MBAM Server Migration To Microsoft Endpoint Manager


Dear IT Pros, 

Today we discuss about MBAM's Bitlocker data migration to MEM

Microsoft provides a range of flexible BitLocker management alternatives to meet  organization's needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Endpoint Manager.
  2. On-premises BitLocker management using System Center Configuration Manager
  3. Microsoft BitLocker Administration and Monitoring (MBAM) ended support on 7/9/2019, extended support 4/14/2026.

In order to future proof the Bitlocker Management and simplify the administration, some corporates have planned to migrate MBAM data directly from MBAM servers to Microsoft Endpoint Manager. The key point of the migration is that, making sure the amount number of keys listed by MBAM Server are the same as the ones listed by before the cut-off point of time in the migration process. I would suggest the a migration process included 5 steps.

Migration steps:

  1. Generate a list of Bitlocker keys in MBAM SQL Server
  2. Setup MEM Policy to escrow Bitlocker passwords to Azure AD Device Accounts.
  3. Generate a list of Bitlocker recovery keys by Graph API in Azure AD, also generate a list of devices failed to escrow their keys
  4. Compare list and make manually escrow of recovery keys to Azure AD
  5. Shutdown MBAM Server and decommission them.

Now we would look into the detail steps.

  1. Generate a list of Bitlocker recovery keys in MBAM SQL Server:
    • To backup the recovery keys by SQL:
      Open the SQL Management Studio, and Expand the MBAM_Recovery_and_Hardware database.
    •   Under Tables, Select RecoveryAndHardwareCore.Keys.
    •   Right-Click RecoveryAndHardwareCore.Keys, and Select Top 1000 Rows.


  •   This should create a query that will give you a list of all RevoveryKeyID's and RecoveryKey's in the Database.


You could modify the above query for more rows with SELECT TOP nnnnn instead of 1000 (rows)

2 Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.

2.1 Make 2 device groups: Bitlocker GPO devices and Bitlocker MEM devices

During the transition period, you will migrating batch by batch the devices from the “Bitlocker GPO    devices group” to the “Bitlocker MEM devices group”.

2.2 Manage BitLocker using Microsoft Endpoint Manager – Intune

In Microsoft Endpoint Manager admin center.

  • Select Endpoint security > Disk encryptionand then
  •  Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.


creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager

  • Next, enter the basics, such as the name of the policy and an optional description, then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings. Also notice the options offered for key rotation. This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.


Create an Endpoint Security profile in Microsoft Endpoint Manager

  • As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.


Configuring BitLocker settings in Microsoft Endpoint Manager

  • Finally, add Scope tags, assign the new policy to the “Bitlocker MEM devices” group, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings
    • Enable full disk encryption for OS and fixed data drives
    • Require storage cards to be (mobile only)
    • Hide Prompt about third-party encryption
    • Configure client-driven recovery password rotation
  • BitLocker – Fixed Drive Settings
    • BitLocker fixed drive policy
  • BitLocker – OS Drive Settings
  • BitLocker – Removable Drive Settings
    • BitLocker removable drive settings

2.2 For End Users To get the Bitlocker Recovery Key

Option 1, Using the Portal

  • Open the Azure AD resource object in the Management Portal

  • Go to the All Users object and search for the account associated to the device.
  • Click the user object name to view the profile properties.


              Go to the Devices object under the Manage heading.

  • Select the appropriate listed device.


If the device is registered with Bitlocker encryption, then the Bitlocker Key ID and Recovery Key will be visible.



  • Click the Copy to Clipboard button and paste the data to view the entire string.

Option 2, Using the Microsoft Endpoint Manager Portal

  • Open the
  • Go the Devices blade                    
  • Search for the appropriate target device
  • In the “Monitor” section, find and click on “Recovery keys”

Click the Copy to Clipboard button and paste the data to view the entire string.

   Option 3, Using the Company Portal website to get MacOS Recovery Key:

  • Sign into the Intune Company Portal website from any device.
  • In the portal, go to Devices and select the macOS device that is with FileVault.
  • Select Get recovery key. The current recovery key is displayed.

On an iPhone, you must select the three dots before the Get recovery key option appears.

  1. Generate a list of Bitlocker recovery keys by Graph API in Azure AD

3.1 Export list of recovery keys from Azure AD

  • The BitLocker Recovery Keys are stored in Azure AD, and there is Graph API (beta) to export the whole recovery keys by Graph Explorer
Method Return type Description
List recoveryKeys bitlockerRecoveryKey collection Get a list of the bitlockerRecoveryKey objects and

 their properties.

Get bitlockerRecoveryKey bitlockerRecoveryKey Retrieve the properties and relationships of a bitlockerRecoveryKey object.

Note: The key property is not returned by default.

