Microsoft Key Management (Handling, Storage, Encryption...etc.)

Question

Hello everyone, as I am working on Intune in my organization I am having a hard time understanding the key management performed by Microsoft. To further clarify, we are simply trying to comprehend how keys are being stored (Bitlocker in our case), how they are being handled by Microsoft. We have visualized that the recovery key can be found backed up in Entra ID and in Intune based on which device we select since we applied the Bitlocker Profile, however what really happens in the background is unbeknownst to us regarding if the recovery key is encrypted, where it is exactly stored by Microsoft...etc. In case of loss of the key can Microsoft handle this matter if a case is ensued or not.

If possible we would like to know how the keys in general are being safeguarded and managed by Microsoft as it is crucial for our organization.

Kindest regards !

Answer 1

@Ahmad Zein, Thanks for posting in Q&A.

When we enable BitLocker, we can decide where to store the recovery key, such as Microsoft Entra ID, AD DS, stored on text file or be Printed. As for the encryption mechanism and storage location of the key, currently, there is no information detailing it.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview#bitlocker-recovery-password

Remember, saving the BitLocker key is an important thing, make sure you keep it safe.

As for BitLocker key rotation, every rotation automatically generates a new recovery key for end users.

https://techcommunity.microsoft.com/t5/intune-customer-success/using-bitlocker-recovery-keys-with-microsoft-endpoint-manager/ba-p/2255517

Hope it will help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.