Rotate BitLockerKey

Skript Beschreibung

**Zusammenfassung**: Triggers BitLocker Key Rotation.

Forces the device to generate a new key and backup to Intune.
Requires 'DeviceManagementManagedDevices

Skript Infos

Autor Mattia Cirillo

Version 1.0

Sprache PowerShell

GitHub

62_Rotate-BitLockerKey.ps1

<#
.SYNOPSIS
    Triggers BitLocker Key Rotation.
    
.DESCRIPTION
    Forces the device to generate a new key and backup to Intune.
    Requires 'DeviceManagementManagedDevices.ReadWrite.All' permission.

.NOTES
    File Name: 62_Rotate-BitLockerKey.ps1
    Author: Mattia Cirillo
    Version: 1.0
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$DeviceName
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All"

$Device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
if ($Device) {
    # Check if Windows
    if ($Device.OperatingSystem -like "*Windows*") {
        # Action: WindowsDefenderUpdateSignatures also exists, but for BitLocker rotation:
        # Note: Graph API for direct rotation is specific or triggered via setting.
        # Often implemented via a custom command or script execution. 
        # Standard Intune action:
        # No direct 'Rotate-MgBitlocker' cmdlet in standard module yet, usually done via
        # Invoke-MgDeviceManagementManagedDeviceWindowDeviceProtectionState
        
        Write-Warning "BitLocker rotation trigger via Graph is limited. Initiating via pseudo-command if supported."
        # This is often done via 'windowDeviceMalwareState' or similar actions. 
        # Actually: 'rotateBitLockerKeys' action on the managedDevice.
        
        $Url = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($Device.Id)/rotateBitLockerKeys"
        Invoke-MgGraphRequest -Method POST -Uri $Url
        Write-Host "Rotation command sent." -ForegroundColor Green
    }
}