How does Key Rotation work in the BitLocker Managment feature in ConfigMgr

[anyweb]

Introduction

Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here, those updates included Self Service and Help Desk abilities.

In a previous blog post you looked at the Self Service feature for end users and then you looked at the Help Desk feature. But what happens on the client and in the database once the recovery key has been disclosed (via the  Help Desk)? The Recovery Key and Recovery Key ID will rotate.

Note: Disclosing the Recovery Key using Self Service does not cause the key to rotate.

What is Key Rotation

Key rotation allows admins to use a single-use key (via the  Help Desk) for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises in the ConfigMgr Database.

Source – https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

The helps to prevent a rogue Help Desk user from trying to decrypt contents of the computer without permission because once the key is used by the user, it’s rotated and therefore useless.

 

Key Rotation

If you look in SQL with the following query, you can view the recently used recovery key id’s and associated recovery key’s and whether they were disclosed or not via the Disclosed column. Change the CM_P01 to match your own ConfigMgr database name.

/****** Script for SelectTopNRows command from SSMS ******/
SELECT TOP 1000 [Id]
,[LastUpdateTime]
,[RecoveryKeyId]
,[RecoveryKey]
,[Disclosed]
FROM [CM_P01].[dbo].[RecoveryAndHardwareCore_Keys]

 

Once the key has been disclosed, the MBAM agent on the client computer will force it to rotate, and you can see the new recovery id and recovery password on the host below.

 

And that is mirrored in SQL.

 

And you can reveal that change on the client itself via Event Viewer, in the MBAM Operational logs, look for event ID 30.

 

Note: The recovery key will also rotate on devices already encrypted using Bitlocker if they are added to a collection that has Bitlocker Management policies deployed to it. For more information about that see this post.

Related reading

• https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/
• https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
• https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
• On-premises BitLocker management using System Center Configuration Manager
• How can I get BitLocker Recovery Keys from the ConfigMgr database
• How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
• https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329