Forum Discussion
YellowKey BitLocker Exploit
Hi all,
I see MS have updated the post and provided a script.
Could someone please clarify the following:
- Does running the script mitigate / fix the vulnerability?
- Do we still need to set BitLocker PINs?
- Do we still need to set BIOS PINs?
- Do we still need to disable WinRE?
- What are the settings for deploying this script via PowerShell via Intune?
- Does anyone know how to compile an Intune remed script?
Info appreciated
Stuart
- RyanSteele-CoV, May 25, 2026, Steel Contributor
The script appears to perform the same tasks that were listed for manual remediation in the previous version of the article, so it should mitigate the vulnerability without having to set BitLocker PINs or disable WinRE.
The instructions for deploying a PowerShell script with Intune are here: Add PowerShell Scripts to Windows Devices in Microsoft Intune - Microsoft Intune | Microsoft Learn
- StuartK73, May 25, 2026, Steel Contributor
Thanks for that buddy.
Are we to just deploy this as a standalone PS script then and not as an Intune remediation detect and remed script?
SK
- Lucaraheller, May 28, 2026, MCT
You can deploy it as a standalone PowerShell script if you just want to apply the mitigation once.
However, if you want better control and visibility, I would use Intune Remediations instead:
Detection script: checks if the mitigation is already applied.
Remediation script: runs Microsoft’s mitigation script only when needed.
That way you can monitor which devices are remediated, which ones failed, and re-run the check if needed.
So, for a quick rollout, standalone PS is fine. For production and ongoing validation, I would prefer detect and remediate.
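As an added example (not code from this thread, from Microsoft, or from the Intune documentation), here is the detect/remediate pair described above, written to the Intune Remediations exit-code convention: the detection script exits 0 when compliant and 1 when the remediation should run. The registry marker key and the staged path of Microsoft's mitigation script are placeholders, since the thread gives neither; the marker only records that the script completed successfully, so swap in a check of the actual state the mitigation changes once that is known.

```powershell
# ---- Detect.ps1 (Intune Remediations: detection script) ----
# Exit 0 = compliant (no remediation needed), exit 1 = run the remediation script.
# Assumption: the remediation below tattoos a marker under this constructed key once
# Microsoft's script has run successfully; the marker proves the script ran, not that the state is correct.
$MarkerKey  = 'HKLM:\SOFTWARE\Contoso\Remediations\YellowKeyMitigation'   # placeholder path
$MarkerName = 'Applied'
try {
    $applied = (Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction Stop).$MarkerName
    if ($applied -eq 1) {
        Write-Output "Mitigation marker present; no action required."
        exit 0
    }
    Write-Output "Marker present but not set to 1; remediation required."
    exit 1
}
catch {
    # Key or value missing: the mitigation has never completed on this device.
    Write-Output "Mitigation marker not found; remediation required."
    exit 1
}

# ---- Remediate.ps1 (Intune Remediations: remediation script) ----
# Runs only on devices where detection exited 1. Assumption: Microsoft's mitigation script
# has been staged to the path below (e.g. by a Win32 app); the thread gives no download location.
$MitigationScript = 'C:\ProgramData\Contoso\YellowKeyMitigation.ps1'        # placeholder path
$MarkerKey        = 'HKLM:\SOFTWARE\Contoso\Remediations\YellowKeyMitigation'
$LogFile          = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\YellowKeyMitigation.log"
if (-not (Test-Path $MitigationScript)) {
    Write-Output "Mitigation script not found at $MitigationScript"
    exit 1   # non-zero exit surfaces as a remediation failure in the Intune report
}
# Run Microsoft's script in a child PowerShell so its own exit code is captured and logged.
$proc = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$MitigationScript`"") `
    -Wait -PassThru -WindowStyle Hidden
"$(Get-Date -Format o) mitigation exit code $($proc.ExitCode)" | Out-File -FilePath $LogFile -Append
if ($proc.ExitCode -ne 0) {
    Write-Output "Mitigation script failed with exit code $($proc.ExitCode)"
    exit 1
}
# Tattoo the marker only after a successful run so the next detection cycle reports compliant.
New-Item -Path $MarkerKey -Force | Out-Null
Set-ItemProperty -Path $MarkerKey -Name 'Applied' -Value 1 -Type DWord
Write-Output "Mitigation applied and marker written."
exit 0
```

Upload the two halves as separate detection and remediation scripts in the same remediation package, set to run in the system context and in 64-bit PowerShell so both see the same HKLM view.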