3.2 Steps to get Bitlocker Recovery Password List

  • Sign into Graph Explorer as Global Admin or Intune Admin,

            Graph Explorer – Microsoft Graph


> Choose the permission to readBitlocker‘s properties as shown here: 


 >  In the search box: typingbitlockerto search forbitlockerpermissions 


          > Choose the permission to read Bitlocker ‘s properties as shown here:



       >  Sign-in,  

       >  Check the box “Consent on behalf of your Organization” 

       >  Make Query with the HTTP Graph beta and Header as shown here: 

                   GET, V1.0, 

                   Request headers:  Adding the keys 

                                   Ocp-client-name: anything (you could use your application API name registered                                                                    in Azure AD  

                                   Ocp-client-version: 1 

          >  Run Query


  • The current list of JSON is limited to 999 items. 
  • Copy the JSON list and make a csv file from the query result by convert tool, the tool could be powershell converter or your trusted online, converting JSON to csv Website. Please consider to use the online tool at your own risk.
  • Result shown only 7 records per page, you may want to click on next page to view the next 7 records
  • TanTran_1-1615225349157.pngAn Example of converting JSON to CSV file: 


3.3 To monitor the status of Bitlocker device: 

The Microsoft Intune encryption report is a centralized location to view details about a device's encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you're viewing. 

> Select Devices 

> Monitorand then  

under Configuration, selectEncryption report. 

  •   To View encryption details

The encryption report shows common details across the supported devices you manage. The following sections provide more details about the information that MEM presents in the report.

Encryption readiness Ready: The device can be by using MDM policy, which requires MacOS10.13 or later, Windows with TPM and  Enterprise version 1709 or Pro 1809
Not ready The device doesn't have full encryption capabilities, but may still support encryption.
Not applicable There isn't enough information to classify this device.
Encryption status Whether the OS drive is encrypted

When you select a device from the Encryption report, MEM displays the Device encryption status pane with the following detail:

A list of the Device configuration profiles that apply to this device·   

  •       macOS:    Profile type = Endpoint protectiono    Settings > FileVault > FileVault = Enable·        
  • Windows 10:  Profile type = Endpoint protectiono    Settings > Windows Encryption > Encrypt devices = Require 
Encryption readiness TPM status is ready for bitlocker encryption or not

(the device can still be manually encrypted. or through a MDM/Group Policy setting that can be set to allow encrypting without a TPM.)

Encryption status Whether the OS drive is encrypted. It can take up to 24 hours for MEM to report

For Windows devices, this field does not look at whether other drives, such as fixed drives, are encrypted

Status details This field displays information for each applicable error that can be detected. You can use this information to understand why a device might not be encryption ready:


·         The recovery key hasn't been retrieved and stored yet,

·         The user is deferring encryption or is currently in the process of encryption.

·         The device is already encrypted. Device user must decrypt the device to continue.

·         FileVault needs the user to approve their management profile in macOS Catalina and higher.

·         Unknown


·         The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard on the OS volume.

·         The encryption method of the OS volume doesn't match the BitLocker policy.

·         The policy BitLocker requires a TPM protector, or PIN, or Startup Key.

·         Recovery key backup failed.

·         A fixed drive is unprotected.

·         The encryption method of the fixed drive doesn't match the BitLocker policy.

·         To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.

·         Windows Recovery Environment (WinRE) isn't configured.

·         The TPM isn't ready for BitLocker.

·         The network isn't available.

3.4 To view list of Unencrypted devices:

We need to know if the Devices ever backup the recovery keys to Azure AD. Jos Lieben provided the script to generate a report about the devices who have not been escrowed the bitlocker recovery key to Azure AD.

Download the Get-bitlockerEscrowStatusForAzureADDevices.ps1script from Github

4. Compare list and make manually escrow of recovery keys to Azure AD

Use the Excel spreadsheet's comparing feature to make sure no discrepancy between the 2 files.

5. Shutdown MBAM Server and decommission them.

  • Correct any problem with the devices who are missing recovery passwords in Azure AD or MEM
  • Power off the MBAM Server for 2 months (optional),
  • Backup and Remove the MBAM Database.
  • Decommission the MBAM Servers.

I hope the information is useful for your migration plan and deployment.

Thanks for viewing and discussing this topic.


The sample scripts are not supported under any Microsoft standard support program or service. 
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all
implied warranties including, without limitation, any implied warranties of merchantability or of
fitness for a particular purpose. The entire risk arising out of the use or performance of the
sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or
anyone else involved in the creation, production, or delivery of the scripts be liable for any
damages whatsoever (including, without limitation, damages for loss of business profits,
business interruption, loss of business information, or other pecuniary loss) arising out of
the use of or inability to use the sample scripts or documentation, even if Microsoft has been
advised of the possibility of such damages.


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.