Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD

Let’s learn how you can create a custom role to read BitLocker keys for managed devices. A BitLocker Recovery Key Reader role is required to help ensure that only an authorized person can unlock a Windows PC and restore access to its encrypted data.

BitLocker likely ensured that a recovery key was safely backed up prior to activating protection. There are several places that your recovery key may be, depending on the choice that was made when activating BitLocker:

BitLocker is a built-in Windows data protection feature capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled.

Microsoft also added support to hide recovery keys from end users. This improves the devices’ security posture and prevents attackers from obtaining BitLocker recovery keys from Windows devices.


This new feature for restricting access to the BitLocker recovery key lets you choose whether end users can view their own BitLocker recovery key. At this point, many organizations don’t have the option to disable this feature.

Create Custom BitLocker Recovery Key Reader Role

You can create a custom BitLocker Recovery Key Reader role that includes only the permissions required for a specific job function. After creating the custom role, you can assign it to any users who need those permissions. Here’s how you can create a BitLocker keys RBAC role in Azure AD:

To create, edit, or assign roles, your account must have Global Administrator or Privileged Role Administrator permissions in Azure AD.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.1

In Roles and administrators, click New custom role.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.2

On the Basics page, enter a name for the BitLocker Recovery Key Reader role (for example, BitLocker Recovery Key Reader) and a description for the new role, then choose Next.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.3

On the Permissions page, choose the permissions you want to include in this role. To add the BitLocker key read permission, search with the keyword “Bitlocker Key”; the microsoft.directory/bitlockerKeys/key/read permission will appear. Select that permission and nothing else, so the role stays limited to reading recovery keys.

Permission                                    Description
microsoft.directory/bitlockerKeys/key/read    Read BitLocker metadata and key on devices
Table 1 – Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.4

On Review + create, review the permissions assigned to the role, then click Create.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.5

A notification will appear automatically in the top right-hand corner with the message “Successfully created ‘BitLocker Recovery Key Reader’ custom role”. Click the Refresh button at the top to reload the list of roles; the custom BitLocker Recovery Key Reader role is now listed.

Configure RBAC Roles for BitLocker Recovery Key Reader in Azure AD Fig.6

What minimum role-based access control (RBAC) rights are required to access the Intune console recovery key? To access the recovery keys, an administrator must be granted Helpdesk Administrator permissions.

Assign BitLocker Recovery Key Reader Role to Azure AD Group

Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can’t be an Azure AD dynamic group.

  • In Azure AD, select Groups, and click New Group.
  • Enter a Name and, optionally, a Description. Set “Azure AD roles can be assigned to the group” to Yes.
  • Next, add members to the group.

Assign BitLocker Recovery Key Reader Role to Azure AD Group Fig.7

Click Roles and select the role you want to assign (BitLocker Recovery Key Reader). Click Create.

Assign BitLocker Recovery Key Reader Role to Azure AD Group Fig.8

You can also assign the role to the group later from the Roles and administrators tab, after which the role is mapped to the group or users.
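The same role creation, role-assignable group and assignment can be scripted with the Microsoft Graph PowerShell SDK, which is useful when the custom role has to be reproduced across tenants or reviewed later. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the signed-in account is a Global or Privileged Role Administrator, and the group display name and mail nickname are placeholders you rename.

```powershell
# Added example (not from the original post): build the custom role, the
# role-assignable group and the assignment with the Microsoft Graph SDK.
# Assumes the Microsoft.Graph module is installed and the caller holds
# Global Administrator or Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All"

# 1. Custom role carrying only the single permission the post selects.
$roleParams = @{
    DisplayName     = "BitLocker Recovery Key Reader"
    Description     = "Can read BitLocker recovery keys on devices"
    IsEnabled       = $true
    RolePermissions = @(
        @{ AllowedResourceActions = @("microsoft.directory/bitlockerKeys/key/read") }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition @roleParams

# 2. Role-assignable security group. Membership type is Assigned by design;
#    a role-assignable group cannot be dynamic. Names are placeholders.
$group = New-MgGroup -DisplayName "BitLocker Key Readers" `
    -MailNickname "bitlockerkeyreaders" -MailEnabled:$false `
    -SecurityEnabled -IsAssignableToRole

# 3. Assign the role to the group at tenant scope ("/").
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# 4. Verification: list every principal that now holds the role, so the
#    assignment can be reviewed as part of periodic access reviews.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object { Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId } |
    Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties.displayName } }
```

Step 4 should return only the group you just created; any additional principal in that list is an assignment worth investigating.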

Find BitLocker Recovery Key in Intune Portal

A BitLocker recovery key is required to help ensure that only an authorized person can unlock your Windows PC and restore access to your encrypted data. How can you get a BitLocker recovery key? Recovery depends on how the Windows PC was set up; there are different ways to retrieve the key.

You can access the BitLocker recovery key of a device registered in Intune. Here’s how you can access the keys for a device. You can also access them directly from Azure AD.

  • Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com/.
  • Choose Devices > All devices and select the device from the list. For example, I selected the device CPC-jitesh53-DE.

Check BitLocker Recovery Key in Intune Portal Fig.9

Select Recovery Keys in the Monitor section to view the BitLocker recovery passwords.

BitLocker Recovery Key in Intune Portal Fig.10

Select Show Recovery Key. If there is more than one entry, use the BITLOCKER KEY ID to select the correct BITLOCKER RECOVERY KEY.
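The same lookup can be done through Microsoft Graph, which is handy for a helpdesk script that first lists key IDs for a device and only then retrieves the one key that is needed. This is an added example, not code from the original post; it assumes the caller holds the custom BitLocker Recovery Key Reader role described above, the Microsoft.Graph.Identity.SignIns module is installed, and the device object ID is a placeholder.

```powershell
# Added example (not from the original post): list BitLocker key metadata
# for one Azure AD device, then read a single recovery password. Assumes
# the caller holds the BitLocker Recovery Key Reader role and the
# Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes "BitLockerKey.Read.All"

$deviceId = "<azure-ad-device-object-id>"   # placeholder, not a real ID

# Metadata only (key ID, creation time, volume type); the password itself
# is not returned by the list call.
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$deviceId'"
$keys | Select-Object Id, CreatedDateTime, VolumeType

# Pick the newest key ID, as the portal's BITLOCKER KEY ID column would
# let you do, and request the key property for that one entry only.
# Reading the key is recorded in the Azure AD audit log, so fetch one
# key per incident rather than every key on the device.
$latest = $keys | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$full = Get-MgInformationProtectionBitlockerRecoveryKey `
    -BitlockerRecoveryKeyId $latest.Id -Property key
$full.Key   # 48-digit recovery password for the selected key ID
```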

About the Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT industry. He writes and shares his experiences related to Microsoft device management technologies and IT infrastructure management. His primary focus is Windows 10/11 deployment solutions with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.