
Commit ae0b5cf

authored
Merge pull request KelvinTegelaar#1675 from kris6673/issue4806
Feat: New standard to control BitLocker key recovery for owned devices
2 parents 91cdf53 + 695c91f commit ae0b5cf


1 file changed

+101
-0
lines changed

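--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,101 @@
+function Invoke-CIPPStandardBitLockerKeysForOwnedDevice {
+<#
+.FUNCTIONALITY
+Internal
+.COMPONENT
+(APIName) BitLockerKeysForOwnedDevice
+.SYNOPSIS
+(Label) Restrict users from recovering BitLocker keys for owned devices
+.DESCRIPTION
+(Helptext) Controls whether standard users can recover BitLocker keys for devices they own via Microsoft 365 portals.
+(DocsDescription) Updates the default user role setting that governs access to BitLocker recovery keys for owned devices. This allows administrators to either permit self-service recovery or require helpdesk involvement through Microsoft Entra authorization policies.
+.NOTES
+CAT
+Entra (AAD) Standards
+TAG
+"NIST CSF 2.0 (PR.AA-05)"
+EXECUTIVETEXT
+Ensures administrators retain control over BitLocker recovery secrets when required, while still allowing flexibility to enable self-service recovery when business needs demand it.
+ADDEDCOMPONENT
+{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select state","name":"standards.BitLockerKeysForOwnedDevice.state","options":[{"label":"Restrict","value":"restrict"},{"label":"Allow","value":"allow"}]}
+IMPACT
+Medium Impact
+ADDEDDATE
+2025-10-12
+POWERSHELLEQUIVALENT
+Update-MgBetaPolicyAuthorizationPolicy
+RECOMMENDEDBY
+"CIPP"
+UPDATECOMMENTBLOCK
+Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+.LINK
+https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+#>
+
+param($Tenant, $Settings)
+##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'BitLockerKeysForOwnedDevice'
+
+$StateValue = $Settings.state.value ?? $Settings.state
+if ([string]::IsNullOrWhiteSpace($StateValue)) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'BitLockerKeysForOwnedDevice: Invalid state parameter set.' -sev Error
+return
+}
+
+switch ($StateValue.ToLowerInvariant()) {
+'restrict' { $DesiredValue = $false; $DesiredLabel = 'restricted'; break }
+'allow' { $DesiredValue = $true; $DesiredLabel = 'allowed'; break }
+default {
+Write-LogMessage -API 'Standards' -tenant $tenant -message "BitLockerKeysForOwnedDevice: Unsupported state value '$StateValue'." -sev Error
+return
+}
+}
+
+try {
+$CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the BitLockerKeysForOwnedDevice state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+return
+}
+$CurrentValue = [bool]$CurrentState.defaultUserRolePermissions.allowedToReadBitLockerKeysForOwnedDevice
+$StateIsCorrect = ($CurrentValue -eq $DesiredValue)
+
+if ($Settings.remediate -eq $true) {
+if ($StateIsCorrect -eq $true) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Users are already $DesiredLabel from recovering BitLocker keys for their owned devices." -sev Info
+} else {
+try {
+$BodyObject = @{ defaultUserRolePermissions = @{ allowedToReadBitLockerKeysForOwnedDevice = $DesiredValue } }
+$BodyJson = $BodyObject | ConvertTo-Json -Depth 4 -Compress
+$null = New-GraphPOSTRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $BodyJson
+$ActionMessage = if ($DesiredValue) { 'Allowed users to recover BitLocker keys for their owned devices.' } else { 'Restricted users from recovering BitLocker keys for their owned devices.' }
+Write-LogMessage -API 'Standards' -tenant $tenant -message $ActionMessage -sev Info
+
+
+# Update current state variables to reflect the change immediately if running remediate and report/alert together
+$CurrentState.defaultUserRolePermissions.allowedToReadBitLockerKeysForOwnedDevice = $DesiredValue
+$CurrentValue = $DesiredValue
+$StateIsCorrect = $true
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $StateValue users to recover BitLocker keys for their owned devices: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+}
+}
+}
+
+if ($Settings.alert -eq $true) {
+if ($StateIsCorrect -eq $true) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Users are $DesiredLabel to recover BitLocker keys for their owned devices as configured." -sev Info
+} else {
+$CurrentLabel = if ($CurrentValue) { 'allowed' } else { 'restricted' }
+$AlertMessage = "Users are $CurrentLabel to recover BitLocker keys for their owned devices but should be $DesiredLabel."
+Write-StandardsAlert -message $AlertMessage -object $CurrentState -tenant $tenant -standardName 'BitLockerKeysForOwnedDevice' -standardId $Settings.standardId
+Write-LogMessage -API 'Standards' -tenant $tenant -message $AlertMessage -sev Info
+}
+}
+
+if ($Settings.report -eq $true) {
+Set-CIPPStandardsCompareField -FieldName 'standards.BitLockerKeysForOwnedDevice' -FieldValue $StateIsCorrect -Tenant $tenant
+Add-CIPPBPAField -FieldName 'BitLockerKeysForOwnedDevice' -FieldValue $CurrentValue -StoreAs bool -Tenant $tenant
+}
+}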
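Review bot: The `[bool]` cast on line 60 turns a missing or null `allowedToReadBitLockerKeysForOwnedDevice` property into `$false`, so a response that does not carry the setting at all is reported as "restricted", marks the standard compliant for the `restrict` state, and suppresses both remediation and the alert; that is a silent fail-to-compliant for a control over BitLocker recovery secrets. I would read the property into a variable first and treat null as an error, e.g. `$RawValue = $CurrentState.defaultUserRolePermissions.allowedToReadBitLockerKeysForOwnedDevice`, `if ($null -eq $RawValue) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'BitLockerKeysForOwnedDevice: allowedToReadBitLockerKeysForOwnedDevice not present in authorizationPolicy response.' -sev Error; return }`, `$CurrentValue = [bool]$RawValue`. Separately, the log messages on lines 65, 81 and 88 interpolate `$DesiredLabel`/`$StateValue` into a fixed sentence, which yields "already allowed from recovering", "Failed to restrict users to recover" and "restricted to recover"; picking the full sentence per branch, as line 71 already does for `$ActionMessage`, would keep the audit log unambiguous.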
