Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.

SNAGHTML1d8570c5

If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.

image

Select All Devices.

image

Select the PC in question from the list.

image

Now select the Recovery keys option.

image

On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.

image

If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.

image

Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.

image

If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.

image

If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

https://account.activedirectory.windowsazure.com

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.

How I protect my parents using Microsoft 365

boy-car-child-1266014

I’m sure there are many of us out there that continue to provide free unpaid support for our family members. Well, many it isn’t so much free, as a ‘barter’ arrangement in that every time I’m on site I get fed. That type of compensation may of course vary in your particular situation but many IT Pros are expected to support our own family as they use technology. That can be extremely challenging if you don’t do it right. Thanks to the tools available in the Microsoft Cloud, you can quite easily!

One of the benefit of doing security right for your family is that it is going to drastically reduce the amount of support calls you receive. So here’s some of the stuff I do:

1. Everyone has Microsoft 365 Business

This one license ensures that they have commercial grade email and the latest version of Office on their desktops. It ensures that they have both Safe Links and Safe Attachments for their mailboxes to protect against inbound malware and viruses.

2. Everyone runs the latest version of Windows 10 Professional on their desktop

Windows Home has lots of limitations and does not allow connection to Azure AD. Thus, all machines are Windows 10 Professional and all machines update automatically.

3. All machines are joined to Azure AD

I don’t want to have a traditional on premises domain controller to manage these Window 10 machine. By joining all the Windows 10 Professional workstations directly to Azure AD I get the management, security and control that I want all from the cloud.

4. All machines have Intune compliance and configuration policies applied

image

Thanks to Intune, which is part of Microsoft 365 Business, at a glance I can ensure all the machines, including my own, are compliant and configured appropriately.

5. All machines only use Windows Defender as their AV

Windows Defender is the best solution for AV in my experience. I can manage many settings thanks to Intune, although I would like some more I would admit, but I have never had an viruses or malware issues wince ditching third party AV providers a number of years ago. I am considering potentially upgrading to Windows Defender ATP but it is probably not worth the investment given the other steps I am already taking.

6. All machines are covered by Azure AD Premium P1

Azure AD Premium P1 is an add on to Microsoft 365 Business but has a number of very, very handy security features that I use to keep everyone safe.

7. Conditional access is limiting access to devices via IP address

One of the features that Azure AD Premium P1 provides is the ability to set conditional access policies. I have restricted access to my parents logins to be ONLY available on two unique IP addresses, theirs and mine. This means that if they were phished and gave up their logins a remote user would be prevented from logging in thanks to these conditional access policies as they are not connecting from these allowed IP addresses.

In my own personal cases, I also use conditional access policies but I have them set a little broader, typically limited to allowing access just from Australia. If I travel, I need to temporarily adjust the policy to accommodate where I’ll be and then set it back to just Australia when I return.

8. All POP and IMAP access has been disabled to all mailboxes

image

The most common way that random bad actors on the Internet are trying to gain access to accounts is using IMAP and POP3 as you can see from a recent log above. Conversely, all Microsoft 365 mailboxes have both POP3 and IMAP enabled for all mailboxes by default unfortunately. No user needs to access mail via old protocols and thus it is disabled across the tenant.

9. Basic authentication has been disabled on the tenant

Because I have modern devices and software connecting to my information, as I have said before:

Disable basic auth to improve Office 365 security

‘nuff said.

10. All accounts have Multi Factor enabled

All accounts have the requirement for MFA on them. Now, my parents don’t have smart phones or devices other than their PC’s, so how do they access their accounts using MFA? Well, they actually don’t! See item 11 as to how I achieve this.

11. Trusted IPs have been enabled

Once again, thanks to magic of Azure AD Premium P1, I am able to implement Trusted IPs. This means that when a login request comes from a configured Trusted IP the user will not be prompted for MFA even if the account requires it. Thus, thanks to the locations I have already set up with Conditional Access I can also use these same IP addresses to configure Trusted IPs for my parents logins. This means, that their accounts ARE protected by MFA but since they are always logging in from a single IP address that is now trusted, they WON’T be asked for MFA. This, makes it easy on them and hard on the bad guys.

12. I have Office 365 Cloud App Discovery

Again, thanks to the wonders of Azure AD P1 I have Cloud App Discovery which enables me a far more granular logging of events in my tenant. I can see exactly what my parents are actually doing.

I’ve talked about the benefits of Cloud App Security before:

A great security add on for Microsoft 365

and recommend you have it.

13. All machines use password-less Windows Hello logins

All the machines are using Windows Hello, either biometric or a PIN to access the machines. No complex passwords to remember, just a simple PIN number or just sitting in front of the machine now gives my parents access to their desktops. It couldn’t be easier and yet secure.

There are a lot more actions I take on my production tenant to ensure it is secure but the above items are the ones that most affect and protect my parents and their information. As you can see, via the implementation of Microsoft Cloud technologies I have made it both super secure and super easy for them. In most cases they don’t even realise what I’ve done, and that’s the way it should be.

Now, if I can do this for my parents, why are you not doing the same for your business users? Eh?