The BitLocker key rotation remote action in Microsoft Intune lets IT admins remotely refresh the recovery key for the operating system drive on BitLocker-encrypted Windows devices. This helps reduce the risk of unauthorized access if a recovery key has been used or potentially exposed.
Key rotation is especially useful in environments where devices are frequently serviced, reassigned, or exposed to support scenarios. For example, if a helpdesk technician shares a recovery key during a support call, you can rotate the key from Intune to ensure it can't be reused.
Requirements
Platform requirements
This remote action supports the following platforms:
- Windows
Role and permission requirements
To run this remote action, use an account with at least one of the following roles:
- Help Desk Operator
- Endpoint Security Manager
- Custom role that includes:
  - The permission Remote tasks/Rotate BitLockerKeys
  - Permissions that provide visibility into and access to managed devices in Intune (for example, Organization/Read, Managed devices/Read)
How to rotate the BitLocker key from the Intune admin center
- In the Microsoft Intune admin center, select Devices > All devices.
- From the devices list, select a device.
- At the top of the device overview pane, find the row of remote action icons. Select BitLocker key rotation.
- Select Yes to confirm the action.
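The same action can be triggered outside the admin center through the Microsoft Graph rotateBitLockerKeys action listed under Reference links, which is useful when a helpdesk process needs to rotate keys in bulk after a support call. The following PowerShell script is an added example and is not code from the Intune documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, uses the beta Graph endpoint, and requires the signed-in account to hold one of the roles above (or the equivalent Graph permission scopes requested below); the device name is a placeholder.

```powershell
# Added example (not from the Intune documentation): queue a BitLocker
# recovery key rotation for one managed Windows device via the Graph
# rotateBitLockerKeys action instead of clicking through the admin center.
# Assumptions: Microsoft.Graph PowerShell SDK installed; beta endpoint;
# account holds an Intune role with the Remote tasks/Rotate BitLockerKeys
# permission (mapped to the Graph scopes requested below).

param(
    [Parameter(Mandatory = $true)]
    [string]$DeviceName   # placeholder, e.g. "LAPTOP-EXAMPLE-01"
)

# One scope to look up managed devices, one for privileged remote actions
# such as key rotation.
$scopes = @(
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"
)
Connect-MgGraph -Scopes $scopes

function Get-IntuneDeviceByName {
    param([string]$Name)
    # Double any single quote so an unusual device name cannot break the
    # OData filter expression.
    $safeName = $Name.Replace("'", "''")
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=deviceName eq '$safeName'"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    return $result.value
}

function Invoke-BitLockerKeyRotation {
    param([string]$ManagedDeviceId)
    # POST to the rotateBitLockerKeys action. A success response with no
    # body means the action was queued; the device rotates the recovery
    # password and escrows the new key at its next check-in.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId/rotateBitLockerKeys"
    Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
}

$devices = @(Get-IntuneDeviceByName -Name $DeviceName)
if ($devices.Count -eq 0) {
    throw "No managed device named '$DeviceName' was found."
}
if ($devices.Count -gt 1) {
    # Device names are not guaranteed unique; refuse to guess which one.
    throw "Device name '$DeviceName' matches $($devices.Count) devices; look the device up by id instead."
}

$device = $devices[0]
# The remote action supports Windows only (see Platform requirements).
if ($device.operatingSystem -ne "Windows") {
    throw "BitLocker key rotation is supported on Windows only; '$DeviceName' runs $($device.operatingSystem)."
}

Invoke-BitLockerKeyRotation -ManagedDeviceId $device.id
Write-Output "Rotation queued for $DeviceName (id $($device.id)). Confirm a new key appears under the device's Recovery keys in Intune after its next check-in."
```

Rotation is asynchronous: the Graph call only queues the action, and the new recovery password is escrowed when the device next syncs, so a process that shared a key during a support call should treat the old key as valid until the new one is visible in the device's Recovery keys pane. On the device itself, `(Get-BitLockerVolume -MountPoint C:).KeyProtector` lists the current protectors, and a changed KeyProtectorId on the RecoveryPassword entry confirms the rotation took effect locally.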
Reference links
- Configuration service provider (CSP) used to initiate the remote action: BitLocker CSP
- Microsoft Graph API: rotateBitLockerKeys action
- BitLocker overview