Forum Discussion

Steve Whitcher
Bronze Contributor
Aug 13, 2020

What admin role grants permission to view devices' BitLocker recovery keys?

Which of the standard admin roles is required to view BitLocker recovery keys for a device in Intune?
  • Moe_Kinani
    Bronze Contributor

    Hi Steve,

    One of those should do it!

    Global admins
    Intune Service Administrators
    Security Administrators
    Security Readers
    Helpdesk Admins

    Hope this helps!
    Moe

      • Steve Whitcher
        Bronze Contributor
        Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles; I was expecting it to be part of one of the Intune roles.

        FWIW, the Security Reader and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

        Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the BitLocker keys without everything else that goes with Cloud Device Administrator.
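An added example, not posted by anyone in this thread, that automates the role-description check Steve describes above: it reads the Azure AD directory role definitions through the Microsoft Graph PowerShell SDK and lists only the roles whose definition carries the BitLocker recovery key read action, ordered by how many other actions each role grants, so the least-privileged match stands out. It assumes the Microsoft.Graph module is installed and that `microsoft.directory/bitlockerKeys/key/read` is the gating action (that action name is an assumption; it does not appear on this page).

```powershell
# Added example: find which directory roles include the BitLocker key read action.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Identity.Governance

# Read-only scope is enough to inspect role definitions; no write permission is requested.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Assumed action name for reading BitLocker recovery keys from Azure AD / Intune.
$keyReadAction = "microsoft.directory/bitlockerKeys/key/read"

# Pull every role definition (built-in and custom) in the tenant.
$roles = Get-MgRoleManagementDirectoryRoleDefinition -All

$rolesWithKeyRead = foreach ($role in $roles) {
    # Flatten the allowed actions across all permission blocks of the role.
    $actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

    if ($actions -contains $keyReadAction) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            BuiltIn     = $role.IsBuiltIn
            # Total actions is a rough proxy for how much extra access the role carries.
            ActionCount = $actions.Count
        }
    }
}

# Smallest roles first: the top rows are the closest fit for a "keys only" helpdesk assignment.
$rolesWithKeyRead | Sort-Object ActionCount | Format-Table -AutoSize
```

Roles whose definition grants the action only through a wildcard (for example a whole `microsoft.directory/bitlockerKeys/*` entry) would not match the exact string compare, so treat an empty result as "check the wildcards" rather than "no role has it".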
  • Ken Rappold
    Brass Contributor

    Interesting that we have to use excessive permissions from AAD to allow access to BitLocker recovery keys. I don't think L1 needs to reset passwords when they only need to relay the key to a user when needed. However, the Helpdesk admin AAD role is the best we can do ATTM, it appears.

    In addition, the documentation Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."
    I cannot find it in the Encryption report.
    • ReneZimmermann
      Copper Contributor

      Ken Rappold, have you ever found a solution for that?

      I'm also trying to give our service desk guys the ability to retrieve BitLocker keys out of Intune (Endpoint Manager), but even after giving them almost all "Read" rights with a custom role, they still get an error as soon as they click on "Recovery keys".

      • Ken Rappold
        Brass Contributor

        ReneZimmermann - Not thus far and haven't escalated this more than what you see in these posts. I may escalate when/if time allows.

  • nathank99
    Copper Contributor
    I see this hasn't been updated in a while. Has anyone found a better way to get L1 access to keys without having to assign cloud device admin role?
    • Ken Rappold
      Brass Contributor

      nathank99, the only change of which I am aware is a private preview feature to provide RBAC for BitLocker keys in Endpoint Manager.

      • Joshua Bines
        Iron Contributor
        I've found the best way is for L1 to help the owner of the device access the recovery key and provide it to support. The users typically have access to the key but just need some handholding. The trouble is if the device is registered to another user or if they don't have access to another phone/computer, but that is typically rare.
  • miklknudsen
    Copper Contributor
    Really looking forward to having some better options for an RBAC role to view BitLocker keys here.