Forum Discussion
Steve Whitcher
Aug 13, 2020 Bronze Contributor
What admin role grants permission to view devices' BitLocker recovery keys?
Which of the standard admin roles is required to view BitLocker recovery keys for a device in Intune?
Ken Rappold
Nov 05, 2020 Brass Contributor
Interesting that we have to use excessive permissions from AAD to allow access to BitLocker recovery keys. I don't think L1 needs to reset passwords, when they only need to relay the key to a user when needed. However, the Helpdesk admin AAD role is the best we can do ATTM, it appears.
In addition, the documentation at https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."
I cannot find it in the Encryption report.
- ReneZimmermann
Jan 27, 2021 Copper Contributor
Ken Rappold Have you ever found a solution for that?
I'm also trying to give our service desk guys the ability to retrieve BitLocker keys out of Intune (Endpoint Manager), but even after giving almost all "Read" rights with a custom role, they still get an error as soon as they click on "Recovery keys".
- Ken Rappold
Jan 27, 2021 Brass Contributor
ReneZimmermann - Not thus far, and I haven't escalated this more than what you see in these posts. I may escalate when/if time allows.
- Thijs Lecomte
Feb 01, 2021 Bronze Contributor
BitLocker keys are not a part of Intune, but of AAD. So you need an AAD role for them to see the keys. Helpdesk admin is one of the ways to do it.