Bitlocker key rotation with Power Apps and Power Automate

I’m feeling extra inspired this month so I’m publishing another post. If you missed the previous post about barcode scanning it can be found here: https://uem4all.com/2021/04/05/membarcodescanpowerapps/

The topic for this post is rotating Bitlocker keys, either for a single device or in bulk. This is an ask we receive quite often, and it can already be initiated programmatically through Microsoft Graph; here we take it a step further by using Power Apps and Power Automate to rotate Bitlocker keys.

Let’s get started!

Requirements

  • Microsoft Intune
  • Microsoft Graph
  • Microsoft Power Apps (optional)
  • Microsoft Power Automate

Service Desk Power App update (based on previous post)

I published a service desk Power App back in September 2020; for details please visit: MEM custom service desk portal with Power Apps and Power Automate – Mobility, Management, & Security (uem4all.com)

I updated it with a Bitlocker key rotation feature where it calls a new Power Automate flow to rotate the Bitlocker key for a selected device.

The flow to rotate the Bitlocker key for a selected device is extremely simple. The trigger is PowerApps and the HTTP call uses the device ID attribute from the selected device in the Service Desk Power App.

Reference the previous blog post on how to build the Service Desk app in Power Apps and add the “Rotate Bitlocker key” element to the app as shown below:

For the OnSelect property for the circular arrow add the following:

Set(DeviceID,Gallery3.Selected.id);'Rotatebicklockerkey-servicedesk'.Run(DeviceID)

Bulk Bitlocker key rotation or on a schedule

To rotate Bitlocker keys for devices in bulk, create the following Power Automate flow.

For the trigger, use a manual trigger, or a recurrence trigger if you’d like to schedule Bitlocker key rotations.

We then need to query only Windows devices using an HTTP action. Add the following to the URI:

https://graph.microsoft.com/v1.0/devicemanagement/manageddevices?$select=deviceName,id,operatingSystem&$filter=startsWith(operatingSystem,'Windows')

To rotate the Bitlocker keys, use the value array from the Parse JSON action and cycle through each device with an Apply to each containing an HTTP action. Set the HTTP action’s method to POST and use the following for the URI:

https://graph.microsoft.com/beta/deviceManagement/managedDevices/@{items('Apply_to_each')?['id']}/rotateBitLockerKeys

Note: “id” is the device ID of the current item from the Parse JSON action.
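The same bulk procedure as a script against Microsoft Graph, added here as an example and not part of the original post. It lists Windows managed devices with the $select/$filter above, then POSTs rotateBitLockerKeys for each one; unlike a single Apply to each over one response, it follows @odata.nextLink so devices beyond the first page are rotated too. The `send` transport is an assumption of this example (swap in `graph_send` with a real bearer token), and `fake_send` is constructed sample data so the script runs offline.

```python
# Added example, not from the original post: the bulk flow above as a script
# against Microsoft Graph. Unlike a single "Apply to each" over one response,
# it follows @odata.nextLink so devices beyond the first page are rotated too.
import json
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"
LIST_URI = (GRAPH_V1 + "/deviceManagement/managedDevices"
            "?$select=deviceName,id,operatingSystem"
            "&$filter=startsWith(operatingSystem,'Windows')")

def graph_send(method, url, token):
    """Real transport: one Graph call -> (HTTP status, parsed JSON or None)."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)

def list_windows_devices(send, token):
    """Yield (id, deviceName) for every Windows managed device, all pages."""
    url = LIST_URI
    while url:
        status, body = send("GET", url, token)
        if status != 200:
            raise RuntimeError("device listing failed: HTTP %d" % status)
        for dev in body.get("value", []):
            yield dev["id"], dev.get("deviceName", "")
        url = body.get("@odata.nextLink")  # missing on the last page

def rotate_bitlocker_keys(send, token):
    """POST rotateBitLockerKeys per device; return {device id: HTTP status}."""
    results = {}
    for dev_id, _name in list_windows_devices(send, token):
        uri = "%s/deviceManagement/managedDevices/%s/rotateBitLockerKeys" % (
            GRAPH_BETA, dev_id)
        results[dev_id] = send("POST", uri, token)[0]  # 204 No Content on success
    return results

def fake_send(method, url, token):
    """Constructed offline transport: two listing pages, then 204 on each POST."""
    if method == "POST":
        return 204, None
    if "$skiptoken" in url:  # second (last) page
        return 200, {"value": [{"id": "dev-3", "deviceName": "PC-03"}]}
    return 200, {"value": [{"id": "dev-1", "deviceName": "PC-01"},
                           {"id": "dev-2", "deviceName": "PC-02"}],
                 "@odata.nextLink": LIST_URI + "&$skiptoken=page2"}
```

Running `rotate_bitlocker_keys(fake_send, "constructed-token")` returns a 204 for all three constructed devices, including the one on the second page.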

Conclusion

That’s it! We updated the service desk Power App with an action to rotate the Bitlocker key for a particular device and walked through Bitlocker key rotation in bulk utilizing Power Automate.

For the month of May we’ll dive into Power Automate Desktop (PAD) and do some creative things, stay tuned!

Appendix

Bitlocker key management FAQ: BitLocker Key Management FAQ (Windows 10) – Microsoft 365 Security | Microsoft Docs

Author: Courtenay Bernier

Courtenay is a technology professional with expertise in aligning traditional software and cloud services to strategic business initiatives. He has over 20 years of experience in the technology field as well as industry experience working with distribution centers, call centers, manufacturing, retail, restaurant, software development, engineering, and consulting. I am a Principal PM on the Microsoft Endpoint Management Engineering Team, all posts, opinions, statements are my own.
