By: Aasawari Navathe – Sr. Product Manager | Microsoft Intune

With the May (2405) service release of Microsoft Intune, users are now able to access the BitLocker recovery key of their Intune enrolled devices using the Intune Company Portal website. This enables users to self-resolve, rather than contacting their helpdesk, when they’re locked out of their machines and need to access their BitLocker recovery key.

What are the prerequisites?

Enrolled Windows device into Intune tenant
Ability to log into the Intune Company Portal website from a device (doesn’t need to be enrolled)
Permission to view your BitLocker recovery key (if one exists in Microsoft Entra ID)

We’re working to add the ability to view the BitLocker recovery key from the native Company Portal apps on other platforms like Apple iOS/iPadOS and macOS. The Intune Company Portal website can be used on other platforms.

How does this work?

After opening the Intune Company Portal website, navigate to the Devices node, select the enrolled Windows device, and click “Get recovery key” under Device Encryption. If there are multiple recovery keys found, click “Show recovery key” under the one with the key ID that is needed. Users may then use this recovery key to complete the recovery process on their enrolled Windows device without reaching out to the helpdesk.

Example BitLocker Recovery Key for a Windows device in the Microsoft Intune Company Portal website.

Features for BitLocker recovery key access in Microsoft Entra ID

We heard the customer feedback on what level of control IT admins need within their organization for this scenario. While Intune helps configure policy to define the escrow of BitLocker recovery keys, these keys are stored within Entra ID. There are three capabilities within Entra ID that are helpful to use in conjunction with self-service BitLocker recovery key access for users.

Tenant-wide toggle to prevent recovery key access for non-admin users

This setting is located in the Entra ID > Devices > Device settings.

The tenant-wide toggle for restricting users from their BitLocker recovery keys.

This setting determines if users can self-service to recover their BitLocker key(s). The default value is ‘No’ which allows all users to recover their BitLocker key(s). ‘Yes’ restricts non-admin users from being able to see the BitLocker key(s) for their own devices if there are any. Learn more: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center.

Example scenario where a Windows recovery key could not be retrieved in the Microsoft Intune Company Portal website.

In the event that the admin has restricted recovery key access for users, users will receive the message “Recovery key could not be retrieved” in the Company Portal website.

Auditing for recovery key access

Audit Logs within the Entra ID portal show the history of activities within the tenant. Any user recovery key accesses made through the Company Portal website will be logged in Audit Logs under the Key Management category as a “Read BitLocker key” activity type. The user’s User Principal Name and additional info such as key ID is also logged.

Learn more: Learn about the audit logs in Microsoft Entra ID.


Entra Conditional Access policy requiring a compliant device to access BitLocker Recovery Key

With Conditional Access policy (CA), you can restrict the access to certain corporate resources if a device is not compliant with the “Require compliant device” setting. If this is set up within your organization, and a device fails to meet the Compliance requirements configured in the Intune Compliance policy, that device cannot be used to access the BitLocker Recovery Key as it is considered a corporate resource which is access controlled by CA.

In this case, you may see an error like below which suggests using a compliant device for recovery key access.

With the 2405 release, get started on this new capability for user self-service BitLocker recovery key access with the Intune Company Portal website!

Let us know your thoughts or if you have any questions, by leaving a comment below or reach out to us on X @IntuneSuppTeam.

​Microsoft Tech Community – Latest Blogs –Read More