Recipe · Intune & Device Management
Retrieve BitLocker Recovery Keys for a User's Device via Microsoft Graph
Locate a user's Entra-joined or Intune-managed device and retrieve its BitLocker recovery key for drive unlock or recovery scenarios
Complexity
Intermediate
Impact
security + device-management + helpdesk + compliance
Context
Why This Matters
BitLocker recovery keys are required when a user is locked out of their encrypted Windows device; common triggers include TPM changes, firmware updates, forgotten PINs, boot configuration changes, or hardware repairs. As an IT admin, you need a fast, reliable path from user identity to recovery key without forcing the user to wait while you click through multiple portals.
Microsoft escrows BitLocker recovery keys to Entra ID (for Entra-joined or Hybrid-joined devices) and surfaces them through both the Intune/Entra admin portals and the `informationProtection/bitlocker/recoveryKeys` Microsoft Graph endpoint. This recipe walks through the full lookup chain: user -> registered/managed device -> recovery key(s) associated with that device.
Run this recipe whenever a helpdesk ticket asks for a BitLocker recovery key, during device reimaging workflows, or when validating that encryption keys are properly escrowed before decommissioning a laptop.
Expected Outcomes
After completing this recipe you will have:
- Identified the target user's registered and Intune-managed devices
- Mapped the device's `deviceId` (Azure AD Device ID) to one or more BitLocker recovery key records
- Retrieved the 48-digit numerical recovery password for a specific key ID
- An auditable record in the Entra ID audit log that a recovery key was viewed (regulatory/compliance trail)
- A repeatable script the helpdesk can use for future BitLocker unlock requests
Risks & Considerations
Before you run this:
- Reading a recovery key is audited. Every `GET` on a recovery key's `key` property generates an audit event in Entra ID. Treat recovery keys like credentials.
- Rotate the key after use. Once you share a recovery key with an end user, the key is considered compromised. Trigger a BitLocker key rotation via Intune (`rotateBitLockerKeys` action) once the device is unlocked and back online.
- Verify identity first. Never read out a recovery key without confirming the requester is the device owner (callback verification, MFA prompt, manager approval; follow your IR playbook).
- Personal devices are out of scope. Only Entra-joined, Hybrid-joined, or Intune-enrolled devices escrow keys to your tenant. BYOD / workplace-joined devices do not.
- High-privilege permissions. `BitlockerKey.Read.All` grants tenant-wide access to every recovery key; limit which admins hold roles that can consent to or exercise this scope (Cloud Device Administrator, Intune Administrator, Helpdesk Administrator with BitLocker recovery permission).
- Do not store recovery keys outside the tenant. Avoid pasting them into ticketing systems, chat, or email. Read once, use once, rotate.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| User.Read.All | Resolve the UPN to the user's object ID and read basic directory information. |
| Device.Read.All | List Entra ID registered devices owned by the user and retrieve the device's deviceId (Azure AD Device ID). |
| DeviceManagementManagedDevices.Read.All | Query Intune-managed devices filtered by userPrincipalName to correlate the managed device with its Azure AD Device ID. |
| BitlockerKey.ReadBasic.All | List BitLocker recovery key metadata (id, deviceId, createdDateTime, volumeType) without exposing the recovery password. |
| BitlockerKey.Read.All | Retrieve the actual 48-digit recovery password via $select=key on a specific recovery key resource. |
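The lookup chain above, end to end, as an added example written against the Microsoft Graph PowerShell SDK (it is not code from the original recipe). It assumes the SDK is installed, the signed-in admin holds the permissions in the table, and that `$Upn` and the client name/version header values are placeholders you replace.

```powershell
# Added example: UPN -> Intune-managed device -> BitLocker key metadata -> one recovery password.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string] $ClientName    = 'HelpdeskBitLockerLookup',  # constructed placeholder
    [string] $ClientVersion = '1.0'                       # constructed placeholder
)

# ReadBasic is enough for steps 1-3; Read.All is only needed for the final $select=key call.
Connect-MgGraph -Scopes 'User.Read.All','Device.Read.All',
    'DeviceManagementManagedDevices.Read.All','BitlockerKey.Read.All' | Out-Null

# The recoveryKeys endpoint requires both client-identification headers on every request.
$headers = @{ 'ocp-client-name' = $ClientName; 'ocp-client-version' = $ClientVersion }

# 1. Resolve the UPN to the user object.
$user = Get-MgUser -UserId $Upn -Property id,userPrincipalName

# 2. Find the user's Intune-managed Windows devices. azureADDeviceId is the deviceId
#    under which the recovery key was escrowed (not the Intune managedDevice id).
$managed = Get-MgDeviceManagementManagedDevice `
    -Filter "userPrincipalName eq '$($user.UserPrincipalName)'" `
    -Property id,deviceName,azureADDeviceId,operatingSystem |
    Where-Object OperatingSystem -eq 'Windows'

# 3. List key metadata per device. No key material is returned here, so this step
#    does not generate the "recovery key viewed" audit event.
foreach ($dev in $managed) {
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" +
           "?`$filter=deviceId eq '$($dev.AzureAdDeviceId)'"
    $keys = (Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $headers).value
    foreach ($k in $keys) {
        Write-Host "$($dev.DeviceName)  keyId=$($k.id)  volume=$($k.volumeType)  created=$($k.createdDateTime)"
    }
}

# 4. Only after the requester's identity is verified: fetch the 48-digit password for ONE key id.
#    This is the call that is audited in Entra ID and that needs BitlockerKey.Read.All.
function Get-BitLockerRecoveryPassword([string] $KeyId) {
    $uri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$KeyId?`$select=key"
    return (Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $headers).key
}
# Usage: $recoveryPassword = Get-BitLockerRecoveryPassword -KeyId '<keyId printed in step 3>'
```

Pick the key whose `volumeType` matches the drive being unlocked (the OS volume is the usual case), read the password to the user, and then rotate the key from Intune as the recipe recommends.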
The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.