Microsoft Key Management (Handling, Storage, Encryption...etc.)

Ahmad Zein 60 Reputation points
2024-06-12T13:39:30.69+00:00

Hello everyone, as I am working on Intune in my organization I am having a hard time understanding the key management performed by Microsoft. To further clarify, we are simply trying to comprehend how keys are being stored (Bitlocker in our case), how they are being handled by Microsoft. We have visualized that the recovery key can be found backed up in Entra ID and in Intune based on which device we select since we applied the Bitlocker Profile, however what really happens in the background is unbeknownst to us regarding if the recovery key is encrypted, where it is exactly stored by Microsoft...etc. In case of loss of the key can Microsoft handle this matter if a case is ensued or not.

If possible we would like to know how the keys in general are being safeguarded and managed by Microsoft as it is crucial for our organization.

Kindest regards !

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,190 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,739 questions
{count} votes

Accepted answer
  1. ZhoumingDuan-MSFT 11,050 Reputation points Microsoft Vendor
    2024-06-13T06:15:23.4833333+00:00

    @Ahmad Zein, Thanks for posting in Q&A.

    When we enable BitLocker, we can decide where to store the recovery key, such as Microsoft Entra ID, AD DS, stored on text file or be Printed. As for the encryption mechanism and storage location of the key, currently, there is no information detailing it.

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview#bitlocker-recovery-password

    Remember, saving the BitLocker key is an important thing, make sure you keep it safe.

    As for BitLocker key rotation, every rotation automatically generates a new recovery key for end users.

    https://techcommunity.microsoft.com/t5/intune-customer-success/using-bitlocker-recovery-keys-with-microsoft-endpoint-manager/ba-p/2255517

    Hope it will help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful