What admin role grants permission to view devices' bitlocker recovery keys?


Which of the standard admin roles is required to view bitlocker recovery keys for a device in intune?  
5 Replies

Hi Steve,

One of those should do it!


Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe

Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles, I was expecting it to be part of one of the Intune roles.

FWIW, the Security Readers and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the bitlocker keys without everything else that goes with Cloud Device Administrator.
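Since the answer above comes down to which directory role carries the key-read permission, here is an added example (my own, not code from the thread, from Steve or from Microsoft) that asks the tenant directly instead of reading role descriptions, and then lists the keys escrowed for one device without pulling the key material unless asked. It assumes the Microsoft.Graph PowerShell SDK is installed, that the action name `microsoft.directory/bitlockerKeys/key/read` is the one documented for Entra ID (AAD) built-in roles, and that the cmdlets take the SDK's standard `-Filter` / `-Property` parameters; the device ID in the usage section is a placeholder.

```powershell
# Added example, not code from the thread or from Microsoft. It (1) asks the
# tenant which directory roles actually carry the BitLocker-key read action
# instead of trusting a role description, and (2) lists the keys escrowed for
# one device without pulling the key material, fetching a single key on demand.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed; the action name
# 'microsoft.directory/bitlockerKeys/key/read' is the one documented for Entra
# ID roles; cmdlet parameter names follow the SDK's standard list/get pattern.

Import-Module Microsoft.Graph.Identity.Governance   # Get-MgRoleManagementDirectoryRoleDefinition
Import-Module Microsoft.Graph.Identity.SignIns      # Get-MgInformationProtectionBitlockerRecoveryKey

# Delegated Graph scopes are necessary but not sufficient: the signed-in account
# must also hold a directory role that carries the key-read action, which is
# exactly the point made in the thread above.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'BitLockerKey.Read.All' -NoWelcome

$KeyReadAction = 'microsoft.directory/bitlockerKeys/key/read'   # assumed documented action name

function Get-BitLockerKeyReaderRoles {
    # Returns every role definition (built-in and custom) whose allowed actions
    # include the key-read action. Matching on the action rather than the role
    # name keeps the check valid when Microsoft adds or removes it from a role.
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object {
            $actions = @($_.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
            $actions -contains $KeyReadAction
        } |
        Select-Object DisplayName, IsBuiltIn, Id
}

function Get-BitLockerKeySummary {
    param([Parameter(Mandatory)][string]$DeviceId)   # Entra deviceId GUID, not the device object ID
    # Metadata only: a list call never returns the key itself, so this is safe
    # to run routinely (BitLockerKey.ReadBasic.All would be enough for it).
    Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'" |
        Select-Object Id, CreatedDateTime, VolumeType
}

function Get-BitLockerKeyMaterial {
    param([Parameter(Mandatory)][string]$KeyId)
    # The 48-digit recovery password is only returned when one key is fetched
    # with $select=key; each such read is written to the Entra audit log, so
    # keep this call out of any bulk loop.
    (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $KeyId -Property 'key').Key
}

# Usage: which roles in this tenant can read keys right now?
Get-BitLockerKeyReaderRoles | Sort-Object DisplayName | Format-Table -AutoSize

# Usage: keys escrowed for one device, newest first, key material fetched once.
$deviceId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with a real deviceId
$keys = Get-BitLockerKeySummary -DeviceId $deviceId
$keys | Format-Table -AutoSize
if ($keys) {
    $latest = $keys | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    $recoveryPassword = Get-BitLockerKeyMaterial -KeyId $latest.Id
    if ($recoveryPassword) {
        # Do not echo the full password into a shared console log; confirm the tail only.
        "Recovery password for $deviceId ends in ...$($recoveryPassword.Substring($recoveryPassword.Length - 6))"
    }
}
```

If the first function returns nothing for an account that can nevertheless see keys in the portal, the tenant grants the access through a role whose actions are expressed differently than assumed here, so check the role's `RolePermissions` by hand rather than trusting the exact action string.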
You can already give an administrator view permissions on 'devices' within Intune. I suppose this should solve your issue as well.
This is available here - https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/overview

Interesting that we have to use excessive permissions from AAD to allow access to Bitlocker recovery keys. I don't think L1 needs to reset passwords, when they only need to relay the key to a user when needed. However, Helpdesk admin AAD role is the best we can do ATTM it appears.


In addition, the documentation "Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs" (https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices) says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."

I cannot find it in the Encryption report.