How to rotate BitLocker keys with Microsoft Graph PowerShell

BitLocker keys stored in Microsoft Entra and managed with Microsoft Intune can be rotated without any physical interaction with the end device. The Intune admin center also makes the process simple: the administrator only has to press a single button to rotate the key for a single device. Unfortunately, there is no way to bulk rotate keys from the Intune portal.

In this article, I will show you how to rotate BitLocker keys in Microsoft Intune using Microsoft Graph PowerShell.

Requirements

To rotate BitLocker keys in Microsoft Intune, you must have the Intune Administrator role assigned if you are using the Microsoft Intune admin portal. 

If you need to programmatically rotate BitLocker keys using Microsoft Graph, you also need the DeviceManagementManagedDevices.ReadWrite.All permission consented by a Global Administrator, and the Beta Microsoft Graph PowerShell SDK installed. For bulk rotating BitLocker keys, you will also need consent for the DeviceManagementConfiguration.Read.All permission, which is required to read the encryption status of each device.

Rotate BitLocker for a single device

To rotate a BitLocker key for a single device, use the example below and assign the Intune device ID of the target device to the $Id variable.

Connect-MgGraph -Scopes DeviceManagementManagedDevices.ReadWrite.All

$Id = "DEVICE ID HERE"

Invoke-MgGraphRequest `
-Method POST `
-Uri "beta/deviceManagement/managedDevices('$Id')/rotateBitLockerKeys"

Rotate BitLocker for all devices

To rotate the BitLocker keys for all devices in your organisation, you will first get all devices that are encrypted, then within the pipeline, invoke the BitLocker key rotation device action.

Connect-MgGraph -Scopes DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.Read.All

Get-MgBetaDeviceManagementManagedDeviceEncryptionState -All -Filter "encryptionState eq 'encrypted'" | ForEach-Object {
    Invoke-MgGraphRequest `
    -Method POST `
    -Uri "beta/deviceManagement/managedDevices('$($_.id)')/rotateBitLockerKeys"
}
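The one-liner above stops at the first device that rejects the action and gives no record of which devices were actually queued. The following function is an added example, not code from the original article: it wraps the same rotateBitLockerKeys call, supports -WhatIf so the target list can be reviewed before anything is sent, and returns one result object per device with any error captured. The function name, parameter name and output property names are this example's own choices.

```powershell
# Added example (not from the original article): a reusable wrapper around the
# rotateBitLockerKeys action that supports -WhatIf, records per-device success
# or failure, and returns results as objects instead of stopping on the first
# error. Function and parameter names are this example's own choices.
function Invoke-IntuneBitLockerKeyRotation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # One or more Intune managed device IDs (GUIDs), for example piped in
        # from the encryption state report or read from a CSV of targets.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('id')]
        [string[]]$DeviceId
    )

    process {
        foreach ($current in $DeviceId) {
            $uri = "beta/deviceManagement/managedDevices('$current')/rotateBitLockerKeys"
            $result = [PSCustomObject]@{
                DeviceId  = $current
                Requested = $false
                Error     = $null
                Timestamp = (Get-Date).ToUniversalTime()
            }

            # -WhatIf prints the intended call without sending it, which lets an
            # administrator review the target list before a bulk rotation.
            if ($PSCmdlet.ShouldProcess($current, 'Rotate BitLocker recovery key')) {
                try {
                    Invoke-MgGraphRequest -Method POST -Uri $uri -ErrorAction Stop | Out-Null
                    $result.Requested = $true
                }
                catch {
                    # Typical causes: the device is not a Windows device, is not
                    # encrypted, or the caller lacks the ReadWrite.All permission.
                    $result.Error = $_.Exception.Message
                }
            }
            $result
        }
    }
}

# Usage: queue a rotation for every encrypted device and keep a log of failures.
Connect-MgGraph -Scopes DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.Read.All

$rotation = Get-MgBetaDeviceManagementManagedDeviceEncryptionState -All -Filter "encryptionState eq 'encrypted'" |
    Invoke-IntuneBitLockerKeyRotation

$rotation | Where-Object { -not $_.Requested } |
    Export-Csv -Path .\BitLockerRotationFailures.csv -NoTypeInformation
```

Running the pipeline with `Invoke-IntuneBitLockerKeyRotation -WhatIf` lists every device that would receive the action without sending a single request, which is the check worth doing before rotating keys across a whole tenant. The failures CSV gives the help desk a list of devices that still hold their old recovery key.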

View the BitLocker key rotation status

Once the job is queued on each device, the key will only be rotated when the device next checks in with Microsoft Intune, which could be a while if the device is currently offline. To view the status of the request, log in to the Intune admin center and follow the steps below:

  1. Select Devices > Windows.
  2. Select your target device.
  3. View the status of the BitLocker key rotation action under Device action status.
BitLocker key rotation device action

To get a full report of the device action status for all devices, follow the steps below to view the device action report from the Intune admin center:

  1. Select Devices > Monitor.
  2. Select Device Action.
Device action report Intune

A similar report can also be created using Microsoft Graph PowerShell:

$Report = [System.Collections.Generic.List[Object]]::new()

Get-MgBetaDeviceManagementManagedDeviceEncryptionState -All -Filter "encryptionState eq 'encrypted'" | ForEach-Object {
    # Read the device name and the results of every remote action issued to it
    $results = Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/managedDevices('$($_.id)')?`$select=deviceName,deviceActionResults"
    $obj = [PSCustomObject][ordered]@{
        "DisplayName" = $results.deviceName
        "DeviceAction" = $results.deviceActionResults.actionName
        "ActionState" = $results.deviceActionResults.actionState
        "Last updated" = $results.deviceActionResults.lastUpdatedDateTime
    }
    $Report.Add($obj)
}

$Report | Format-Table
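Because deviceActionResults is a collection, a device that has had several remote actions (a sync, a restart, a key rotation) produces one row with several values in each column, which makes the report hard to filter. The following script is an added example, not code from the original article: it emits one row per action, keeps only the BitLocker rotation action, and summarises the rows by state. The exact actionName string that Intune records for this action is not confirmed here, so the filter uses a wildcard that is an assumption; the function and property names are this example's own.

```powershell
# Added example (not from the original article): a per-action report of
# BitLocker key rotation results. Each entry in deviceActionResults becomes its
# own row, and rows are filtered to the rotation action. The wildcard match on
# the action name is an assumption about the string Intune records.
function Get-BitLockerRotationReport {
    param(
        # Wildcard pattern for the action name (assumption; adjust if needed).
        [string]$ActionNamePattern = '*BitLocker*'
    )

    Get-MgBetaDeviceManagementManagedDeviceEncryptionState -All -Filter "encryptionState eq 'encrypted'" |
        ForEach-Object {
            $deviceId = $_.Id
            $uri = "beta/deviceManagement/managedDevices('$deviceId')?`$select=deviceName,deviceActionResults"
            $device = Invoke-MgGraphRequest -Method GET -Uri $uri

            # @() guards against a device with zero or exactly one action result
            foreach ($action in @($device.deviceActionResults)) {
                if ($action.actionName -notlike $ActionNamePattern) { continue }
                [PSCustomObject]@{
                    DeviceName  = $device.deviceName
                    DeviceId    = $deviceId
                    Action      = $action.actionName
                    State       = $action.actionState
                    StartedAt   = $action.startDateTime
                    LastUpdated = $action.lastUpdatedDateTime
                }
            }
        }
}

Connect-MgGraph -Scopes DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.Read.All
$report = Get-BitLockerRotationReport

# Count of actions per state; 'pending' means the device has not checked in yet
$report | Group-Object State | Select-Object Name, Count

# Devices whose rotation has not completed, for follow-up with the device owner
$report | Where-Object { $_.State -ne 'done' } |
    Export-Csv -Path .\BitLockerRotationPending.csv -NoTypeInformation
```

The state summary is the number to watch after a bulk rotation: a large pending count a few days later usually means offline or stale devices, and those are the ones whose old recovery key is still the live one.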
Device action status report

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
