How can I securely share BitLocker keys with users in my organization? Currently, our help desk just sends the keys via Teams chat, but I'm looking for a more secure method. We've got around 30,000 devices managed through Intune, and we're seeing an increase in calls for recovery keys, possibly due to a recent SecureBoot certificate update. One idea I had was to use expiring QR codes, but I'm not sure how safe that is. Am I overthinking this situation?
5 Answers
It’s a good practice to just rotate the key after the user successfully logs back in. Honestly, they probably write it down while you’re reading it out anyway, so better safe than sorry!
Right! I tell users upfront that it's a one-time key, so they’re aware.
You might want to think about setting up a BitLocker self-service recovery portal. It allows users to unlock their devices themselves without needing to contact support every time.
That could work, but if they’re using personal devices, it complicates things.
Consider using Bitwarden Send if you have a password manager that offers that feature. It's a more secure method and gives you visibility without relying on third-party sites.
You might be overthinking it a bit. Instead of complicating the sharing process, just share the key and change it later. Users often jot it down anyway, so rotating it right after they use it is a solid strategy.
Exactly! We always change it after they've recovered.
Honestly, just send the key through Teams or Slack and rotate it once the user is back online. It's straightforward and works.
Totally agree, rotating the key is key after it’s used!
Yeah, our remote monitoring system fetches the keys for us with no hassle.

Exactly, that’s the protocol we follow too—helps keep things secure.
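The "share it, then rotate it" approach several answers above recommend, as an added PowerShell example that is not from this thread or from Microsoft. It assumes it runs elevated on an Intune-enrolled device whose OS volume is C: and whose recovery password is escrowed to Entra ID; the function name is my own.

```powershell
# Added example, not from the thread. Assumes an elevated session on an Intune-joined
# Windows device where the OS volume is C: and recovery keys are escrowed to Entra ID.
function Invoke-BitLockerRecoveryKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:'
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; refusing to rotate."
    }

    # The 48-digit recovery password protectors are the keys the help desk read out,
    # so those are the ones that must be replaced once the user is back in.
    $oldProtectors = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $oldProtectors) {
        throw "No recovery password protector found on $MountPoint."
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Rotate BitLocker recovery password')) {
        # 1. Add a fresh recovery password first so the volume is never left without one.
        $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $newProtector = $after.KeyProtector | Where-Object {
            $_.KeyProtectorType -eq 'RecoveryPassword' -and
            $_.KeyProtectorId -notin $oldProtectors.KeyProtectorId
        }

        # 2. Escrow the new key to Entra ID so it is visible in Intune/Entra for the next call.
        #    Only after this succeeds is it safe to drop the old, now-disclosed key.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $newProtector.KeyProtectorId

        # 3. Remove the disclosed protector(s); whatever the user wrote down no longer works.
        foreach ($p in $oldProtectors) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId |
                Out-Null
        }
    }

    # Return only the protector ID, never the password itself, so the result is safe to log.
    return $newProtector.KeyProtectorId
}

Invoke-BitLockerRecoveryKeyRotation -MountPoint 'C:'
```

Intune also offers a "Rotate BitLocker keys" device action and a client-driven recovery password rotation policy that do the same thing centrally; a script like this is useful mainly for devices where that action has not yet run or for a remote monitoring tool to trigger right after the user signs back in.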