive policy

  • BitLocker – Removable Drive Settings

    • BitLocker removable drive settings

2.2 For End Users To get the Bitlocker Recovery Key

Option 1, Using the Azure Management Portal

  • Open the Azure AD resource object in the Management Portal

  • Go to the All Users object and search for the account associated to the device.

  • Click the user object name to view the profile properties.



              Go to the Devices object under the Manage heading.

  • Select the appropriate listed device.



If the device is registered with Bitlocker encryption, then the Bitlocker Key ID and Recovery Key will be visible.





  • Click the Copy to Clipboard button and paste the data to view the entire string.

Option 2, Using the Microsoft Endpoint Manager Admin Center Portal

  • Open the admin center

  • Go the Devices blade                    

  • Search for the appropriate target device

  • In the “Monitor” section, find and click on “Recovery keys”

Click the Copy to Clipboard button and paste the data to view the entire string.

   Option 3, Using the Company Portal website to get MacOS Recovery Key:

  • Sign into the Intune Company Portal website from any device.

  • In the portal, go to Devices and select the macOS device that is encrypted with FileVault.

  • Select Get recovery key. The current recovery key is displayed.

On an iPhone, you must select the three dots before the Get recovery key option appears.


  1. Generate a list of Bitlocker recovery keys by Graph API in Azure AD

3.1 Export list of recovery keys from Azure AD

  • The BitLocker Recovery Keys are stored in Azure AD, and there is Graph API (beta) to export the whole recovery keys by Graph Explorer



Return type


List recoveryKeys

bitlockerRecoveryKey collection

Get a list of the bitlockerRecoveryKey objects and

 their properties.

Get bitlockerRecoveryKey


Retrieve the properties and relationships of a bitlockerRecoveryKey object.

Note: The key property is not returned by default.


3.2 Steps to get Bitlocker Recovery Password List

  • Sign into Graph Explorer as Global Admin or Intune Admin,

            Graph Explorer – Microsoft Graph






  • Choose the permission to read Bitlocker ‘s properties as shown here:






  • In the search box: typing bitlocker to search for bitlocker permissions



  • Choose the Bitlocker permission Read Basic or Read All:



  • Choose Consent and Sign-in,



Ocp-client-name: anything (you could use your application API name registered in Azure AD

Ocp-client-version: 1




  • The current list of JSON is limited to 999 items.

  • Copy the JSON list and make a csv file from the query result by convert tool, the tool could be powershell converter or your trusted online, converting JSON to csv Website.

Example of converting JSON to CSV file:




3.3 To monitor the status of Bitlocker device:

The Microsoft Intune encryption report is a centralized location to view details about a device’s encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you’re viewing.

> Select Devices 

>Monitor, and then

> under Configuration, select Encryption report.

  •   To View encryption details

The encryption report shows common details across the supported devices you manage. The following sections provide more details about the information that MEM presents in the report.

Encryption readiness

Ready: The device can be encrypted by using MDM policy, which requires MacOS10.13 or later, Windows with TPM and  Enterprise version 1709 or Pro 1809

Not ready

The device doesn’t have full encryption capabilities, but may still support encryption.

Not applicable

There isn’t enough information to classify this device.

Encryption status

Whether the OS drive is encrypted

When you select a device from the Encryption report, MEM displays the Device encryption status pane with the following detail:


A list of the Device configuration profiles that apply to this device·   

  •       macOS:    Profile type = Endpoint protectiono    Settings > FileVault > FileVault = Enable·        

  • Windows 10:  Profile type = Endpoint protectiono    Settings > Windows Encryption > Encrypt devices = Require 

Encryption readiness

TPM status is ready for bitlocker encryption or not

(the device can still be manually encrypted. or through a MDM/Group Policy setting that can be set to allow encrypting without a TPM.)

Encryption status

Whether the OS drive is encrypted. It can take up to 24 hours for MEM to report

For Windows devices, this field does not look at whether other drives, such as fixed drives, are encrypted


Status details

This field displays information for each applicable error that can be detected. You can use this information to understand why a device might not be encryption ready:


·         The recovery key hasn’t been retrieved and stored yet,

·         The user is deferring encryption or is currently in the process of encryption.

·         The device is already encrypted. Device user must decrypt the device to continue.

·         FileVault needs the user to approve their management profile in macOS Catalina and higher.

·         Unknown


·         The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard on the OS volume.

·         The encryption method of the OS volume doesn’t match the BitLocker policy.

·         The policy BitLocker requires a TPM protector, or PIN, or Startup Key.

·         Recovery key backup failed.

·         A fixed drive is unprotected.

·         The encryption method of the fixed drive doesn’t match the BitLocker policy.

·         To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.

·         Windows Recovery Environment (WinRE) isn’t configured.

·         The TPM isn’t ready for BitLocker.

·         The network isn’t available.


3.4 To view list of Unencrypted device:

We need to know if the Devices ever backup the recovery keys to Azure AD. Jos Lieben provided the script to generate a report about the devices who have not been escrowed the bitlocker recovery key to Azure AD.

Download the Get-bitlockerEscrowStatusForAzureADDevices.ps1script from Github


4. Compare list and make manually escrow of recovery keys to Azure AD

Use the Excel spreadsheet’s comparing feature to make sure no discrepancy between the 2 files.


5. Shutdown MBAM Server and decommission them.

  • Correct any problem with the devices who are missing recovery passwords in Azure AD or MEM

  • Power off the MBAM Server for 2 months (optional),

  • Backup and Remove the MBAM Database.

  • Decommission the MBAM Servers.


I hope the information is useful for your migration plan and deployment.

Thanks for viewing and discussing this topic.




The sample scripts are not supported under any Microsoft standard support program or service.
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all
implied warranties including, without limitation, any implied warranties of merchantability or of
fitness for a particular purpose. The entire risk arising out of the use or performance of the
sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or
anyone else involved in the creation, production, or delivery of the scripts be liable for any
damages whatsoever (including, without limitation, damages for loss of business profits,
business interruption, loss of business information, or other pecuniary loss) arising out of
the use of or inability to use the sample scripts or documentation, even if Microsoft has been
advised of the possibility of such damages.


Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: