cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What admin role grans permission to view devices' bitlocker recovery keys?

%3CLINGO-SUB%20id%3D%22lingo-sub-1587597%22%20slang%3D%22en-US%22%3EWhat%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1587597%22%20slang%3D%22en-US%22%3E%3CP%3EWhich%20of%20the%20standard%20admin%20roles%20is%20required%20to%20view%20bitlocker%20recovery%20keys%20for%20a%20device%20in%20intune%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1587597%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588289%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588289%22%20slang%3D%22en-US%22%3EHi%20Steve%2C%3CBR%20%2F%3E%3CBR%20%2F%3EOne%20of%20those%20should%20do%20it!%3CBR%20%2F%3E%3CBR%20%2F%3EGlobal%20admins%3CBR%20%2F%3EIntune%20Service%20Administrators%3CBR%20%2F%3ESecurity%20Administrators%3CBR%20%2F%3ESecurity%20Readers%3CBR%20%2F%3EHelpdesk%20Admins%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588284%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588284%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Steve%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EOne%20of%20those%20should%20do%20it!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EGlobal%20admins%3CBR%20%2F%3EIntune%20Service%20Administrators%3CBR%20%2F%3ESecurity%20Administrators%3CBR%20%2F%3ESecurity%20Readers%3CBR%20%2F%3EHelpdesk%20Admins%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1592876%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1592876%22%20slang%3D%22en-US%22%3EThanks%20Moe.%20I%20didn't%20realize%20at%20first%20that%20access%20to%20the%20keys%20in%20Intune%20was%20controlled%20by%20the%20AAD%20administrator%20roles%2C%20I%20was%20expecting%20it%20to%20be%20part%20of%20one%20of%20the%20Intune%20roles.%3CBR%20%2F%3E%3CBR%20%2F%3EFWIW%2C%20the%20Security%20Reades%20and%20Helpdesk%20Administrator%20roles%20do%20not%20appear%20to%20have%20access%20to%20the%20recovery%20keys%2C%20based%20on%20the%20permissions%20listed%20in%20the%20role%20description.%20The%20Cloud%20Device%20Administrator%20role%20does%20grant%20the%20appropriate%20permission.%3CBR%20%2F%3E%3CBR%20%2F%3EHopefully%20once%20the%20Custom%20Roles%20permission%20is%20expanded%20to%20support%20more%20permissions%2C%20I'll%20be%20able%20to%20grant%20only%20the%20permission%20to%20read%20the%20bitlocker%20keys%20without%20everything%20else%20that%20goes%20with%20Cloud%20Device%20Administrator.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1593728%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1593728%22%20slang%3D%22en-US%22%3EYou%20can%20already%20give%20a%20administrator%20view%20permissions%20on%20'devices'%20within%20Intune.%20I%20suppose%20this%20should%20solve%20your%20issue%20as%20well.%3CBR%20%2F%3EThis%20is%20available%20here%20-%20%3CA%20href%3D%22https%3A%2F%2Fendpoint.microsoft.com%2F%23blade%2FMicrosoft_Intune_DeviceSettings%2FRolesLandingMenuBlade%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fendpoint.microsoft.com%2F%23blade%2FMicrosoft_Intune_DeviceSettings%2FRolesLandingMenuBlade%2Foverview%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1859066%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1859066%22%20slang%3D%22en-US%22%3E%3CP%3EInteresting%20that%20we%20have%20to%20use%20excessive%20permissions%20from%20AAD%20to%20allow%20access%20to%20Bitlocker%20recovery%20keys.%20I%20don't%20think%20L1%20needs%20to%20reset%20passwords%2C%20when%20they%20only%20need%20to%20relay%20the%20key%20to%20a%20user%20when%20needed.%20However%2C%20Helpdesk%20admin%20AAD%20role%20is%20the%20best%20we%20can%20do%20ATTM%20it%20appears.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20addition%2C%20the%20documentation%3C%2FP%3E%3CDIV%3E%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3EEncrypt%20Windows%2010%20devices%20with%20BitLocker%20in%20Intune%20-%20Microsoft%20Intune%20%7C%20Microsoft%20Docs%3C%2FA%3E%20says%20%22...%3CSPAN%3Eafter%20Intune%20encrypts%20a%20Windows%2010%20device%20with%20BitLocker%2C%20you%20can%20view%20and%20retrieve%20BitLocker%20recovery%20keys%20when%20you%20view%20the%20encryption%20report.%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EI%20cannot%20find%20it%20in%20the%20Encryption%20report.