This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 75%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Hello All,
We are using Intune Encryption on Windows 10 systems. As I understood that enrolled user can see the recovery keys in My Account page (https://myaccount.microsoft.com/device-list).
There can be chances of data loss from legitimate user if user has access to recovery keys. Please correct if my understanding is wrong. How can we address this security point. Can we hide "View Bitlocker Keys" Option from My Account page so that in case of recovery User will always connect with internal Azure AD team for recovery keys?
Also do let us know if audit log captures in Intune portal if User access / read the BitLocker keys.
Please share your views on it.
Thanks and regards,
Kedar
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 57.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOM%3C/text%3E%3C/svg%3E)
Please use this guide: https://www.anoopcnair.com/block-hide-bitlocker-recovery-key-users-graph/As I understand it's possible using Intune Graph API
No, you cannot hide the key today. We are working on this functionality though. Same with additional auditing.
@Kedar Tamboli
Thank you for your post! Please let us know if you have any other questions.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@Jason Sandys This is really exciting information about this feature. Looking forward to the new release! : )
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 31%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
lots of my customer are asking this feature as well.
Cross finger~~~ @Jason Sandys
Still in the "working on" phase but progressing and getting closer to be being released (although when or if it is ever released is not up to me so no commitments).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 66%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPT%3C/text%3E%3C/svg%3E)
we need this feature, if IT can't manage the key that means user can execute by self.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 59%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
It would be awesome if we could get this feature soon enough!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 26%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Do we have any news on this issue? This functionality, which is active right now, seems to be a security issue and the IT team should have full control with the AAD permissions, so users should not be able to access this information.
The problem occurs because users in AAD have default permissions to read the bitlocker recovery keys of their owned devices.
Owned devices
Users can perform the following actions on owned devices:
Action Description
microsoft.directory/devices/bitLockerRecoveryKeys/read Read the devices.bitLockerRecoveryKeys property in Azure AD.
microsoft.directory/devices/disable Disable devices in Azure AD.
Thank you very much,
Best regards.
Do we have any news on this issue? This functionality, which is active right now, seems to be a security issue and the IT team should have full control with the AAD permissions, so users should not be able to access this information.
The problem occurs because users in AAD have default permissions to read the bitlocker recovery keys of their owned devices.
Owned devices
Users can perform the following actions on owned devices:
Action Description
microsoft.directory/devices/bitLockerRecoveryKeys/read Read the devices.bitLockerRecoveryKeys property in Azure AD.
microsoft.directory/devices/disable Disable devices in Azure AD.
Thank you very much,
Best regards.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 7.000000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
Hello @Jason Sandys
Is there any roadmap for this feature? when will apply and what phase/process Microsoft on ?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 15%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Hello Jason - Is there any good news on this feature to hide bitlocker key view under devices - myaccount page ?
Regards,
Ramesh
Good news? Yes, it's coming. There's nothing additional to disclose publicly at this time though.
Thank you Jason. Please let us know if any progress on the availability
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 13%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Looks like it is in preview, now!
Correct. I think this went public preview in July.