Forum Discussion
What admin role grants permission to view devices' BitLocker recovery keys?
Which of the standard admin roles is required to view BitLocker recovery keys for a device in Intune?
- Rudy_Ooms_MVP
Hi..
I came up with an alternative solution to this problem...
When you are interested you can find the blog on my website. (It still needs some work... but I decided to post it already.)
https://call4cloud.nl/2021/05/the-texas-chain-saw-bitlocker-remediations/
- Ken Rappold, Brass Contributor
Rudy_Ooms_MVP - Interesting. Thank you for sharing.
- Moe_Kinani, Bronze Contributor
Hi Steve,
One of those should do it!
Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins
Hope this helps!
Moe
- Steve Whitcher, Bronze Contributor
Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles; I was expecting it to be part of one of the Intune roles.
FWIW, the Security Reader and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.
Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the bitlocker keys without everything else that goes with Cloud Device Administrator.
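Added example, not from any post in this thread: the role question above can be answered against your own tenant instead of from the role descriptions, because the directory action that permits reading key material is named `microsoft.directory/bitlockerKeys/key/read` in every role definition. The script below uses the Microsoft Graph PowerShell SDK (assumed installed) to list the directory roles carrying that action, who is directly assigned to them, and how a holder of one of those roles retrieves a device's keys through Graph. The device name `LAPTOP-0001` is a placeholder. Graph permissions do not replace the role requirement: the signed-in account must still hold one of the roles the first function returns.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph modules
# (Authentication, Identity.Governance, Identity.DirectoryManagement,
# Identity.SignIns). Device name and scopes below are assumptions.

function Get-BitLockerKeyReaderRoles {
    # Directory action that allows reading the key itself. The separate
    # bitlockerKeys/metadata/read action only shows that a key exists.
    $keyReadAction = 'microsoft.directory/bitlockerKeys/key/read'
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.RolePermissions.AllowedResourceActions -contains $keyReadAction } |
        Select-Object DisplayName, Id, IsBuiltIn
}

function Get-BitLockerKeyReaderAssignments {
    # Direct (active) assignments only; PIM-eligible assignments are not
    # enumerated here and would need Get-MgRoleManagementDirectoryRoleEligibilitySchedule.
    foreach ($role in Get-BitLockerKeyReaderRoles) {
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
            -Filter "roleDefinitionId eq '$($role.Id)'"
        foreach ($a in $assignments) {
            $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
            [pscustomobject]@{
                Role        = $role.DisplayName
                Principal   = $principal.AdditionalProperties['displayName']
                PrincipalId = $a.PrincipalId
                Type        = $principal.AdditionalProperties['@odata.type']
                Scope       = $a.DirectoryScopeId   # '/' means the whole tenant
            }
        }
    }
}

function Get-DeviceBitLockerRecoveryKey {
    param([Parameter(Mandatory)][string] $DeviceName)

    # Recovery keys are filtered on the Entra ID / Azure AD 'deviceId' property,
    # not the directory object ID and not the Intune managed device ID.
    $devices = Get-MgDevice -Filter "displayName eq '$DeviceName'"
    if (-not $devices) { throw "No directory device named '$DeviceName'" }

    foreach ($d in $devices) {
        $keys = Get-MgInformationProtectionBitlockerRecoveryKey -All `
            -Filter "deviceId eq '$($d.DeviceId)'"
        foreach ($k in $keys) {
            # The list call returns metadata only. Key material comes back only
            # when a single key is requested by ID with $select=key, and each
            # such read is recorded in the directory audit log.
            $full = Get-MgInformationProtectionBitlockerRecoveryKey `
                -BitlockerRecoveryKeyId $k.Id -Property 'key'
            [pscustomobject]@{
                Device          = $d.DisplayName
                KeyId           = $k.Id          # matches the ID on the recovery screen
                VolumeType      = $k.VolumeType
                CreatedDateTime = $k.CreatedDateTime
                RecoveryKey     = $full.Key
            }
        }
    }
}

# Delegated sign-in. The account must already hold one of the roles returned
# by Get-BitLockerKeyReaderRoles; these Graph scopes alone grant nothing.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'BitLockerKey.Read.All'

Get-BitLockerKeyReaderRoles       | Format-Table
Get-BitLockerKeyReaderAssignments | Format-Table
Get-DeviceBitLockerRecoveryKey -DeviceName 'LAPTOP-0001' | Format-List   # assumed device name
```

The first two functions are what to run before handing a role to an L1 team: they show every role in the tenant that can read key material (custom roles included, once custom roles support that action) and who already holds them. The third function shows the two-step metadata-then-key retrieval the portal performs, which is why a "Read" custom role that lacks the key action can still list keys yet fail on the Recovery keys blade.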
- Ken Rappold, Brass Contributor
Interesting that we have to use excessive permissions from AAD to allow access to BitLocker recovery keys. I don't think L1 needs to reset passwords when they only need to relay the key to a user. However, the Helpdesk admin AAD role is the best we can do ATTM, it appears.
In addition, the documentation (Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs) says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report." I cannot find it in the Encryption report.
- ReneZimmermann, Copper Contributor
Ken Rappold Have you ever found a solution for that?
I'm also trying to give our service desk guys the ability to retrieve BitLocker keys out of Intune (Endpoint Manager), but even after giving almost all "Read" rights with a custom role, they still get an error as soon as they click on "Recovery keys".
- Ken Rappold, Brass Contributor
ReneZimmermann - Not thus far and haven't escalated this more than what you see in these posts. I may escalate when/if time allows.
- nathank99, Copper Contributor
I see this hasn't been updated in a while. Has anyone found a better way to get L1 access to keys without having to assign the Cloud Device Admin role?
- Ken Rappold, Brass Contributor
nathank99 The only change of which I am aware is a private preview feature to provide RBAC for BitLocker keys in Endpoint Manager.
- Joshua Bines, Iron Contributor
I've found the best way is for L1 to help the owner of the device access the recovery key and provide it to support. The users typically have access to the key but just need some handholding. The trouble is if the device is registered to another user or if they don't have access to another phone/computer, but that is typically rare.
- miklknudsen, Copper Contributor
Really looking forward to having some better options for an RBAC role to view BitLocker keys here.