
Audit Logs for Accessing BitLocker Keys escrowed to Azure AD

Andrew Matthews
Contributor

Escrowing BitLocker recovery keys to Azure AD is great functionality but I have been asked to find an audit trail when a user or administrator accesses the recovery keys. The IT Security function at an organization that I am working with is concerned that a malicious insider could misuse the recovery keys to decrypt drives. They want to track when a Recovery Key is viewed in Azure AD.

I conducted some experiments with administrator and end user accounts but I did not see any audit log entries in the Azure AD audit log.

Are audit log entries created for BitLocker Recovery Key escrow and where would I find the audit logs?
