Why protecting BitLocker Recovery key retrieval is so important..

-

Majority of organizations will allow end users to retrieve the BitLocker recovery key through self service. While this certainly eases the manageability and cuts down on support calls, the question to ask here is whether it is secure or not. To answer that, let me play out a scenario first.

Let's say a bad actor has got access to a company device and is able to initiate a reboot into advance startup. Now a device that is encrypted with BitLocker protection, will be presented with the screen to enter the recovery key. At this stage one can retrieve the recovery key either through self service portal like https://account.microsoft.com/devices/recoverykey or reach out to service desk. Now what if the attacker has been successful in stealing the credentials of the owner of the device? In the absence of necessary security policies in place, the attacker can retrieve the recovery key from https://account.microsoft.com/devices/recoverykey, or even Entra admin portals by themselves if allowed. Once recovery key is entered, the device can easily be booted into advance startup and the attacker can tamper with the configuration on the device like disabling the Defender components which will not be possible in full OS mode when managed and has Tamper protection enabled. How do I know this? Because I was able to carry out this exact scenario on a test machine and it made me re-evaluate the need for BitLocker key retrieval process in general. 

To give some more context, my test device lost connectivity to internet due to rouge Defender FW policies. Not being able to fix this in full OS mode, I circumvented the problem by booting into advanced startup and disabling the Defender components to check if that gets the device back on the internet, which it eventually did and I was then able to fix the issue by applying correct set of policies using Intune.

Now that we have established the context, let's look at the various ways through which one can implement controls around the retrieval of the BitLocker recovery key.

Self-service Recovery

This is the most used method of retrieving the BitLocker recovery key and also the most vulnerable option in my opinion. The ability to retrieve is controlled through a setting under Entra -> Devices -> Device Settings 'Restrict users from recovering the BitLocker key(s) for their owned devices' as shown below -


When set to 'No', the user can access the recovery key.


When set to 'Yes' (Recommended) will then disallow the end user from retrieving the recovery key themselves.


Retrieving through Admin Portal by non-administrators

While Admin portals are meant to be used by administrators assigned with relevant Entra roles, to eliminate the possibility of non-admin users being able to access admin portals, consider implementing a Conditional Access policy to control the access. Here are the steps -

1. Navigate to Microsoft Entra admin center > Protection > Conditional Access.
2. Select Create new policy.
3. Give the policy a name.
4. Under Assignments, select Users or workload identities.
5. Under Include, select All users and exclude all 66 Admin Directory roles. Note: If you manage Entra roles through PIM, then you may have to exclude the administrator user accounts directly otherwise they may not be able to access the PIM portal to activate the Entra role in the first place. Also consider using break-glass accounts to ensure you don't get locked out of the tenant.


6. Under Target resources, select Microsoft Admin Portals.


7. Under Grant controls, select Block access.


Now when a non-admin user tries to access admin portals to retrieve the BitLocker recovery key, their access will be blocked.


Restrictions on retrieval by Administrators

When Microsoft announced last year the ability to create custom roles using permissions for device based objects and managing devices through administrative unit, it extended the possibilities even further for device management at a granular level.

In relation to imposing restrictions on retrieving BitLocker recovery keys by Administrators, we are going to achieve this through a combination of a custom role in Entra with only BitLocker key read permissions, and a dynamic Administrative Unit.

Create Entra ID Security Group

An Entra ID group will need to be created which will support Entra role assignments.

1. Under All groups in Entra admin center, create a new group.
2. Make sure to select 'Yes' against Microsoft Entra roles can be assigned to the group.


Create a custom role

1. To create a custom role using device permissions, go to Roles and admins under Entra, then select New Custom Role and give a name.

2. Select only the BitLocker permissions for this role


Add Administrative Unit

1. Navigate to Admin Units under Entra ID, click Add and give a name.



2. Hit review & create.
3.Once the AU created, open the properties to configure the dynamic device query. You can set it to pull in devices based on specific department or region for management at a granular level. For all intent and purposes, I am just pulling my lab devices.

After the evaluation is done, devices should get added dynamically as members.


Add Assignments for Roles & administrators

1. Assign the custom BitLocker role to the Entra ID group created earlier.

2. Make the assignment type as Eligible.



Now when an admin tries to access the admin portal to retrieve the BitLocker keys for the devices targeted under the AU, the information will not be visible unless the custom Entra role is activated.


You can see that BitLocker keys (Preview) is not visible.


After the Entra role is activated, BitLocker keys will be visible for the device in scope of the AU under the option BitLocker keys (Preview).



Final thoughts..

When it comes to maintaining high security posture, there is no secret formula or a single-solution-fits-all kind of configuration. What organizations should be looking at is how best they can secure the environment by adopting different combinations of settings. While self service retrieval for BitLocker recovery key may sound like an efficient use of service desk calls, it is not ideal and I feel the retrieval process should be confined to only vetted\selected individuals\teams in the organization.

Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more