Introduction
Device disk encryption has gone mainstream, and there’s a good chance that you or your organization is using Microsoft BitLocker. Typically, copies of the keys to decrypt disks are stored in Active Directory and/or Entra ID - just in case. In the case of the former, you probably have no reason to worry, but have you considered who has access to the keys in Microsoft Entra? Can a regular employee see the key to decrypt their computer without additional privileges?
In the following post, I will answer these and other questions. Feel free to check it out.
TL;DR
When you enabled Microsoft BitLocker disk encryption, you generated very long keys, copies of which are stored in your Active Directory, Microsoft account, and/or Entra ID. By default, your employees can see them without any additional permissions - they just need to be assigned to the device object in Entra as its owner. This article describes how to disable this feature and explains the risks involved.
Through the eyes of the user
Do you have a company computer encrypted with Microsoft BitLocker? It’s time for a quick test.
Go to myaccount.microsoft.com, select the Devices tab, and click on your device object. In my case, it is a computer named HEPHAESTUS.
You’ll see a magic button to view your recovery key, which can unlock your hard drive if the device is encrypted and a copy of the recovery key has been sent to Microsoft Entra (Azure AD).
If you don’t see the View BitLocker Keys button, it is quite possible that your administrator has already read this post and ruined all the fun by disabling this option.
Default setting risks
Well, I can see the magic button and the keys, but so what? It all depends 🙃
For example, if you have evil intentions and some technical and manual skills, you can remove the disk from your device, plug it into a Kali Linux machine, and accidentally decrypt it to copy your favorite cat memes (the contents of the disk) undetected. You can also add a new local administrator account because your previous one has been taken away by your annoying IT department.
How to change the default configuration
Very simple. Just change the value of the AllowedToReadBitlockerKeysForOwnedDevice setting via Microsoft Graph (CLI) or toggle it in the Microsoft Entra admin center (GUI). The method is up to you 😉
Open Windows PowerShell with the Microsoft.Graph module installed, and then do the following:
Connect to Microsoft Graph with the Policy.ReadWrite.Authorization scope:
    Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.Authorization
Check the current value of the AllowedToReadBitlockerKeysForOwnedDevice setting:
    Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List
Change the AllowedToReadBitlockerKeysForOwnedDevice setting value from True to False:
    $RolePermissions = @{}
    $RolePermissions["AllowedToReadBitlockerKeysForOwnedDevice"] = $False
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $RolePermissions
Read the setting back to confirm the new value:
    Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List
Alternatively, go to the Microsoft Entra admin center and toggle the same setting there.
How do we check if our changes are working?
Go back to myaccount.microsoft.com and verify that the View BitLocker Keys button has disappeared.
The button is no longer there, which means it works… or at least that’s what I was going to write, but it turns out that Microsoft recently screwed up and the button no longer disappears…
Fortunately, this is only a visual aspect, because pressing the button produces the following error:
For further confirmation, I checked if I could read the key from the recently added option in Company Portal.
Another error, again with the wrong message 🤣
The machine was compliant, and after restoring the default setting for recovery key visibility in Entra, compliance was not an issue at all... Well done, Microsoft.
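The change and the check from the two sections above, as an added script that is not part of the original post: it applies the setting only if it still reads True and then verifies the value from the directory itself rather than trusting the portal button, which the post shows can stay visible after the change. It assumes the Microsoft.Graph module is installed and the signed-in account holds a role allowed to write the authorization policy.

```powershell
# Added example, not code from the original post.
# Hardens AllowedToReadBitlockerKeysForOwnedDevice idempotently and verifies the result
# by reading the authorization policy back from Microsoft Graph.

function Get-BitLockerOwnerReadSetting {
    # Returns $true when device owners may read their own BitLocker recovery keys.
    $policy = Get-MgPolicyAuthorizationPolicy
    return [bool]$policy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
}

function Disable-BitLockerOwnerRead {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-BitLockerOwnerReadSetting
    Write-Host "Current value: AllowedToReadBitlockerKeysForOwnedDevice = $current"

    if (-not $current) {
        Write-Host "Already disabled; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess("Authorization policy", "Set AllowedToReadBitlockerKeysForOwnedDevice to False")) {
        # Same PATCH the post performs, just wrapped so it only runs when needed.
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
            AllowedToReadBitlockerKeysForOwnedDevice = $false
        }

        # Verify against the directory, not the myaccount.microsoft.com button.
        $after = Get-BitLockerOwnerReadSetting
        if ($after) {
            throw "Verification failed: setting still reads True after the update."
        }
        Write-Host "Verified: device owners can no longer read their own BitLocker keys."
    }
}

Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.Authorization
Disable-BitLockerOwnerRead -WhatIf   # dry run; remove -WhatIf to apply the change
```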
I’m an admin, will I lose access too?
Yes and no… As usual, it depends.
If your administrator roles include permissions to view BitLocker keys, you can still view them by using either myaccount.microsoft.com or the Microsoft Entra admin center. Of course, as an admin, you have access to the recovery keys of all devices, not just those that you own.
Access to BitLocker keys is granted by specific directory role permissions. For example, the Intune Administrator, Security Administrator, and Security Reader roles have these privileges.
Conclusion
Congratulations! You just increased the number of calls to your helpdesk by 21.37%! The things you do for security, right?
As a reward for your heroism, enjoy your meme:
Nobody said it would be funny.
See you next time!
PS: Did you know that Microsoft is going to add the ability to create custom emojis to Microsoft Teams this June? Can’t wait for that 🤣
PS2: You can find more memes about Microsoft BitLocker here. The article is really good, by the way.