Move Bitlocker Management to Intune Part 3

In part two we deployed a device encryption policy to make our Windows 10-devices encrypt the OS-drive with Bitlocker and upload the Bitlocker info to Entra ID. In the last part of this blog series we will look at the admin and end-user experience when you are in need of the Bitlocker recovery password.

Admin Experience (Entra ID)

We will start off by having a look at the admin experience. I have identified below Entra ID-roles to allow access to Bitlocker recovery passwords in Entra ID.

  • Global Administrator
  • Intune Service Administrator
  • Security Administrator
  • Security Reader
  • Helpdesk Administrator
  • Cloud Device Administrator
  1. Make sure your account is part of any of above admin roles
  2. Navigate to: Entra
  3. Click “Entra ID” -> “Users
  4. Find and click the specific user who is in need of the Bitlocker recovery password
  5. Click: “Devices
  6. You will see a list of all devices this user is primary user of
  7. Select the correct device from the list
  8. As you can see we can get both “Fixed data drive” and “Operating system drive” recovery passwords from this view
  9. Select “Show Recovery Key” as per your need

Admin Experience (Intune)

  1. I recommend that you are part of the Intune Administrator role or a sufficient custom role
  2. Visit: Intune
  3. Click: “Devices” -> “Windows
  4. Select the correct device as per your need
  5. Click: Recovery keys
  6. Click: “Show Recovery Key

User Experience (My account)

As the primary user of a device an end-user is allowed to fetch the Bitlocker recovery password. It is really handy to have this self-service experience available to all users!

❗I recommend that self-service of Bitlocker is disabled on tenant level (Devices -> Device settings) due to security.

  1. Ask the user to visit:
  2. Click: “Devices
  3. Select the correct device as per your need
  4. Click: “View Bitlocker Keys

There you have it – We have now successfully moved the management of Bitlocker from AD to Entra ID and Intune ! Remember to keep an eye on the “Encryption report” which we discussed in part 1.

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.