Blog Post

Intune Customer Success
3 MIN READ

User self-service BitLocker recovery key access with Intune Company Portal website now available

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
May 23, 2024

By: Aasawari Navathe – Sr. Product Manager | Microsoft Intune

 

With the May (2405) service release of Microsoft Intune, users are now able to access the BitLocker recovery key of their Intune enrolled devices using the Intune Company Portal website. This enables users to self-resolve, rather than contacting their helpdesk, when they're locked out of their machines and need to access their BitLocker recovery key.

 

What are the prerequisites?

  • Enrolled Windows device into Intune tenant
  • Ability to log into the Intune Company Portal website from a device (doesn’t need to be enrolled)
  • Permission to view your BitLocker recovery key (if one exists in Microsoft Entra ID)

 

We’re working to add the ability to view the BitLocker recovery key from the native Company Portal apps on other platforms like Apple iOS/iPadOS and macOS. The Intune Company Portal website can be used on other platforms.

 

How does this work?

After opening the Intune Company Portal website, navigate to the Devices node, select the enrolled Windows device, and click “Get recovery key” under Device Encryption. If there are multiple recovery keys found, click “Show recovery key” under the one with the key ID that is needed. Users may then use this recovery key to complete the recovery process on their enrolled Windows device without reaching out to the helpdesk.

Example BitLocker Recovery Key for a Windows device in the Microsoft Intune Company Portal website.

 

Features for BitLocker recovery key access in Microsoft Entra ID

We heard the customer feedback on what level of control IT admins need within their organization for this scenario. While Intune helps configure policy to define the escrow of BitLocker recovery keys, these keys are stored within Entra ID. There are three capabilities within Entra ID that are helpful to use in conjunction with self-service BitLocker recovery key access for users.

 

  1. Tenant-wide toggle to prevent recovery key access for non-admin users

    This setting is located in the Entra ID > Devices > Device settings.

     

    The tenant-wide toggle for restricting users from their BitLocker recovery keys.

     

    This setting determines if users can self-service to recover their BitLocker key(s). The default value is 'No' which allows all users to recover their BitLocker key(s). 'Yes' restricts non-admin users from being able to see the BitLocker key(s) for their own devices if there are any. Learn more: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center.

    Example scenario where a Windows recovery key could not be retrieved in the Microsoft Intune Company Portal website.

    In the event that the admin has restricted recovery key access for users, users will receive the message “Recovery key could not be retrieved” in the Company Portal website.

  2. Auditing for recovery key access

    Audit Logs within the Entra ID portal show the history of activities within the tenant. Any user recovery key accesses made through the Company Portal website will be logged in Audit Logs under the Key Management category as a “Read BitLocker key” activity type. The user’s User Principal Name and additional info such as key ID is also logged.

    Learn more: Learn about the audit logs in Microsoft Entra ID.

  3. Entra Conditional Access policy requiring a compliant device to access BitLocker Recovery Key

    With Conditional Access policy (CA), you can restrict the access to certain corporate resources if a device is not compliant with the “Require compliant device” setting. If this is set up within your organization, and a device fails to meet the Compliance requirements configured in the Intune Compliance policy, that device cannot be used to access the BitLocker Recovery Key as it is considered a corporate resource which is access controlled by CA.


    In this case, you may see an error like below which suggests using a compliant device for recovery key access.


With the 2405 release, get started on this new capability for user self-service BitLocker recovery key access with the Intune Company Portal website!

Let us know your thoughts or if you have any questions, by leaving a comment below or reach out to us on X @IntuneSuppTeam.

Published May 23, 2024
Version 1.0
BitLocker
windows
  • Benoit_Hamet's avatar
    Benoit_Hamet
    MVP
    May 23, 2024

    Thank you

    That is a good progress to reduce service desk request

    That said, the section showing the recovery key does not take into account the dark mode.

    The recovery key section is shown as a white component and does not display the key - meaning the key is displayed in white (white over white obviously you can read) see below

     

  • SvenV_'s avatar
    SvenV_
    Brass Contributor
    May 24, 2024

    Benoit_Hamet Yeah the same thing is applicable for the macOS FileVault recovery keys, it seems that the company portal website is indeed responding to the theme of the windows OS, if I change that to light mode, the page also changes and it would be nice if the dark mode got fixed with that indeed. 

