cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What admin role grans permission to view devices' bitlocker recovery keys?

%3CLINGO-SUB%20id%3D%22lingo-sub-1587597%22%20slang%3D%22en-US%22%3EWhat%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1587597%22%20slang%3D%22en-US%22%3E%3CP%3EWhich%20of%20the%20standard%20admin%20roles%20is%20required%20to%20view%20bitlocker%20recovery%20keys%20for%20a%20device%20in%20intune%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1587597%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588289%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588289%22%20slang%3D%22en-US%22%3EHi%20Steve%2C%3CBR%20%2F%3E%3CBR%20%2F%3EOne%20of%20those%20should%20do%20it!%3CBR%20%2F%3E%3CBR%20%2F%3EGlobal%20admins%3CBR%20%2F%3EIntune%20Service%20Administrators%3CBR%20%2F%3ESecurity%20Administrators%3CBR%20%2F%3ESecurity%20Readers%3CBR%20%2F%3EHelpdesk%20Admins%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588284%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588284%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Steve%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EOne%20of%20those%20should%20do%20it!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EGlobal%20admins%3CBR%20%2F%3EIntune%20Service%20Administrators%3CBR%20%2F%3ESecurity%20Administrators%3CBR%20%2F%3ESecurity%20Readers%3CBR%20%2F%3EHelpdesk%20Admins%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1592876%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1592876%22%20slang%3D%22en-US%22%3EThanks%20Moe.%20I%20didn't%20realize%20at%20first%20that%20access%20to%20the%20keys%20in%20Intune%20was%20controlled%20by%20the%20AAD%20administrator%20roles%2C%20I%20was%20expecting%20it%20to%20be%20part%20of%20one%20of%20the%20Intune%20roles.%3CBR%20%2F%3E%3CBR%20%2F%3EFWIW%2C%20the%20Security%20Reades%20and%20Helpdesk%20Administrator%20roles%20do%20not%20appear%20to%20have%20access%20to%20the%20recovery%20keys%2C%20based%20on%20the%20permissions%20listed%20in%20the%20role%20description.%20The%20Cloud%20Device%20Administrator%20role%20does%20grant%20the%20appropriate%20permission.%3CBR%20%2F%3E%3CBR%20%2F%3EHopefully%20once%20the%20Custom%20Roles%20permission%20is%20expanded%20to%20support%20more%20permissions%2C%20I'll%20be%20able%20to%20grant%20only%20the%20permission%20to%20read%20the%20bitlocker%20keys%20without%20everything%20else%20that%20goes%20with%20Cloud%20Device%20Administrator.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1593728%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1593728%22%20slang%3D%22en-US%22%3EYou%20can%20already%20give%20a%20administrator%20view%20permissions%20on%20'devices'%20within%20Intune.%20I%20suppose%20this%20should%20solve%20your%20issue%20as%20well.%3CBR%20%2F%3EThis%20is%20available%20here%20-%20%3CA%20href%3D%22https%3A%2F%2Fendpoint.microsoft.com%2F%23blade%2FMicrosoft_Intune_DeviceSettings%2FRolesLandingMenuBlade%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fendpoint.microsoft.com%2F%23blade%2FMicrosoft_Intune_DeviceSettings%2FRolesLandingMenuBlade%2Foverview%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1859066%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1859066%22%20slang%3D%22en-US%22%3E%3CP%3EInteresting%20that%20we%20have%20to%20use%20excessive%20permissions%20from%20AAD%20to%20allow%20access%20to%20Bitlocker%20recovery%20keys.%20I%20don't%20think%20L1%20needs%20to%20reset%20passwords%2C%20when%20they%20only%20need%20to%20relay%20the%20key%20to%20a%20user%20when%20needed.%20However%2C%20Helpdesk%20admin%20AAD%20role%20is%20the%20best%20we%20can%20do%20ATTM%20it%20appears.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20addition%2C%20the%20documentation%3C%2FP%3E%3CDIV%3E%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3EEncrypt%20Windows%2010%20devices%20with%20BitLocker%20in%20Intune%20-%20Microsoft%20Intune%20%7C%20Microsoft%20Docs%3C%2FA%3E%20says%20%22...%3CSPAN%3Eafter%20Intune%20encrypts%20a%20Windows%2010%20device%20with%20BitLocker%2C%20you%20can%20view%20and%20retrieve%20BitLocker%20recovery%20keys%20when%20you%20view%20the%20encryption%20report.%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EI%20cannot%20find%20it%20in%20the%20Encryption%20report.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
Steve Whitcher
Regular Contributor

‎08-13-2020 11:58 AM

‎08-13-2020 11:58 AM

What admin role grans permission to view devices' bitlocker recovery keys?

Which of the standard admin roles is required to view bitlocker recovery keys for a device in intune?  

 

 

Labels:
1,698 Views
0 Likes
5 Replies
Reply
5 Replies
Moe_Kinani

‎08-13-2020 08:16 PM - edited ‎08-13-2020 08:25 PM

‎08-13-2020 08:16 PM - edited ‎08-13-2020 08:25 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Hi Steve,

One of those should do it!


Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe

0 Likes
Reply
Moe_Kinani

‎08-13-2020 08:21 PM

‎08-13-2020 08:21 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Hi Steve,

One of those should do it!

Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe
1 Like
Reply
Steve Whitcher

‎08-17-2020 06:09 AM

‎08-17-2020 06:09 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles, I was expecting it to be part of one of the Intune roles.

FWIW, the Security Reades and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the bitlocker keys without everything else that goes with Cloud Device Administrator.
1 Like
Reply
Thijs Lecomte

‎08-17-2020 10:25 AM

‎08-17-2020 10:25 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

You can already give a administrator view permissions on 'devices' within Intune. I suppose this should solve your issue as well.
This is available here - https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/RolesLandingMenuBlade/overview
0 Likes
Reply
Ken Rappold

‎11-05-2020 02:10 PM

‎11-05-2020 02:10 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Interesting that we have to use excessive permissions from AAD to allow access to Bitlocker recovery keys. I don't think L1 needs to reset passwords, when they only need to relay the key to a user when needed. However, Helpdesk admin AAD role is the best we can do ATTM it appears.

 

In addition, the documentation

Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."
I cannot find it in the Encryption report.
0 Likes
Reply