Azure – You can now restrict access to the BitLocker recovery key (preview)

As you probably already know when you enable BitLocker on a Windows device you can save the recovery key to either Active Directory, Azure Active Directory, a USB device, a file or even print it.

By default, end-users can access the BitLocker recovery key for the device they own by accessing the BitLocker keys blade in Azure AD (also called self-service BitLocker key access) or by accessing the device they own properties

image  image

Well, you can now restrict access to the BitLocker recovery key when saved on Azure.

To do so, you need to update the authorization policy using Microsoft Graph (you need to have Microsoft Graph PowerShell module installed – Install-Module Microsoft.Graph)

Connect-MgGraph -Scopes Policy.ReadWrite.Authorization
$authPolicyUri = “”
$body = @{
     defaultUserRolePermissions = @{
         allowedToReadBitlockerKeysForOwnedDevice = $false #Set this to $true to allow BitLocker self-service recovery
}| ConvertTo-Json
Invoke-MgGraphRequest -Uri $authPolicyUri -Method PATCH -Body $body
# Show current policy setting
$authPolicy = Invoke-MgGraphRequest -Uri $authPolicyUri

When connecting to Microsoft Graph, you may be requested to grant permissions – I would recommend to enable the Consent on behalf of your organization

image  image

When you have updated the policy to turn off the self-service BitLocker key access, only user with either the following role will be able to access the BitLocker key:

  • Global admins
  • Intune Service Administrators
  • Security Administrators
  • Security Readers
  • Helpdesk Admins
  • or custom role with the BitLocker key read permissions


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.