Move Bitlocker Management to Microsoft EndPoint Manager Part 3

In part two we deployed a device encryption policy to make our Windows 10 devices encrypt the OS drive with Bitlocker and upload the Bitlocker recovery information to Azure AD. In this last part of the blog series we will look at the admin and end-user experience when you need the Bitlocker recovery password.

Admin Experience (Azure AD)

We will start off by having a look at the admin experience. I have identified the Azure AD roles below that allow access to Bitlocker recovery passwords in Azure AD.

  • Global Administrator
  • Intune Service Administrator
  • Security Administrator
  • Security Reader
  • Helpdesk Administrator
  • Cloud Device Administrator

  1. Make sure your account is part of any of the above admin roles
  2. Navigate to:
  3. Click “Azure Active Directory” -> “Users”
  4. Find and click the specific user who is in need of the Bitlocker recovery password
  5. Click: “Devices”
  6. You will see a list of all devices this user is the primary user of
  7. Select the correct device from the list
  8. As you can see, this view gives us both the “Fixed data drive” and the “Operating system drive” recovery passwords
  9. Select “Show Recovery Key” as per your need

Admin Experience (MEM portal)

  1. I recommend that you are part of the Intune Administrator role
  2. Visit:
  3. Click: “Devices” -> “Windows”
  4. Select the correct device as per your need
  5. Click: Recovery keys
  6. Click: “Show Recovery Key”
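The same admin lookup can be done from PowerShell instead of clicking through the portal. This is an added example, not code from the original post: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds one of the roles listed above, and it takes the Azure AD device ID as a parameter (a placeholder you supply, not a value from this post).

```powershell
# Added example (not from the original post): list the Bitlocker recovery keys
# escrowed in Azure AD for one device and reveal the newest OS-drive key via
# Microsoft Graph. Run as a script: .\Get-DeviceRecoveryKey.ps1 -DeviceId <azure-ad-device-id>
param(
    [Parameter(Mandatory)] [string] $DeviceId   # Azure AD device ID (placeholder, supplied by you)
)

# BitLockerKey.ReadBasic.All is enough to list key metadata; reading the key text
# itself requires BitLockerKey.Read.All, and each read is recorded in the Azure AD audit log.
Connect-MgGraph -Scopes "BitLockerKey.Read.All" | Out-Null

# Metadata only: key ID, creation time and volume type (OS drive vs fixed data drive).
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'"

if (-not $keys) {
    Write-Warning "No recovery keys escrowed for device $DeviceId. Check the encryption report from part 1."
    return
}

$keys | Select-Object Id, CreatedDateTime, VolumeType | Format-Table -AutoSize

# Reveal only the newest operating-system-volume key; older entries can be left over
# from earlier encryption runs and are not what the user is being prompted for.
$latest = $keys |
    Where-Object { $_.VolumeType -eq 'operatingSystemVolume' } |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 1

if ($latest) {
    # The 'key' property is only returned when it is requested explicitly.
    $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $latest.Id -Property key
    Write-Output "Recovery password for key ID $($latest.Id): $($full.Key)"
}
```

Because every key read is audited, this approach also gives you a trail of who fetched which recovery password and when, which the portal click-path does not make as visible.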

User Experience (My Account)

As the primary user of a device an end-user is allowed to fetch the Bitlocker recovery password. It is really handy to have this self-service experience available to all users!

  1. Ask the user to visit:
  2. Click: “Devices”
  3. Select the correct device as per your need
  4. Click: “View Bitlocker Keys”

There you have it – we have now successfully moved the management of Bitlocker from AD to Azure AD and MEM! Remember to keep an eye on the “Encryption report” that we discussed in part 1.
