Introduction

Device disk encryption has gone mainstream, and there’s a good chance that you or your organization is using Microsoft BitLocker. Typically, copies of the keys to decrypt disks are stored in Active Directory and/or Entra ID - just in case. In the case of the former, you probably have no reason to worry, but have you considered who has access to the keys in Microsoft Entra? Can a regular employee see the key to decrypt their computer without additional privileges?

In the following post, I will answer these and other questions. Feel free to check it out.

TL;DR

When you enabled Microsoft BitLocker disk encryption, you generated very long keys, copies of which are stored in your Active Directory, Microsoft account, and/or Entra ID. By default, your employees can see them without any additional permissions - they just need to be assigned to the device object in Entra as its owner. This article describes how to disable this feature and explains the risks involved.

Through the eyes of the user

Do you have a company computer encrypted with Microsoft BitLocker? It’s time for a quick test.

Go to myaccount.microsoft.com, select the Devices tab, and click on your device object. In my case, it is a computer named HEPHAESTUS.

You’ll see a magic button to view your recovery key, which can unlock your hard drive if the device is encrypted and a copy of the recovery key has been sent to Microsoft Entra (Azure AD).

If you don’t see the View BitLocker Keys button, it is quite possible that your administrator has already read this post and ruined all the fun by disabling this option.

Default setting risks

Well, I can see the magic button and the keys, but so what? It all depends 🙃

For example, if you have evil intentions and some technical and manual skills, you can remove the disk from your device, plug it into a Kali Linux machine, and accidentally decrypt it to copy your favorite cat memes (the contents of the disk) undetected. You can also add a new local administrator account because your previous one has been taken away by your annoying IT department.

How to change the default configuration

Very simple. Just change the value of the AllowedToReadBitlockerKeysForOwnedDevice setting via Microsoft Graph (CLI) or toggle it in Microsoft Entra admin center (GUI).

The method is up to you 😉

Microsoft Graph

Open Windows PowerShell with the Microsoft.Graph module installed, and then do the following:

  1. Connect to the Microsoft Graph service via the Connect-MgGraph command (the switch is -NoWelcome; without the dash PowerShell tries to bind it as a positional argument and the call fails):

    Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.Authorization

  2. Check the current value of the AllowedToReadBitlockerKeysForOwnedDevice setting.

    Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List

    [Screenshot: Get-MgPolicyAuthorizationPolicy results]
  3. Modify the AllowedToReadBitlockerKeysForOwnedDevice setting value from True to False:

    $RolePermissions = @{}
    $RolePermissions["AllowedToReadBitlockerKeysForOwnedDevice"] = $False
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $RolePermissions

    [Screenshot: Change AllowedToReadBitlockerKeysForOwnedDevice value]
  4. You won’t get a message confirming that the setting has been changed, so it’s worth double-checking that the value has actually been changed.

    Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List

    [Screenshot: Get-MgPolicyAuthorizationPolicy results after changes]
  5. Done - now all you have to do is wait for the changes to be applied by Microsoft.
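The five steps above folded into one idempotent script, as an added example that is not part of the original post: it reads the current value, changes it only if needed, and, because Update-MgPolicyAuthorizationPolicy prints nothing on success, reads the policy back to prove the change took. The function name and its -Allowed parameter are this example's own choices; the cmdlets and the Policy.ReadWrite.Authorization scope are the ones the post uses.

```powershell
# Added example, not code from the original post.
# Check, change and verify AllowedToReadBitlockerKeysForOwnedDevice in one step.
Import-Module Microsoft.Graph.Identity.SignIns

function Set-BitLockerKeySelfService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true  = Entra default: device owners can read their own recovery keys
        # $false = device owners can no longer read their own recovery keys
        [Parameter(Mandatory)] [bool] $Allowed
    )

    # Same scope the post uses for this change
    Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

    $current = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
    Write-Verbose "Current AllowedToReadBitlockerKeysForOwnedDevice = $current"

    if ($current -eq $Allowed) {
        Write-Host "No change needed: value is already $Allowed"
        return $current
    }

    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set AllowedToReadBitlockerKeysForOwnedDevice to $Allowed")) {
        # Only this one property is sent; the remaining DefaultUserRolePermissions are left untouched
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
            AllowedToReadBitlockerKeysForOwnedDevice = $Allowed
        }

        # No confirmation is returned on success, so read the policy back and fail loudly if it did not stick
        $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
        if ($after -ne $Allowed) {
            throw "Update did not take effect: AllowedToReadBitlockerKeysForOwnedDevice is still $after"
        }
        Write-Host "AllowedToReadBitlockerKeysForOwnedDevice is now $after"
        return $after
    }
}

# Usage: restrict key self-service, which is what the post recommends.
# Add -WhatIf to see what would change without touching the tenant.
Set-BitLockerKeySelfService -Allowed $false -Verbose
```

Run the same function with -Allowed $true to restore the default if the helpdesk load turns out to be more than you bargained for.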

Microsoft Entra admin center

Go to Microsoft Entra admin center, and then do the following:

  1. Go to Devices > All devices and select Device settings.
    [Screenshot: Microsoft Entra > Device settings]
  2. Locate the Restrict users from recovering the BitLocker key(s) for their owned devices setting and change it from No to Yes.
    [Screenshot: Microsoft Entra > Restrict users from recovering the BitLocker key(s) for their owned devices]
  3. Done - now all you have to do is wait for the changes to be applied by Microsoft.

How do we check if our changes are working?

Go back to myaccount.microsoft.com and verify that the View BitLocker Keys button has disappeared.

The button is no longer there, which means it works… or at least that’s what I was going to write, but it turns out that Microsoft recently screwed up and the button no longer disappears…

Fortunately, this is only a visual aspect, because pressing the button produces the following error:

For further confirmation, I checked if I could read the key from the recently added option in Company Portal.

Another error, again with the wrong message 🤣

The machine was compliant, and after restoring the default setting for recovery key visibility in Entra, compliance was not an issue at all… Well done, Microsoft.

I’m an admin, will I lose access too?

Yes and no… As usual, it depends.

If your administrator roles include permissions to view BitLocker keys, you can still view them by using either myaccount.microsoft.com or the Microsoft Entra admin center. Of course, as an admin, you have access to the recovery keys of all devices, not just those that you own.

The privilege that grants access to BitLocker keys is:

    microsoft.directory/bitlockerKeys/key/read

For example, Intune Administrator, Security Administrator, and Security Reader have this privilege.
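Rather than remembering which built-in roles carry microsoft.directory/bitlockerKeys/key/read, you can ask the directory. This added example (not code from the original post) lists every role definition, built-in or custom, that grants the action and the principals with an active assignment to it; the function name is this example's choice, and it assumes the Microsoft.Graph.Identity.Governance module and the RoleManagement.Read.Directory scope.

```powershell
# Added example, not code from the original post.
# Who can read every BitLocker recovery key in the tenant?
Import-Module Microsoft.Graph.Identity.Governance

function Get-BitLockerKeyReaders {
    $action = 'microsoft.directory/bitlockerKeys/key/read'

    # Assumed scope: enough to read role definitions and role assignments
    Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory' | Out-Null

    # Filter on the action itself, not on role names, so custom roles are caught too
    $roles = Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.RolePermissions.AllowedResourceActions -contains $action }

    foreach ($role in $roles) {
        # Active (direct) assignments only; PIM-eligible assignments are not returned by this call
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
            -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal

        foreach ($a in $assignments) {
            [pscustomobject]@{
                Role        = $role.DisplayName
                BuiltIn     = $role.IsBuiltIn
                PrincipalId = $a.PrincipalId
                Principal   = $a.Principal.AdditionalProperties['displayName']
                Type        = ($a.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
                Scope       = $a.DirectoryScopeId   # '/' means the whole tenant
            }
        }
    }
}

# Usage: review the list and ask whether each entry really needs key access
Get-BitLockerKeyReaders | Sort-Object Role, Principal | Format-Table -AutoSize
```

Service principals and groups show up here alongside users, so this is also a quick way to spot an app registration that quietly holds Intune Administrator.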

Conclusion

Congratulations! You just increased the number of calls to your helpdesk by 21.37%! The things you do for security, right?

As a reward for your heroism, enjoy your meme:

Nobody said it would be funny.

See you next time!

PS: Did you know that Microsoft is going to add the ability to create custom emojis to Microsoft Teams this June? Can’t wait for that 🤣

PS2: You can find more memes about Microsoft BitLocker here. The article is really good, by the way.

Additional resources

  1. Device management permissions for Microsoft Entra custom roles
  2. Practical 365 - Connecting to the Microsoft Graph Using the PowerShell SDK
  3. LuemmelSec - Go away BitLocker, you´re drunk