What admin role grans permission to view devices' bitlocker recovery keys?

Bronze Contributor

Which of the standard admin roles is required to view bitlocker recovery keys for a device in intune?  

 

 

22 Replies

Hi Steve,

One of those should do it!


Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe

Hi Steve,

One of those should do it!

Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe
Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles, I was expecting it to be part of one of the Intune roles.

FWIW, the Security Reades and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the bitlocker keys without everything else that goes with Cloud Device Administrator.

Interesting that we have to use excessive permissions from AAD to allow access to Bitlocker recovery keys. I don't think L1 needs to reset passwords, when they only need to relay the key to a user when needed. However, Helpdesk admin AAD role is the best we can do ATTM it appears.

 

In addition, the documentation

Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."
I cannot find it in the Encryption report.

@Ken Rappold Have you ever found a solution for that?

I'm also trying to give our service desk guys the ability to retrieve Bitlocker keys out of Intune (Endpoint Manager), but giving almost all "Read" rights with a custom role, they still get an error, as soon as they click on "Recovery keys".

@ReneZimmermann - Not thus far and haven't escalated this more than what you see in these posts. I may escalate when/if time allows.

Bitlocker keys are not a part of Intune, but of AAD. So you need an AAD role for them to see the keys. Helpdesk admin is one of the ways to do it

@Thijs Lecomte - Agree, but the documentation states "

... you can view and manage BitLocker recovery keys when you view the encryption report. ... "

My input here is the data in the report should be made available via an RBAC permission. At a minimum, the Help Desk Role should be able to view the report and bitlocker recovery keys within.

@Thijs Lecomte and overpermissioned when all we need is L1 to access BitLocker keys for users.

This is real pain.
especially when you have scopes separation in Endpoint Manager and you use RBAC to separate offices equipment.
Of course i cannot grant helpdesk admins on AAD.... that definitely not LEAST Privilege.
That AAD issue BTH. There is no possible to assign role to scope ... there is no scopes at all.

In order to fully solve this issue, we need to have devices support in AU with custom roles. Let's hope it's here sooner rather than later
They do have the helpdesk role available for AU but we just need to the ability to add the devices which will come in time i'm sure :)
Hi..

I came up with an alternative solution to this problem...
When you are interested you can find the blog on my website. (it still needs some work... but I decided to post it already)

https://call4cloud.nl/2021/05/the-texas-chain-saw-bitlocker-remediations/

@Rudy_Ooms_MVP - Interesting. Thank you for sharing.

I see this hasn't been updated in a while. Has anyone found a better way to get L1 access to keys without having to assign cloud device admin role?

@nathank99 The only change of which I am aware is a private preview feature to provide RBAC for BitLocker keys in Endpoint Manager.

I've found the best way is for L1 to help the owner of the device access the recovery key and provide it to support. The users typically have access to the key but just need some handholding. The trouble is if the device is registered to another user or if they don't have access to another phone/computer but that is typically a rare.