By: Aasawari Navathe – Sr. Product Manager | Microsoft Intune
With the May (2405) service release of Microsoft Intune, users can now view the BitLocker recovery key of their Intune-enrolled Windows devices from the Intune Company Portal website. This lets users self-resolve when they're locked out of a machine and need the BitLocker recovery key, rather than contacting their helpdesk.
We're working to add the ability to view the BitLocker recovery key from the native Company Portal apps on other platforms such as Apple iOS/iPadOS and macOS. In the meantime, the Intune Company Portal website can be used from those platforms.
After opening the Intune Company Portal website, navigate to the Devices node, select the enrolled Windows device, and click "Get recovery key" under Device Encryption. If multiple recovery keys are found, click "Show recovery key" under the one whose key ID matches the ID shown on the locked device. The user can then enter this recovery key to complete the recovery process on the enrolled Windows device without reaching out to the helpdesk.
We heard customer feedback about the level of control IT admins need over this scenario within their organization. While Intune configures the policy that defines the escrow of BitLocker recovery keys, the keys themselves are stored in Entra ID. There are three capabilities within Entra ID that are helpful to use in conjunction with self-service BitLocker recovery key access for users.
The Entra ID device setting that restricts users from recovering the BitLocker key(s) for their owned devices determines whether users can self-service recovery of their BitLocker key(s). The default value is 'No', which allows all users to recover their BitLocker key(s). 'Yes' prevents non-admin users from seeing the BitLocker key(s) for their own devices, if any exist. Learn more: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center.
With a Conditional Access (CA) policy, you can restrict access to certain corporate resources when a device does not satisfy the "Require compliant device" setting. If this is set up in your organization and a device fails to meet the compliance requirements configured in the Intune compliance policy, that device cannot be used to access the BitLocker recovery key, because the recovery key is treated as a corporate resource whose access is controlled by CA.
In that case, the user sees an error like the one below, which suggests using a compliant device to access the recovery key.
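As an added example (not part of the original post, and not Intune's or the Company Portal's own code), the following Microsoft Graph PowerShell script shows the admin side of this scenario: confirming that a device actually has a recovery key escrowed in Entra ID before a user relies on self-service, and reviewing the Entra audit log to see who has read keys. It assumes the Microsoft Graph PowerShell SDK is installed and the caller has the BitLockerKey.ReadBasic.All and AuditLog.Read.All permissions; the device ID is a constructed placeholder, and the audit-log filter uses the category and activity names Entra ID records for recovery key reads.

```powershell
# Added example (not from the original post): verify that an enrolled Windows device
# has BitLocker recovery keys escrowed in Entra ID, and audit who has read them.
# Assumes the Microsoft Graph PowerShell SDK and the listed permissions;
# the device ID below is a constructed placeholder.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

# BitLockerKey.ReadBasic.All lists key metadata without exposing key material;
# AuditLog.Read.All is needed to read the Entra audit log.
Connect-MgGraph -Scopes 'BitLockerKey.ReadBasic.All', 'AuditLog.Read.All'

# Entra device ID (the deviceId property of the device object), not the Intune device ID.
$deviceId = '00000000-0000-0000-0000-000000000000'  # constructed placeholder

# 1. Confirm keys are escrowed for the device. Without an escrowed key, the user's
#    "Get recovery key" request in the Company Portal website has nothing to return.
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$deviceId'" -All
if (-not $keys) {
    Write-Warning "No BitLocker recovery key escrowed in Entra ID for device $deviceId; check the Intune encryption policy."
} else {
    # Only metadata is listed; the 'key' property is never selected, so no key material reaches the console.
    $keys | Select-Object Id, CreatedDateTime, VolumeType | Format-Table
}

# 2. Review who read BitLocker keys in the last 7 days. Self-service reads appear here
#    alongside helpdesk reads, so this is where to look for unexpected retrievals.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'KeyManagement' and activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since"
$reads = Get-MgAuditLogDirectoryAudit -Filter $filter -All
$reads | ForEach-Object {
    [pscustomobject]@{
        When   = $_.ActivityDateTime
        Actor  = $_.InitiatedBy.User.UserPrincipalName
        KeyId  = ($_.TargetResources | Select-Object -First 1).Id
        Result = $_.Result
    }
} | Sort-Object When -Descending | Format-Table
```

Run the first part when a user reports that "Get recovery key" shows nothing for their device; run the second part on a schedule, since a key read that is not followed by a recovery on the corresponding device is the event an admin most wants to notice.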
With the 2405 release, get started with this new capability for user self-service BitLocker recovery key access through the Intune Company Portal website!
Let us know your thoughts, or ask any questions, by leaving a comment below or reaching out to us on X @IntuneSuppTeam.