In part two we deployed a device encryption policy to make our Windows 10-devices encrypt the OS-drive with Bitlocker and upload the Bitlocker info to Azure AD. In the last part of this blog series we will look at the admin and end-user experience when you are in need of the Bitlocker recovery password.
Admin Experience (Azure AD)
We will start off by having a look at the admin experience. I have identified below Azure AD-roles to allow access to Bitlocker recovery passwords in Azure AD.
- Global Administrator
- Intune Service Administrator
- Security Administrator
- Security Reader
- Helpdesk Administrator
- Cloud Device Administrator
- Make sure your account is part of any of above admin roles
- Navigate to: https://aad.portal.azure.com
- Click “Azure Active Directory” -> “Users“
- Find and click the specific user who is in need of the Bitlocker recovery password
- Click: “Devices“
- You will see a list of all devices this user is primary user of
- Select the correct device from the list
- As you can see we can get both “Fixed data drive” and “Operating system drive” recovery passwords from this view
- Select “Show Recovery Key” as per your need
Admin Experience (MEM portal)
- I recommend that you are part of the Intune Administrator role
- Visit: https://endpoint.microsoft.com
- Click: “Devices” -> “Windows“
- Select the correct device as per your need
- Click: Recovery keys“
- Click: “Show Recovery Key“
User Experience (My Account)
As the primary user of a device an end-user is allowed to fetch the Bitlocker recovery password. It is really handy to have this self-service experience available to all users!
- Ask the user to visit: https://myaccount.microsoft.com
- Click: “Devices“
- Select the correct device as per your need
- Click: “View Bitlocker Keys”
There you have it – We have now successfully moved the management of Bitlocker from AD to Azure AD and MEM! Remember to keep an eye on the “Encryption report” that we discussed in part 1.