Is there any mechanism with Intune or MDM policies to make sure keys are not reused?
@Jeff-Jerousek I'm not sure I follow. Do you mean the recovery key?
MBAM regenerates the recovery key after it's used. Does the key regenerate in Azure AD after it's used, or does it stay the same?
@ericmatenaer @Jeff-Jerousek Thanks for the help. I shared with a SME who says no, the key stays the same. Azure AD doesn't have the key rotation feature.
@Jeff-Jerousek @ericmatenaer I am passing along another suggestion from a SME here at Microsoft, and he said he will try to forward the specific event, so I'll add that after he sends it:
In Windows 10 there is an event fired if the PC is started using the recovery key.
With that event fired you can build your own solution to get the key changed after being used.
It is not the same as with MBAM where reading the key from DB is enough for the system to get it recreated, but more than nothing.
On a DC there can be an event logged for accessing the key which can then be used to trigger the client to change the key.
But that is not trivial to solve as this is a very generic event that needs to be filtered and this event occurs very often.
So there ARE possibilities to build your own solution.
But it is correct that AD never forgets a recovery key and therefore you may sometimes have a lot of keys stored for one PC.
Every key takes about 2 KB of data.
@Jeff-Jerousek @ericmatenaer Here is the follow up info from our SME Marcus:
We can offer to "build" something a bit like what MBAM is able to perform.
From Windows 8 on (an earlier version was not available to me to test with), in the System log of an up-and-running OS an event with ID 24652 from source Bitlocker-Driver is fired in case a system got started using the recovery screen.
The solution to change a used recovery key can be fulfilled by following these steps.
```powershell
# Pick the first volume that has a recovery password protector
$drive = Get-BitLockerVolume |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } |
    Select-Object -First 1
# Take that volume's first recovery password protector
$key = $drive | Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
# Escrow the selected protector to the directory the PC is joined to
Backup-BitLockerKeyProtector -MountPoint $drive.MountPoint -KeyProtectorId $key.KeyProtectorId
```
This script should write a new key directly to what the PC is joined to.
One necessary point to be sure about.
Without the GPO in place that allows the PC to save its recovery key to AD, the script will tell you every time it was successful, but does nothing.
In case the last line of generating and storing the key in AD/AAD is NOT successful, please change the PowerShell command to this statement:
```powershell
# -adbackup escrows to on-premises AD; use -aadbackup for Azure AD (Windows 10 only)
manage-bde -protectors -adbackup $drive.MountPoint -id $key.KeyProtectorId
```
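The following is an added example, not code from the thread or from Microsoft, that wires the two pieces the SME describes together: it looks for event ID 24652 in the System log since the last boot and, only if the volume was unlocked via the recovery screen, adds a fresh recovery password, escrows it, and then removes the used one. The full provider name `Microsoft-Windows-BitLocker-Driver`, the `$EscrowTarget` parameter and the ordering of the steps are assumptions of this example; the page only names the source and the event ID.

```powershell
# Added example (not from the thread): rotate the BitLocker recovery password
# only when the System log shows the machine was started via the recovery
# screen since the last boot (event 24652, as the SME describes).
# Run elevated on a Windows 10 client.
# Assumptions: the provider name 'Microsoft-Windows-BitLocker-Driver' and the
# $EscrowTarget switch are ours; the page only names the source and the ID.
param(
    [ValidateSet('AD', 'AAD')]
    [string]$EscrowTarget = 'AAD'
)

$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Look for the "started using the recovery screen" event since the last boot.
$recoveryEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-BitLocker-Driver'
    Id           = 24652
    StartTime    = $lastBoot
} -ErrorAction SilentlyContinue

if (-not $recoveryEvents) {
    Write-Output 'No recovery-screen unlock since last boot; nothing to rotate.'
    return
}

foreach ($volume in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $oldProtectors = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $oldProtectors) { continue }

    # 1. Add a fresh recovery password protector first, so the volume is never
    #    left without one if a later step fails.
    $newProtector = (Add-BitLockerKeyProtector -MountPoint $volume.MountPoint `
        -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Where-Object { $oldProtectors.KeyProtectorId -notcontains $_.KeyProtectorId }

    # 2. Escrow the new protector. Without the GPO/MDM policy that permits
    #    backup, these cmdlets report success but store nothing.
    if ($EscrowTarget -eq 'AAD') {
        BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
            -KeyProtectorId $newProtector.KeyProtectorId
    } else {
        Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
            -KeyProtectorId $newProtector.KeyProtectorId
    }

    # 3. Only now remove the used protector(s), so the old key stops working.
    foreach ($old in $oldProtectors) {
        Remove-BitLockerKeyProtector -MountPoint $volume.MountPoint `
            -KeyProtectorId $old.KeyProtectorId
    }
    Write-Output "Rotated recovery password on $($volume.MountPoint): $($newProtector.KeyProtectorId)"
}
```

The add-then-escrow-then-remove order is deliberate: if escrow fails halfway, the volume still has a recovery password and the old one can be cleaned up on the next run. As the SME notes, confirm the policy that allows recovery key backup to AD or Azure AD is actually applied, because the backup cmdlets do not fail when it is missing; checking the new key ID in the directory afterwards is the only real verification.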
In the meantime BitLocker key rotation is available if Windows 10 version 1909 is used. Here an article to see it in action: https://www.scconfigmgr.com/2019/11/20/enable-bitlocker-key-rotation-for-intune-managed-devices/