aRookie088 asked aRookie088 commented

Bitlocker Key Rotation

Suppose I have a BitLocker policy in Intune and recovery password rotation is turned on for both Azure AD-joined and hybrid-joined devices. Now let's say a workstation was triggered into recovery mode, and the user was able to grab the key from https://myaccount.microsoft.com and successfully booted into Windows. Before BitLocker was able to upload a new recovery key to Azure AD, the workstation died and had to reboot. It boots back into recovery mode.
Now, will recovery mode still accept the old recovery key? If so, why? To my understanding, the key is one-time use only. Or does it need the new recovery key that BitLocker generated before it died and rebooted? As mentioned, this was not uploaded to Azure AD; does that mean we won't be able to recover his drive?

Any insights on this will be great.

Thanks

windows-10-security

TeemoTang-MSFT answered aRookie088 commented

A failed upload doesn't influence the usage of the new BitLocker recovery key.
Once BitLocker generates a new recovery key after re-encryption, the new key must take the place of the old key; the old recovery key cannot unlock/decrypt the current BitLocker volume.
About your concern, "BitLocker Key Rotation", it is another concept.
Key rotation allows admins to use a single-use key (via the Help Desk) for unlocking a BitLocker-encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises in the ConfigMgr database.
This helps to prevent a rogue Help Desk user from trying to decrypt the contents of a BitLockered computer without permission, because once the recovery key is given to the user via the Help Desk, it is then rotated on the client and the new recovery key and recovery key ID are transferred to the server, and therefore the old recovery key becomes useless.

Source:
https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-expands-bitlocker-management-capabilities-for-the/ba-p/544329


HI TeemoTang, thank you again.

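The answer above describes rotation as "hand out the current recovery password, then generate a new one and escrow it." The following PowerShell is an added illustration, not code from this thread or from Microsoft: it enumerates the RecoveryPassword protectors on the OS volume, escrows them to Azure AD with the built-in BitLocker cmdlets, and performs a manual rotation in the order add, escrow, remove, so that the failure mode in the question (a new key that exists on the client but was never uploaded) cannot occur. It assumes an elevated session on a Windows 10 device that is Azure AD-joined or hybrid-joined and has the BitLocker PowerShell module; the mount point `C:` and the function names are the example's own choices.

```powershell
# Added example (not from the thread or from Microsoft). Assumes: run as
# Administrator on an Azure AD-joined or hybrid-joined Windows 10 device with
# the BitLocker PowerShell module available. 'C:' is an assumed mount point.

$MountPoint = 'C:'

function Get-RecoveryPasswordProtectors {
    param([string]$Volume = $MountPoint)
    $bde = Get-BitLockerVolume -MountPoint $Volume
    # Only RecoveryPassword protectors are the 48-digit keys a help desk hands
    # out. TPM / TPMPin protectors unlock normally and are not escrowed.
    $bde.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Backup-RecoveryPasswordsToAzureAD {
    param([string]$Volume = $MountPoint)
    foreach ($kp in Get-RecoveryPasswordProtectors -Volume $Volume) {
        # Azure AD stores the password under its protector ID; that ID is what the
        # myaccount.microsoft.com page shows next to each key.
        BackupToAAD-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $kp.KeyProtectorId
        Write-Host ("Escrowed recovery password protector {0} to Azure AD" -f $kp.KeyProtectorId)
    }
}

# Manual rotation in the safe order: add a fresh recovery password, escrow it,
# and only then remove the old one. If escrow fails, the new protector is
# discarded and the old (already escrowed) one stays valid.
function Invoke-ManualRecoveryPasswordRotation {
    param([string]$Volume = $MountPoint)
    $old = @(Get-RecoveryPasswordProtectors -Volume $Volume)
    $after = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Where-Object { $old.KeyProtectorId -notcontains $_.KeyProtectorId }
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop
    } catch {
        # Escrow failed: never leave the device with a key nobody can look up.
        Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $new.KeyProtectorId
        throw "Escrow to Azure AD failed; kept the existing recovery password. $_"
    }
    foreach ($kp in $old) {
        Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $kp.KeyProtectorId
    }
    $new   # the protector whose 48-digit password is now the only valid one
}

# Usage: inspect, escrow what is there, then rotate.
Get-RecoveryPasswordProtectors | Format-Table KeyProtectorId, KeyProtectorType
Backup-RecoveryPasswordsToAzureAD
Invoke-ManualRecoveryPasswordRotation | Format-Table KeyProtectorId
```

The ordering is the whole point: a recovery password is just one key protector on the volume, and an old protector keeps working until it is removed, so removing it before the replacement is escrowed is what creates an unrecoverable device. After running this, `Get-BitLockerVolume -MountPoint C:` (or `manage-bde -protectors -get C:`) should list exactly one RecoveryPassword protector, and its ID should match the entry shown for the device in Azure AD.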
TeemoTang-MSFT answered TeemoTang-MSFT edited

The BitLocker recovery key was generated when we enabled BitLocker; a BitLocker recovery key can be saved in multiple places, such as AD DS, a Microsoft account, another drive or a printed file.
The BitLocker recovery key is not once-only use; it can be used for recovery mode repeatedly, unless the user decrypts the drive and re-encrypts it. Because re-encrypting the drive with BitLocker will generate a new recovery key, the old one will be useless.
Therefore, as long as we don't decrypt the current drive, the BitLocker recovery key which was generated when we enabled BitLocker will always be usable.

More information here:
BitLocker recovery guide (Windows 10) - Microsoft 365 Security | Microsoft Docs
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan





Thank you @TeemoTang-MSFT. Then how does BitLocker Key Rotation work? With this setting, what if the workstation fails to upload the new recovery key to Azure AD after a recovery incident? Will the new key take precedence over the old key? Or will the new key not be activated until and unless it is stored in Azure AD?

Thanks
