IntuneBytes-Bitlocker

BitLocker key access via LOB App

BitLocker key access – The problem

When a device enrolled through Windows Autopilot is reused and handed to a new owner, that owner has to contact an administrator to obtain the BitLocker recovery key for the device. Administrators scoped by a custom role or an administrative unit lose access to the recovery keys of devices whose ownership has changed, so these scoped administrators in turn have to ask a non-scoped administrator for the key.

But we don't want to contact a Global Administrator or Intune Administrator every time we need a recovery key. Do we have any alternatives?

BitLocker key access – The solution

Yes, we have, and this is what we explain here.

The alternative is a line-of-business (LOB) application that uses app-only BitLocker permissions in Microsoft Graph to read the recovery keys for these devices.

Here is how you can implement it

  1. Register the App in Azure AD (Azure Portal)

To interact with Microsoft Graph, the app needs to be registered in Azure Active Directory (now Microsoft Entra ID).

    1. Go to the Azure Portal.
    2. Navigate to Azure Active Directory > App registrations > New registration.
    3. Provide a name for your app and choose the supported account types (single tenant is enough here). A redirect URI is optional; the client credentials flow used below does not need one.
    4. Once registered, note the two values you will need later:
      1. Application (client) ID
      2. Directory (tenant) ID

  2. Configure API Permissions

    1. In the app registration, go to API permissions.
    2. Click Add a permission, select Microsoft Graph, and choose the permission type "Application permissions".
    3. Add BitLockerKey.Read.All to read the recovery keys themselves, or BitLockerKey.ReadBasic.All to read only the key metadata (key ID, device ID, volume type, backup date) without the recovery password.
    4. Grant admin consent for the app.

Application permissions are not scoped. An app holding BitLockerKey.Read.All can read every escrowed recovery key in the tenant, so its credential is effectively a master key for all BitLocker-protected volumes and must be protected as such: restrict who can run the app, and monitor its use.

  3. Generate Client Secret or Certificate

    1. Go to the Certificates & secrets tab in your app registration.
    2. Create a client secret or upload a certificate that the app will use to authenticate itself. A certificate is the stronger choice; if you use a secret, give it a short lifetime and keep it in a secrets store, not in a script.

Client secret values cannot be viewed except immediately after creation. Be sure to save the secret when it is created, before leaving the page.

  4. Acquire Access Token

Obtain an OAuth 2.0 access token with the client credentials flow. Any HTTP client will do (Postman, cURL, PowerShell):

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

Request body

client_id={client_id}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={client_secret}
&grant_type=client_credentials

After a successful request, the JSON response contains an access_token to use as a Bearer token in the Microsoft Graph API calls. The token expires after roughly an hour, so request a fresh one per run rather than storing it.

  5. Make API Calls to Retrieve the BitLocker Key

BitLocker recovery keys are exposed by Microsoft Graph under informationProtection/bitlocker/recoveryKeys, not under the Intune managedDevices resource. Retrieval takes two calls.

First, list the keys that were backed up from the device, filtering on the device's Azure AD device ID (the deviceId property of the device object, not the Intune managed device ID):

GET https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?$filter=deviceId eq '{azure-ad-device-id}'
Authorization: Bearer {access_token}

Response: the list contains one entry per escrowed key with its id, createdDateTime, volumeType and deviceId. The recovery password itself is never returned by a list call.

Second, fetch the key you want by its id and ask explicitly for the key property. This is the call that requires BitLockerKey.Read.All; ReadBasic.All is refused here:

GET https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/{bitlockerRecoveryKeyId}?$select=key
Authorization: Bearer {access_token}

Response: the key property holds the 48-digit recovery password for that volume.
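The whole procedure above, end to end, as an added PowerShell example (this is not code from the original post). It assumes an app registration that already holds the BitLockerKey.Read.All application permission with admin consent; the tenant ID, client ID, client secret and device ID are parameters you supply, and the device ID is the Azure AD deviceId of the device, not the Intune managed device ID.

```powershell
<#
Added example, not from the original post: read a device's BitLocker recovery keys
through Microsoft Graph with app-only permissions (client credentials flow).
Assumes an app registration with BitLockerKey.Read.All (Application) and admin consent.
Works in Windows PowerShell 5.1 and PowerShell 7.
#>
param(
    [Parameter(Mandatory)] [string]       $TenantId,     # Directory (tenant) ID
    [Parameter(Mandatory)] [string]       $ClientId,     # Application (client) ID
    [Parameter(Mandatory)] [securestring] $ClientSecret, # value from Certificates & secrets
    [Parameter(Mandatory)] [string]       $DeviceId      # Azure AD deviceId (GUID), not the Intune managed device ID
)

# Step 4: client credentials flow. The secret is only exposed in memory for the token request.
$plainSecret   = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        scope         = 'https://graph.microsoft.com/.default'
        client_secret = $plainSecret
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Step 5a: list the keys escrowed from this device. A list call returns metadata only
# (id, createdDateTime, volumeType, deviceId); the recovery password is never in a list.
$graph   = 'https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys'
$listUri = "{0}?`$filter=deviceId eq '{1}'" -f $graph, $DeviceId
$keys    = (Invoke-RestMethod -Method Get -Uri $listUri -Headers $headers).value

if (-not $keys) {
    Write-Warning "No BitLocker recovery keys are escrowed for device $DeviceId"
    return
}

# Step 5b: fetch each key individually with $select=key. This is the call that needs
# BitLockerKey.Read.All; with only ReadBasic.All it is refused.
foreach ($k in $keys) {
    $detail = Invoke-RestMethod -Method Get -Headers $headers -Uri "$graph/$($k.id)?`$select=key"
    [pscustomobject]@{
        KeyId       = $k.id
        VolumeType  = $k.volumeType      # operatingSystemVolume, fixedDataVolume or removableDataVolume
        BackedUp    = $k.createdDateTime
        RecoveryKey = $detail.key        # 48-digit recovery password: treat the output as a secret
    }
}
```

Save the script under a name of your choice and run it with the four parameters, passing the secret as a securestring (for example via Read-Host -AsSecureString) so it does not land in your shell history. Because every key returned is a working recovery password, pipe the output only where it is needed and do not write it to a log file.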
