
Bulk Rotating BitLocker Recovery Keys via Powershell and Graph API in Intune

  • Writer: Matt Hinson
  • Aug 9, 2024
  • 6 min read

You're an Intune administrator. You open a device record, look at all the actions you can take on that single device, and wonder, "Hmm, can I run this action against more than one device at a time?" The answer is YES! But not without some trial and tribulation. Graph API is to Intune what SQL is to Configuration Manager: the backend "repository" or "database" behind the console. SQL has functions, sprocs (stored procedures), views, tables, and so on. Graph API is similar, albeit much flatter in nature, which makes it more challenging to work with: the way you do one task, like bulk rotating BitLocker recovery keys, looks nothing like another task, such as assigning Group Tags to Autopilot devices programmatically (a future blog post). So let's dive in and break it down piece by piece so we fully understand the process of bulk rotating BitLocker recovery keys in Intune.



Before we dive into the specifics, there are different device states to account for: Entra ID joined and hybrid joined. Add Intune managed versus co-managed and you have a matrix of device states that must be accounted for when configuring the solution presented in this blog. Hybrid joined devices that are also Configuration Manager clients (co-managed clients) need additional steps, such as making sure the co-management workload sliders are configured properly and that no GPOs conflict with the BitLocker policy. For hybrid devices, understand that GPO is king. And before some smarty pants says "well, you can configure the MDM Always Wins policy", yes you can! Except that MDM Always Wins (ControlPolicyConflict/MDMWinsOverGP) only applies to settings in the Policy CSP tree, whereas the BitLocker CSP is its own tree, so the MDM Always Wins policy does not apply to it. For the sake of this blog, we will be dealing with Entra ID joined devices only. If you have any questions regarding hybrid devices, drop a comment and I'll be glad to answer.


Plumbing


First things first, we need to set up the plumbing for BitLocker recovery key rotation. Thankfully, your favorite Microsoft engineer has done the legwork of reading the documentation for what is needed to configure this. Per the following link:


Rotate BitLocker recovery keys

You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later, and Windows 11.

Prerequisites

Devices must meet the following prerequisites to support rotation of the BitLocker recovery key:

  • Devices must run Windows 10 version 1909 or later, or Windows 11

  • Microsoft Entra joined and Microsoft Entra hybrid joined devices must have support for key rotation enabled via BitLocker policy configuration:

    • Client-driven recovery password rotation to Enable rotation on Microsoft Entra joined devices or Enable rotation on Microsoft Entra joined and Microsoft Entra hybrid joined devices

    • Save BitLocker recovery information to Microsoft Entra ID to Enabled

    • Store recovery information in Microsoft Entra ID before enabling BitLocker to Required


So there are three settings we must configure in an Intune policy before BitLocker key rotation will work at all, even natively by clicking the device action on the device record in Intune, let alone from a script. So let's do it!


Open the Intune admin center and go to Devices > Configuration. On the Configuration blade, click Policies, then the +Create button, and then the +Policy button. When the Create a profile blade appears, choose Windows 10 and later as the Platform and Templates as the Profile type. For the template name, choose Endpoint protection and then click Create.

On the Endpoint protection blade, on the Basics tab, give the profile a name such as 'BitLocker Policy' and click Next.


On the Configuration settings tab, expand Windows Encryption. You can enable any other settings you wish alongside the required ones in your BitLocker policy, but for BitLocker key rotation the three settings quoted above (client-driven recovery password rotation, saving recovery information to Entra ID, and requiring that it be stored before BitLocker is enabled) must be set, or neither the native device action nor a script-based rotation will work.

When finished, click Next. On the Assignments tab, add the group or groups of devices you wish to apply these settings to. Click Next on the Applicability rules screen and then Create on the Review + create screen to create your policy.


The Backend


Depending on your rights, you may need to involve an Entra ID administrator to grant delegated permissions on the Microsoft Graph Command Line Tools enterprise application in Entra ID. I mention this because there is no need to create your own app registration to interact with Graph API; this one is already provided for you. If you need an admin to grant the permissions for you, you will need the following:



If you are allowed to consent to permissions on enterprise applications yourself, you do not need to add them to the app ahead of time; you can consent to the permissions when you execute the script that rotates the BitLocker recovery keys.

The Script


Let's take a look at the script and break it down so it's understood bit by bit. The script can be downloaded from GitHub here - content/Graph-RotateBLKey.ps1 at main · ninjacat72/content (github.com)


Let's take a look at the first block of code:

Lines 1 and 2 install the Microsoft.Graph module, which is needed to run the script from your local device. Run just these two lines first so the module gets installed. Once it is installed, you can safely comment out line 2 by adding a '#' at the beginning of it.


Lines 4 and 5 authenticate to Graph with the scopes you wish to use, via the Connect-MgGraph cmdlet. As mentioned earlier, if you have rights to consent, you'll be asked when the script runs to consent to delegated permissions for the scopes listed on line 5.


Lines 7 and 8 define an Entra ID group ID. You can obtain the group ID from the properties of the group in Entra ID. Before some smarty pants comes in and says "well, you can do this with Azure Key Vault and stored credentials to fully automate it": why yes you can! But time is money, and this method is the quick and dirty way while you spend time coding all that automation. If you wish to run the script against more than one group, simply copy or alter the script to include the different group IDs. It is also possible to put multiple groups in an array so you can handle more than one at a time, but again, quick and dirty.


Lines 10 and 11 get the devices in the group you specified, using Get-MgGroupMember with the group ID from line 8. This cmdlet returns all members and their properties, including the Entra ID device ID. Lines 12 and 13 get the devices enrolled in Intune with the Get-MgDeviceManagementManagedDevice cmdlet, populating all their properties, including the Intune device ID. Both blocks prepare the rest of the script to associate the Entra ID device IDs with the Intune device IDs of the members of the specified Entra ID group.


NOTE: The members returned on lines 10 and 11 are identified by their directory Object ID. This is neither the Entra ID device ID nor the Intune device ID, so more code is needed to work out the Intune device ID before we can call the rotateBitLockerKeys action in Graph API. Let us continue on in the script!


Lines 16 through 41 are the meat of the script. Lines 17-23 extract the Entra device ID from the device records returned by the earlier Entra ID group query.


Lines 25-30 query by the Entra ID device ID, match it to the Intune device ID, and store the Intune device ID in a variable for the Graph API call to the rotateBitLockerKeys action on line 33.


Lines 32-40 execute the Graph API call to the rotateBitLockerKeys action for the Intune device ID found on lines 25-30. After the script runs, you will see the following on the record of every device that was in the specified group.
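To make the group-to-Entra-device-to-Intune-device flow described above concrete, here is an added example that implements the same steps end to end with the Microsoft.Graph PowerShell module. It is my own reconstruction for this page, not the author's Graph-RotateBLKey.ps1, and it goes slightly beyond the post by accepting several group IDs at once, skipping non-device members, and supporting -WhatIf. Assumptions: the rotateBitLockerKeys action is called on the beta endpoint through Invoke-MgGraphRequest (so the URI is visible rather than hidden in a typed cmdlet), and the three delegated scopes listed are what the Microsoft Graph Command Line Tools app needs consent for.

```powershell
<#
  Added example: bulk rotation of BitLocker recovery keys for the Windows devices
  in one or more Entra ID groups. Not the original Graph-RotateBLKey.ps1.
  Assumptions: Microsoft.Graph module installed; rotateBitLockerKeys is invoked on
  the beta endpoint; the signed-in user can consent to the scopes below.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Object ID(s) of the Entra ID group(s); copy from the group's Overview blade.
    [Parameter(Mandatory)]
    [string[]]$GroupId
)

# Least-privilege delegated scopes for this one task.
$scopes = @(
    'GroupMember.Read.All',                                   # enumerate group members
    'DeviceManagementManagedDevices.Read.All',                # map Entra device -> Intune device
    'DeviceManagementManagedDevices.PrivilegedOperations.All' # required by rotateBitLockerKeys
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$results = foreach ($gid in $GroupId) {
    # Members come back as directoryObjects. .Id is the directory *object* ID,
    # not the Entra device ID; the device ID is in AdditionalProperties['deviceId'].
    $members = Get-MgGroupMember -GroupId $gid -All

    foreach ($member in $members) {
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') {
            continue   # skip users, nested groups, service principals
        }
        $entraDeviceId = $member.AdditionalProperties['deviceId']
        $displayName   = $member.AdditionalProperties['displayName']

        # Join the Entra device ID to the Intune managed device record(s).
        $managed = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$entraDeviceId'" -All
        if (-not $managed) {
            [pscustomobject]@{ Group = $gid; Device = $displayName; EntraDeviceId = $entraDeviceId; IntuneDeviceId = $null; Result = 'NotEnrolledInIntune' }
            continue
        }

        # A device can have more than one managedDevice record (re-enrollments); handle each.
        foreach ($device in $managed) {
            if ($device.OperatingSystem -ne 'Windows') {
                [pscustomobject]@{ Group = $gid; Device = $displayName; EntraDeviceId = $entraDeviceId; IntuneDeviceId = $device.Id; Result = "Skipped ($($device.OperatingSystem))" }
                continue
            }

            $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.Id)/rotateBitLockerKeys"
            if ($PSCmdlet.ShouldProcess($displayName, 'rotateBitLockerKeys')) {
                try {
                    Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
                    $result = 'RotationQueued'   # Intune queues the action; it runs at the device's next check-in
                }
                catch {
                    $result = "Failed: $($_.Exception.Message)"
                }
            }
            else {
                $result = 'WhatIf'
            }
            [pscustomobject]@{ Group = $gid; Device = $displayName; EntraDeviceId = $entraDeviceId; IntuneDeviceId = $device.Id; Result = $result }
        }
    }
}

$results | Format-Table -AutoSize
```

Save it as a .ps1 and run it first with `-WhatIf` against one group ID to see exactly which devices would be touched; only then drop the switch. The `NotEnrolledInIntune` rows are worth a look, since a device that is in the Entra group but has no Intune record will never rotate no matter how many times the action is queued.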


Now let's run the script!


When you execute the script, you will be asked to authenticate. Log in with your credentials. You will then be asked to consent to the delegated permissions. Consent as needed. If you cannot consent, have an Entra ID admin add the permissions for you on the enterprise application in Entra ID. Once you have authenticated and consented and the script has executed, you should see something like this:




The rotation is queued as a device action: the device must be online and check in with Intune before the BitLocker recovery key is actually rotated and the new key is escrowed. When it completes, you will see this in the Intune console on the device record.
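If a device in the group never shows the rotation completing, the usual causes are the client-side prerequisites from the Plumbing section not being in place. The following is an added example (not from the original post) to run locally, elevated, on such a device. It assumes that the BitLocker CSP exposes ConfigureRecoveryPasswordRotation under the PolicyManager registry key and that the two escrow settings land in the FVE policy key as OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup; verify those paths in your tenant before trusting a failed check.

```powershell
<#
  Added example (not from the original post): client-side readiness check for
  BitLocker recovery password rotation on an Entra ID joined device.
  Assumptions: ConfigureRecoveryPasswordRotation is surfaced under the PolicyManager
  key, and the escrow settings land in the FVE policy key (verify in your tenant).
#>
#Requires -RunAsAdministrator

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'   # assumed CSP location
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                             # assumed escrow policy location

$join   = dsregcmd /status
$osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive
$build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$rotate = Get-PolicyValue $csp 'ConfigureRecoveryPasswordRotation'         # 0 off, 1 Entra joined, 2 Entra + hybrid

$checks = [ordered]@{
    'Windows 10 1909+ / Windows 11 (build >= 18363)' = $build -ge 18363
    'Entra ID joined (dsregcmd AzureAdJoined: YES)'   = ($join -match '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
    'Not domain joined (pure Entra join, as in this post)' = ($join -match '^\s*DomainJoined\s*:\s*NO').Count -gt 0
    'TPM present and ready'                            = (Get-Tpm).TpmReady
    'OS drive protection on'                           = $osVol.ProtectionStatus -eq 'On'
    'Recovery password protector present'              = $osVol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'
    'Client-driven rotation enabled (1 or 2)'          = $rotate -in 1, 2
    'Save recovery info to Entra ID'                   = (Get-PolicyValue $fve 'OSActiveDirectoryBackup') -eq 1
    'Require escrow before enabling BitLocker'         = (Get-PolicyValue $fve 'OSRequireActiveDirectoryBackup') -eq 1
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize

# Last successful escrow to Entra ID: event 845 in the BitLocker Management log.
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
                     -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) { "Last recovery key escrow: $($last.TimeCreated)" }
else       { 'No escrow event (845) found in the BitLocker Management log.' }
```

A device that passes every check but still shows no new escrow event after the rotation was queued has most likely not checked in yet; force a sync from Settings or from the Intune device record and re-run the script.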



If you click Recovery keys on the left, you will see that the key was rotated: the newly rotated key is listed first, and you can validate it by its escrow date, as seen in the screenshot below.
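The same validation can be done without the console, which matters once you are rotating whole groups and want a report rather than a screenshot per device. The following is an added example (not from the original post) that lists the recovery key metadata Entra ID holds for one device, newest first, and flags whether a key was escrowed after the time you ran the rotation. It assumes the BitLockerKey.ReadBasic.All delegated scope (this returns key metadata only, never the recovery password itself) and that you pass the Entra device ID, not the directory object ID.

```powershell
<#
  Added example (not from the original post): confirm a fresh recovery key was
  escrowed to Entra ID after rotation. Assumptions: BitLockerKey.ReadBasic.All
  scope (metadata only); $EntraDeviceId is the Entra *device* ID, not the object ID.
#>
param(
    [Parameter(Mandatory)][string]$EntraDeviceId,
    # When you ran the rotation; any key created after this is the rotated one.
    [Parameter(Mandatory)][datetime]$RotatedAfter
)

Connect-MgGraph -Scopes 'BitLockerKey.ReadBasic.All' -NoWelcome

# v1.0 endpoint; this resource supports filtering on deviceId.
$uri  = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$EntraDeviceId'"
$keys = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value |
          Sort-Object { [datetime]$_.createdDateTime } -Descending)

if ($keys.Count -eq 0) {
    Write-Warning "No escrowed keys found for device $EntraDeviceId"
    return
}

$cutoff = $RotatedAfter.ToUniversalTime()

$keys | ForEach-Object {
    $escrowed = ([datetime]$_.createdDateTime).ToUniversalTime()
    [pscustomobject]@{
        KeyId      = $_.id
        Volume     = $_.volumeType        # operatingSystemVolume / fixedDataVolume / removableDataVolume
        EscrowedAt = $escrowed
        Rotated    = $escrowed -gt $cutoff   # $true for keys created by this rotation
    }
} | Format-Table -AutoSize

$newest = ([datetime]$keys[0].createdDateTime).ToUniversalTime()
if ($newest -gt $cutoff) {
    "Rotation confirmed: newest key escrowed at $newest (UTC)"
}
else {
    Write-Warning "Newest key ($newest UTC) predates the rotation; the device may not have checked in yet."
}
```

Old keys remain listed after a rotation; that is expected, since the escrow history is append-only. What you are looking for is one new operatingSystemVolume entry with an escrow time later than when the action was queued.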



Conclusion


And that's it! You can now rotate BitLocker recovery keys in bulk, one Entra ID group at a time, as you wish!


I hope you enjoyed this blog! Please feel free to leave any comments below and if you have any issues, please let me know!


DISCLAIMER:


The expressions of this site are not in any way affiliated with Microsoft Corporation and are solely that of the site owner.  Any blogs with step-by-step instructions, provided scripts, or any other media are to be accepted AS-IS by the reader.  The blog authors accept no responsibility or liability for any actions or outcomes taken by the reader pursuant to implementing any script, performing any action, or following any of the step-by-step instructions provided in their environments.