  • martinvandiemen's avatar
    martinvandiemen
    Copper Contributor
    May 29, 2024

    It would be great if this restriction would also restrict access to the Recovery Key for macOS.

  • lightupdifire's avatar
    lightupdifire
    Brass Contributor
    May 29, 2024

    Hello,

    However, the end-users can get their recovery key from the My Account.

  • Tomsmith1122's avatar
    Tomsmith1122
    Copper Contributor
    Jun 05, 2024

    Microsoft Intune now provides users with the ability to access their BitLocker recovery keys via the Intune Company Portal website. This feature enhances user self-service capabilities, reducing the need for IT support for BitLocker recovery. Here's a detailed guide on how to use this feature:

    Accessing BitLocker Recovery Key through Intune Company Portal

    Prerequisites

    1. Microsoft Intune Subscription: Ensure your organization has an active Microsoft Intune subscription.
    2. BitLocker Configuration: BitLocker must be enabled and configured on your Windows device.
    3. Intune Company Portal App: Make sure you have the Intune Company Portal app installed and configured on your device.

    Steps to Retrieve BitLocker Recovery Key

    1. Open the Intune Company Portal Website:

      • Go to the Intune Company Portal website on any device with internet access.
      • Sign in with your organizational account (e.g., your work or school email and password).

    2. Navigate to Devices:

      • Once signed in, click on the Devices tab. This will display a list of all the devices associated with your account.

    3. Select Your Device:

      • Find and select the device for which you need the BitLocker recovery key. This will open the device details page.

    4. Retrieve the BitLocker Recovery Key:

      • On the device details page, look for the option labeled BitLocker Recovery Key or similar.
      • Click on this option to view your BitLocker recovery key. Note it down or copy it securely.

    Important Notes

    • Security: Ensure you keep the BitLocker recovery key secure. Do not share it unnecessarily and store it in a safe place.
    • Support: If you face any issues accessing the Intune Company Portal or retrieving the BitLocker recovery key, contact your organization's IT support.

    Benefits of Self-Service BitLocker Recovery

    • Reduced IT Load: Users can recover their BitLocker keys without needing IT intervention, saving time and resources.
    • Increased Productivity: Users can quickly regain access to their encrypted drives, minimizing downtime.
    • Improved Security: Ensures that BitLocker recovery keys are easily accessible by authorized users only, maintaining the security of encrypted data.

    By enabling self-service access to BitLocker recovery keys via the Intune Company Portal, organizations can streamline device management and improve user experience while maintaining high security standards.

  • MichaelOliv's avatar
    MichaelOliv
    Iron Contributor
    Jun 17, 2024

    Hello,

     

    I was going to make the same remark as Benoit_Hamet.

     

    I try in Android in dark mode and same problem. Not easy to read the key for a user in dark mode.

     

    But the functionnality is a good one. 😉

  • mobilejon's avatar
    mobilejon
    Copper Contributor
    Jul 19, 2024

    This doesn't actually say how you enforce Conditional Access..

     

    From Audit Logs, I could just force "Device Registration" but I would think docs would actually say how you are supposed to do it.

  • Alexandre_Cop's avatar
    Alexandre_Cop
    Iron Contributor
    Jul 31, 2024

    Hi,

     

    When I try this, I get:
    'No recovery key

    No recovery key was found for this device. Device encryption might still be in progress. Sync the device and try again'
     
    The Entra setting is set to 'No'
    There are no CA rules blocking access
    The device was first encrypted months ago
    The device has a number of recovery keys available in Intune
     
    I'm not sure what else to look for?
    • Intune_Support_Team's avatar
      Intune_Support_Team
      Icon for Microsoft rankMicrosoft
      Nov 08, 2024

      Hi all,

       

      Thanks for all the feedback, and we'll be sure to pass these on to the relevant folks for further improvements.

       

      Alexandre_Cop 

      If you are continuing to experience this issue, can you reach out to us via DM for some troubleshooting steps to complete?

       

      Thanks! ^IH