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2101154%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2101154%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F117010%22%20target%3D%22_blank%22%3E%40Ken%20Rappold%3C%2FA%3E%26nbsp%3BHave%20you%20ever%20found%20a%20solution%20for%20that%3F%3C%2FP%3E%3CP%3EI'm%20also%20trying%20to%20give%20our%20service%20desk%20guys%20the%20ability%20to%20retrieve%20Bitlocker%20keys%20out%20of%20Intune%20(Endpoint%20Manager)%2C%20but%20giving%20almost%20all%20%22Read%22%20rights%20with%20a%20custom%20role%2C%20they%20still%20get%20an%20error%2C%20as%20soon%20as%20they%20click%20on%20%22Recovery%20keys%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2101998%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2101998%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F256397%22%20target%3D%22_blank%22%3E%40Ren_Zimmermann%3C%2FA%3E%26nbsp%3B-%20Not%20thus%20far%20and%20haven't%20escalated%20this%20more%20than%20what%20you%20see%20in%20these%20posts.%20I%20may%20escalate%20when%2Fif%20time%20allows.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2110350%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2110350%22%20slang%3D%22en-US%22%3EBitlocker%20keys%20are%20not%20a%20part%20of%20Intune%2C%20but%20of%20AAD.%20So%20you%20need%20an%20AAD%20role%20for%20them%20to%20see%20the%20keys.%20Helpdesk%20admin%20is%20one%20of%20the%20ways%20to%20do%20it%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2111117%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3B-%20Agree%2C%20but%20the%20%3CA%20title%3D%22documentation%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3Edocumentation%3C%2FSTRONG%3E%20%3C%2FA%3Estates%20%22%3C%2FP%3E%3CDIV%20class%3D%22alert%20is-success%22%3E%3CP%3E...%20you%20can%20view%20and%20manage%20BitLocker%20recovery%20keys%20when%20you%20view%20the%20encryption%20report.%20...%20%22%3C%2FP%3E%3CP%3EMy%20input%20here%20is%20the%20data%20in%20the%20report%20should%20be%20made%20available%20via%20an%20RBAC%20permission.%20At%20a%20minimum%2C%20the%20Help%20Desk%20Role%20should%20be%20able%20to%20view%20the%20report%20and%20bitlocker%20recovery%20keys%20within.%3C%2FP%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2112663%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2112663%22%20slang%3D%22en-US%22%3EI%20agree%2C%20it's%20a%20pain%20%3A%5C%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113194%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113194%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3Band%20overpermissioned%20when%20all%20we%20need%20is%20L1%20to%20access%20BitLocker%20keys%20for%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2244450%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2244450%22%20slang%3D%22en-US%22%3EThis%20is%20real%20pain.%3CBR%20%2F%3Eespecially%20when%20you%20have%20scopes%20separation%20in%20Endpoint%20Manager%20and%20you%20use%20RBAC%20to%20separate%20offices%20equipment.%3CBR%20%2F%3EOf%20course%20i%20cannot%20grant%20helpdesk%20admins%20on%20AAD....%20that%20definitely%20not%20LEAST%20Privilege.%3CBR%20%2F%3EThat%20AAD%20issue%20BTH.%20There%20is%20no%20possible%20to%20assign%20role%20to%20scope%20...%20there%20is%20no%20scopes%20at%20all.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2344843%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2344843%22%20slang%3D%22en-US%22%3ESeems%20like%20Azure%20AD%20Administrative%20Units%20are%20not%20helpful%20in%20this%20space%20either.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F41324467-add-devices-to-administrative-units%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%2Fsuggestions%2F41324467-add-devices-to-administrative-units%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2352307%22%20slang%3D%22en-US%22%3ERe%3A%20What%20admin%20role%20grans%20permission%20to%20view%20devices'%20bitlocker%20recovery%20keys%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2352307%22%20slang%3D%22en-US%22%3EIn%20order%20to%20fully%20solve%20this%20issue%2C%20we%20need%20to%20have%20devices%20support%20in%20AU%20with%20custom%20roles.%20Let's%20hope%20it's%20here%20sooner%20rather%20than%20later%3C%2FLINGO-BODY%3E
Steve Whitcher
Regular Contributor

