Continuing our “Setting the Security Basics Right” series in Microsoft Entra ID, today we’re focusing on devices and a common oversight that can compromise your BitLocker strategy.
By default, users can easily retrieve their own BitLocker recovery keys:

- Navigate to myaccount.microsoft.com → Devices tab → Select device → View BitLocker recovery key
One click, and the key is visible—bypassing any BitLocker policies configured via Intune. In an enterprise environment, this creates unnecessary risk, as recovery keys should be strictly controlled and accessed only through IT or helpdesk channels.
How to fix this:

- Go to Microsoft Entra Admin Center → Devices → Device settings
- Scroll to the bottom
- Set “Restrict users from recovering the BitLocker key(s) for their owned devices” to Yes
This prevents non-admin users from accessing BitLocker keys while allowing admins with appropriate roles to retain full access.
Bonus recommendation:
While in Device settings, enable Microsoft Entra Local Administrator Password Solution (LAPS). This activates cloud-based LAPS for Entra-joined and hybrid devices, providing secure storage, automatic rotation, and controlled retrieval of local admin passwords. It’s especially useful if you plan to roll out LAPS policies via Intune.
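As an added example (not code from the original post), the same two settings can be audited from a script rather than the portal, which makes the check repeatable across tenants and lets you enforce the BitLocker setting if it has drifted. It uses Microsoft Graph PowerShell and assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, that the portal toggle “Restrict users from recovering the BitLocker key(s)…” corresponds to the `allowedToReadBitlockerKeysForOwnedDevice` permission on the tenant's authorization policy, and that the LAPS toggle corresponds to `localAdminPassword.isEnabled` on the (beta) device registration policy.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph and Microsoft.Graph.Beta modules installed; the signed-in
# account holds a role allowed to edit the tenant authorization policy.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization"

# 1. BitLocker recovery key self-service.
#    Portal setting "Restrict users from recovering the BitLocker key(s) for their
#    owned devices" = Yes corresponds to allowedToReadBitlockerKeysForOwnedDevice = $false
#    on defaultUserRolePermissions of the tenant's authorization policy.
$authPolicy  = Get-MgPolicyAuthorizationPolicy
$canReadKeys = $authPolicy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice

if ($canReadKeys) {
    Write-Warning "Non-admin users can currently read BitLocker recovery keys for their own devices."

    # Enforce: flip only this permission; other defaultUserRolePermissions values are left as they are.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        allowedToReadBitlockerKeysForOwnedDevice = $false
    }
    Write-Output "Self-service BitLocker key retrieval is now restricted to admin roles."
}
else {
    Write-Output "OK: self-service BitLocker key retrieval is already restricted."
}

# 2. Microsoft Entra LAPS (read-only check).
#    The toggle lives on the device registration policy, exposed in the beta endpoint.
$regPolicy = Get-MgBetaPolicyDeviceRegistrationPolicy
if ($regPolicy.LocalAdminPassword.IsEnabled) {
    Write-Output "OK: Microsoft Entra LAPS is enabled."
}
else {
    Write-Warning "Microsoft Entra LAPS is disabled; enable it under Devices > Device settings before rolling out LAPS policies via Intune."
}

Disconnect-MgGraph | Out-Null
```

Run the script read-only first (comment out the `Update-MgPolicyAuthorizationPolicy` call) to see the current state, then let it enforce once you have confirmed helpdesk staff hold a role that can still read recovery keys from the Entra device blade.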
#MicrosoftEntraID #Intune #BitLocker #Cybersecurity #EndpointSecurity #LAPS #Microsoft365 #MicrosoftSecurity
