BitLocker - Next Steps


In light of the massive CrowdStrike outage on July 19th, I noticed significant chatter about BitLocker and suggestions being thrown around to just export the recovery keys to Excel or dump them into a plain-text file.

My eye twitched a bit writing this next sentence…

I think it goes without saying, please do not do that.

Now, with a crisis on our hands, I absolutely understand the knee-jerk of just needing to get our users up and running as quickly as possible.

If you did export those keys, now what?

Rotate them!

BitLocker Key Rotation

Why rotate your BitLocker keys?

Quite a few reasons, but the biggest one is that a recovery key is a secret, and during the outage it stopped being treated like one. If your entire IT team was busy getting users up and running, was likely unprepared for the sheer number of users needing BitLocker keys, and/or was not aware of the self-service options available to users, then keys were exported to spreadsheets, pasted into tickets and read out to whoever asked. Any key that left the escrow store that way has to be treated as exposed, which makes the confidentiality of those keys questionable, at best.

How to rotate? ‧₊˚🖇️✩ ₊˚🎧⊹ ♡

If you're in the camp of having already exported your BitLocker keys, Daniel Bradley's blog post How to Rotate BitLocker keys with Microsoft Graph PowerShell has one of the most straightforward methods to batch rotate all keys for devices that have their keys escrowed in Entra. Rotation has the device generate a new recovery password, escrow it in Entra and retire the old one, so whatever is sitting in that spreadsheet stops unlocking anything. Two caveats: the device has to be Intune-managed with client-driven recovery password rotation enabled in its BitLocker policy, or the Graph action does nothing, and it has to come online to process the request, so confirm rotation by looking for a fresh createdDateTime on the escrowed key rather than assuming the POST succeeded.

Dude, where are my BitLocker keys?

What if you don't know whether your devices' BitLocker keys are in Entra at all? A device with no escrowed key can't be rotated from Graph, and the helpdesk can't recover it either, so find those first.

Nicholaj wrote a great post about this exact scenario back in 2021: Get Intune devices with missing BitLocker keys in Azure AD


Note: to use this method today, you'll want to update these two lines of his PowerShell script:


Line 175:

$TokenExpireMins = ([datetime]$Headers["ExpiresOn"].ToUniversalTime() - $UTCDateTime).Minutes

Line 335:

$BitLockerRecoveryKeys = Invoke-MSGraphOperation -Get -APIVersion "v1.0" -Resource "informationprotection/bitlocker/recoveryKeys?`$select=id,createdDateTime,deviceId" -Headers $AuthenticationHeader -Verbose:$VerbosePreference
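Putting the two pieces above together (the Graph-driven rotation Daniel describes and Nicholaj's missing-key check), here is an added example of my own rather than either of their scripts. It uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against the same v1.0 recoveryKeys endpoint shown in the note above, joins escrowed keys to Intune-managed Windows devices on azureADDeviceId, writes the devices with no key in Entra to a CSV, and requests rotation on the rest through the beta rotateBitLockerKeys action. The permission scopes, the output file names and the assumption that you run it as an Intune administrator are mine:

```powershell
# Added example, not Nicholaj's or Daniel's script. Assumes the Microsoft.Graph SDK is
# installed and the signed-in account is an Intune administrator.
# Scopes assumed: list devices, list key *metadata* (not the keys), trigger rotation.
$scopes = @(
    'DeviceManagementManagedDevices.Read.All'
    'BitLockerKey.ReadBasic.All'
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)
Connect-MgGraph -Scopes $scopes

# Follow @odata.nextLink so a large tenant is not silently truncated at one page.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = [System.Collections.Generic.List[object]]::new()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($page.value) { $items.AddRange([object[]]$page.value) }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# 1. Windows devices managed by Intune. azureADDeviceId is the join key to the escrow store.
$devices = Get-GraphCollection -Uri ("https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
    "?`$filter=operatingSystem eq 'Windows'&`$select=id,deviceName,azureADDeviceId")

# 2. Escrowed recovery-key metadata. $select deliberately omits 'key': reading the key
#    itself needs a different permission and writes an audit event per key read.
$keys = Get-GraphCollection -Uri ("https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" +
    "?`$select=id,createdDateTime,deviceId")
$keyedDevices = @{}          # PowerShell hashtables are case-insensitive, which suits GUID strings
foreach ($k in $keys) { if ($k.deviceId) { $keyedDevices[$k.deviceId] = $true } }

# 3. Split the fleet: devices with a key in Entra vs. devices with none.
#    The [string] cast turns a null azureADDeviceId into '' instead of throwing in ContainsKey.
$missing  = @($devices | Where-Object { -not $keyedDevices.ContainsKey([string]$_.azureADDeviceId) })
$escrowed = @($devices | Where-Object { $keyedDevices.ContainsKey([string]$_.azureADDeviceId) })

$missing | Select-Object deviceName, azureADDeviceId |
    Export-Csv -Path .\bitlocker-missing-keys.csv -NoTypeInformation
Write-Host "$($missing.Count) device(s) have no recovery key escrowed in Entra (bitlocker-missing-keys.csv)"

# 4. Request rotation on every device that does have a key. This is the beta
#    rotateBitLockerKeys action. It is asynchronous: the device must check in and must have
#    client-driven recovery password rotation enabled in its BitLocker policy, so verify
#    later by re-listing recoveryKeys and looking for a newer createdDateTime per device.
$failed = @(foreach ($d in $escrowed) {
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($d.id)/rotateBitLockerKeys"
    try {
        Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
        Write-Verbose "Rotation requested for $($d.deviceName)"
    } catch {
        [pscustomobject]@{ deviceName = $d.deviceName; error = $_.Exception.Message }
    }
})
$failed | Export-Csv -Path .\bitlocker-rotate-failed.csv -NoTypeInformation
Write-Host "Rotation requested on $($escrowed.Count - $failed.Count) device(s); $($failed.Count) request(s) failed"
```

The missing-keys CSV is the list to chase with a client-side backup (BackupToAAD-BitLockerKeyProtector on the device) before those devices can be rotated at all; the rotation itself only does something on devices that are online and already policy-enabled for client-driven rotation, which is why the script records request failures separately and leaves confirmation to a later re-read of createdDateTime.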

Rotation Options

▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

Schedule rotation! ‧₊˚🖇️✩ ₊˚🎧⊹

Rotate keys monthly? Don't mind if I do!

Steve's video How to automatically rotate your BitLocker recovery keys every 30 days covers using Intune remediations and Azure Automation to rotate BitLocker keys on a 30-day schedule.
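For the remediation side, here is an added example of a local rotation routine, written for this post and not taken from Steve's video. It rotates in the only safe order: add a new recovery password protector, escrow it to Entra, and only then remove the old ones, so a failed escrow never leaves the device without a recoverable key. It also never writes the recovery password itself to output, because Intune collects remediation script output and a recovery password in a script log is exactly the kind of leak the rotation is meant to undo. The registry marker path under HKLM:\SOFTWARE\Contoso and the 30-day threshold are my assumptions; the BitLocker cmdlets are the built-in ones.

```powershell
# Added example in the shape of an Intune remediation script. Not Steve's script.
# Assumptions: runs as SYSTEM on an Entra-joined or hybrid-joined device whose OS volume
# is already encrypted; built-in BitLocker PowerShell module; marker path is a placeholder.
$MountPoint = 'C:'
$MarkerPath = 'HKLM:\SOFTWARE\Contoso\BitLockerRotation'   # assumed location, pick your own
$MaxAgeDays = 30

# Detection half: $true ("rotation due") when the last recorded rotation is older than
# $MaxAgeDays or was never recorded. A detection script would exit 1 when this is $true.
function Test-RotationDue {
    $last = (Get-ItemProperty -Path $MarkerPath -Name LastRotationUtc -ErrorAction SilentlyContinue).LastRotationUtc
    if (-not $last) { return $true }
    $lastUtc = [datetime]::Parse($last, $null, [System.Globalization.DateTimeStyles]::RoundtripKind)
    return ((Get-Date).ToUniversalTime() - $lastUtc).TotalDays -ge $MaxAgeDays
}

# Remediation half: add a fresh recovery password, escrow it, and only then drop the old ones.
function Invoke-RecoveryPasswordRotation {
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "Protection is not on for $MountPoint; refusing to touch key protectors"
    }
    $oldIds = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    # Add the new protector. Keep only its ID; the RecoveryPassword property is never read or logged.
    $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($updated.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Where-Object KeyProtectorId -notin $oldIds).KeyProtectorId

    # Escrow first. If this fails, remove the unescrowed protector and keep the old ones,
    # so the device stays recoverable with whatever Entra already holds.
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction Stop | Out-Null
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null
        throw "Escrow to Entra failed; new protector removed, old protectors kept: $($_.Exception.Message)"
    }

    # Now the old recovery passwords (the ones that may have been exported) stop working.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    New-Item -Path $MarkerPath -Force | Out-Null
    Set-ItemProperty -Path $MarkerPath -Name LastRotationUtc -Value ((Get-Date).ToUniversalTime().ToString('o'))
    Write-Output "Rotated $($oldIds.Count) recovery password protector(s) on $MountPoint; new protector $newId escrowed"
}

try {
    Invoke-RecoveryPasswordRotation
    exit 0
} catch {
    Write-Output $_.Exception.Message   # message only, never a protector's password
    exit 1
}
```

Deployed as an Intune remediation pair, the detection script is the three constants plus Test-RotationDue followed by `if (Test-RotationDue) { exit 1 } else { exit 0 }`, and the remediation script is the rest, both run in the SYSTEM context. This rotates locally instead of going through the MDM client-driven rotation path; where your BitLocker policy already has client-driven rotation turned on, the Graph action is the lighter-weight route and this script is the fallback for devices that never got that policy.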

 

Client-driven rotation ✩ ♬ ₊˚.✩

Oliver wrote a fantastic post Enable BitLocker Key Rotation for Intune managed devices going over all of the mechanisms at play during client-driven Bitlocker key rotation. Highly recommend reading!

 
 

Closing thoughts

Thank you to the fantastic community that stepped up!

Given all of the conversation that I’m seeing online about this massive outage, I can’t thank enough all of the IT teams that immediately jumped into action to get the world up and running again, and the members of the community that contributed deeply helpful solutions to sort out the various states of BitLocker compliance that many found themselves in.

┊˚➶ 。˚ ☁