‎Aug 13 2020 11:58 AM

‎Aug 13 2020 11:58 AM

What admin role grans permission to view devices' bitlocker recovery keys?

Which of the standard admin roles is required to view bitlocker recovery keys for a device in intune?  

 

 

Labels:
5,253 Views
0 Likes
16 Replies
Reply
16 Replies
Moe_Kinani

‎Aug 13 2020 08:16 PM - edited ‎Aug 13 2020 08:25 PM

‎Aug 13 2020 08:16 PM - edited ‎Aug 13 2020 08:25 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Hi Steve,

One of those should do it!


Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe

0 Likes
Reply
Moe_Kinani

‎Aug 13 2020 08:21 PM

‎Aug 13 2020 08:21 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Hi Steve,

One of those should do it!

Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins

Hope this helps!
Moe
1 Like
Reply
Steve Whitcher

‎Aug 17 2020 06:09 AM

‎Aug 17 2020 06:09 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Thanks Moe. I didn't realize at first that access to the keys in Intune was controlled by the AAD administrator roles, I was expecting it to be part of one of the Intune roles.

FWIW, the Security Reades and Helpdesk Administrator roles do not appear to have access to the recovery keys, based on the permissions listed in the role description. The Cloud Device Administrator role does grant the appropriate permission.

Hopefully once the Custom Roles permission is expanded to support more permissions, I'll be able to grant only the permission to read the bitlocker keys without everything else that goes with Cloud Device Administrator.
1 Like
Reply
Ken Rappold

‎Nov 05 2020 02:10 PM

‎Nov 05 2020 02:10 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Interesting that we have to use excessive permissions from AAD to allow access to Bitlocker recovery keys. I don't think L1 needs to reset passwords, when they only need to relay the key to a user when needed. However, Helpdesk admin AAD role is the best we can do ATTM it appears.

 

In addition, the documentation

Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune | Microsoft Docs says "...after Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report."
I cannot find it in the Encryption report.
0 Likes
Reply
Ren_Zimmermann

‎Jan 27 2021 01:06 AM

‎Jan 27 2021 01:06 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

@Ken Rappold Have you ever found a solution for that?

I'm also trying to give our service desk guys the ability to retrieve Bitlocker keys out of Intune (Endpoint Manager), but giving almost all "Read" rights with a custom role, they still get an error, as soon as they click on "Recovery keys".

0 Likes
Reply
Ken Rappold

‎Jan 27 2021 05:58 AM

‎Jan 27 2021 05:58 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

@Ren_Zimmermann - Not thus far and haven't escalated this more than what you see in these posts. I may escalate when/if time allows.

0 Likes
Reply
Thijs Lecomte

‎Feb 01 2021 12:21 PM

‎Feb 01 2021 12:21 PM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Bitlocker keys are not a part of Intune, but of AAD. So you need an AAD role for them to see the keys. Helpdesk admin is one of the ways to do it
1 Like
Reply
Ken Rappold

‎Feb 02 2021 05:26 AM

‎Feb 02 2021 05:26 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

@Thijs Lecomte - Agree, but the documentation states "

... you can view and manage BitLocker recovery keys when you view the encryption report. ... "

My input here is the data in the report should be made available via an RBAC permission. At a minimum, the Help Desk Role should be able to view the report and bitlocker recovery keys within.

0 Likes
Reply
Thijs Lecomte

‎Feb 03 2021 06:21 AM

‎Feb 03 2021 06:21 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

I agree, it's a pain :\
0 Likes
Reply
Ken Rappold

‎Feb 03 2021 11:24 AM

‎Feb 03 2021 11:24 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

@Thijs Lecomte and overpermissioned when all we need is L1 to access BitLocker keys for users.

0 Likes
Reply
creatoni4

‎Mar 30 2021 06:00 AM

‎Mar 30 2021 06:00 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

This is real pain.
especially when you have scopes separation in Endpoint Manager and you use RBAC to separate offices equipment.
Of course i cannot grant helpdesk admins on AAD.... that definitely not LEAST Privilege.
That AAD issue BTH. There is no possible to assign role to scope ... there is no scopes at all.

0 Likes
Reply
Joshua Bines

‎May 11 2021 07:50 AM

‎May 11 2021 07:50 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Seems like Azure AD Administrative Units are not helpful in this space either.

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/41324467-add-devices-to-...
0 Likes
Reply
Thijs Lecomte

‎May 13 2021 11:24 AM

‎May 13 2021 11:24 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

In order to fully solve this issue, we need to have devices support in AU with custom roles. Let's hope it's here sooner rather than later
1 Like
Reply
Joshua Bines

‎May 19 2021 07:55 AM

‎May 19 2021 07:55 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

They do have the helpdesk role available for AU but we just need to the ability to add the devices which will come in time i'm sure :)
0 Likes
Reply
Rudy_Ooms

‎May 22 2021 07:33 AM

‎May 22 2021 07:33 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

Hi..

I came up with an alternative solution to this problem...
When you are interested you can find the blog on my website. (it still needs some work... but I decided to post it already)

https://call4cloud.nl/2021/05/the-texas-chain-saw-bitlocker-remediations/
0 Likes
Reply
Ken Rappold

‎May 24 2021 06:56 AM

‎May 24 2021 06:56 AM

Re: What admin role grans permission to view devices' bitlocker recovery keys?

@Rudy_Ooms - Interesting. Thank you for sharing.

0 Likes
Reply