Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD

Let’s learn how to create a custom role to read BitLocker Keys for managed devices. BitLocker Recovery Key Reader roles have required to help ensure that only an authorized person can unlock your Windows PC and restore access to your encrypted data.

BitLocker likely ensured a recovery key was safely backed up before activating protection. There are several places that your recovery key may be, depending on the choice that was made when activating BitLocker:

BitLocker is a built-in Windows data protection feature capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled.

Microsoft also added support to hide recovery keys from end users. This helps improve the devices’ security poster and prevents attackers from getting Bitlocker encryption keys from Windows devices.

Patch My PC

This new feature restricting access to the BitLocker Recovery Key allows users to choose whether they can view their BitLocker recovery key. At this point, many organizations don’t have the option to disable this feature.

Create Custom BitLocker Recovery Key Reader Role

You can create a custom BitLocker Recovery Key Reader role that includes any permissions required for a specific job function. After creating a custom role, you can assign it to any users that need those permissions. Here’s how you can create Bitlocker Keys RBAC Roles in Azure AD:

To create, edit, or assign roles, your account must have Global Administrator or Privileged Role Administrator permissions in Azure AD.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.1
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.1

In the Roles and administrators, click on the New custom role.

Adaptiva
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.1
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.2

On the Basics page, enter a name for the Bitlocker Recovery Key Reader role (For Example, Bitlocker Recovery Key Reader) and a description for the new role, then choose Next.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.3
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.3

On the Permissions page, choose the permissions you want to use with this role. To add BitLocker keys read permission, search with the keyword “Bitlocker Key” and select microsoft.directory/bitlockerKeys/key/read permission will appear. Select the permission.

PermissionDescription
microsoft.directory/bitlockerKeys/key/readRead bitlocker metadata and key on devices
Table 1 – Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.4
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.4

On Review + create, review assigned roles. Click on Create.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD 1
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.5

A notification will appear automatically in the top right-hand corner with a message. Here you can see, Successfully created ‘BitLocker Recovery Key Reader’ custom role. Click the Refresh button at the top to quickly see the roles. You can see the Custom BitLocker Recovery Key Reader role created.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.6
Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.6

What minimum role-based access control (RBAC) rights are required to access the Intune console recovery key? To access the recovery keys, an administrator must be granted Helpdesk Administrator permissions.

Assign Bitlocker Recovery Key Reader Role to Azure AD Group

Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can’t be an Azure AD dynamic group.

  • In Azure AD, Select Groups, and Click New Group.
  • Here you need to Enter a Name, Description (optional). Set Azure AD roles can be assigned to this group to Yes.
  • Next, you can add members to the group
Assign Bitlocker Recovery Key Reader Role to Azure AD Group Fig.7
Assign Bitlocker Recovery Key Reader Role to Azure AD Group Fig.7

Click on the Roles and select the role (Bitlocker Recovery Key Reader Role) you want to assign. Click Create.

Assign Bitlocker Recovery Key Reader Role to Azure AD Group Fig.8
Assign Bitlocker Recovery Key Reader Role to Azure AD Group Fig.8

You can also later assign the roles to the group from the Roles and administrators tab. Once the role has been mapped to the groups or users.

🛎️You must activate the role assignment when performing privileged actions if you have been made eligible for an administrative role, More information can be found here Assign Azure AD Roles Using Privileged Identity Management PIM

Find BitLocker Recovery Key in Intune Portal

BitLocker recovery key has required to help ensure that only an authorized person can unlock your Windows PC and restore access to your encrypted data. How can we get my BitLocker recovery key? The BitLocker recovery depends on how Windows PC is set up; there are different ways to get your recovery key.

You can access the BitLocker recovery key of the device registered in Intune. Here’s how you can access the keys for the device. You can also access it directly from AzureAD.

  • Sign in to the Microsoft Intune admin center  https://endpoint.microsoft.com/.
  • Choose Devices > All devices and select the device from the list. For Example, I selected the device CPC-jitesh53-DE.
Check BitLocker Recovery Key in Intune Portal Fig.9
Check BitLocker Recovery Key in Intune Portal Fig.9

Select Recovery Keys in the Monitor section to view the BitLocker recovery passwords.

BitLocker Recovery Key in Intune Portal
BitLocker Recovery Key in Intune Portal Fig.10

Select Show Recovery Key. If multiple entries exist, use the BITLOCKER KEY ID to select the correct BITLOCKER RECOVERY KEY.

Here’s how you can assign Azure AD Roles. The Azure AD PIM service also allows Privileged role administrators to make permanent admin role assignments, Assign Azure AD Roles Using Privileged Identity Management PIM

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

8 thoughts on “Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD”

  1. Facing an error after following above steps while seeing recovery keys in intune portal “you do not have access to view this bitlocker key”

    Reply
  2. I know this is an old post. We are having a weird issue where the custom role worked on all devices prior to a certain time. Now users with the same custom role are not able to view new devices bitlocker recovery keys “You do not have access to view this bitlocker recovery key”.

    Reply
  3. Martin – where you able to get this sorted? About to open a premier ticket tomorrow – but identical problem. Hoping to maybe avoid the ticket if you already opened one…

    Reply
  4. Hi,
    We are seeing the same thing, any update? Did you create a ticket? Did MS change anything and didnt say or we missed it?

    Reply
  5. Hey! Add microsoft.directory/auditLogs/allProperties/read and it will fix this issue that apparently broke in February 2024.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.