The Texas Chain Saw Bitlocker Remediations


This blog is about using proactive remediations together with an Intune role assignment to make sure your service desk can help users who need to enter their BitLocker recovery key, and nothing more.

I was inspired to see if I could come up with an idea to solve this problem (until Microsoft comes up with a solution):

What admin role grants permission to view devices' BitLocker recovery keys? – Microsoft Tech Community

So why not use proactive remediations to report back the BitLocker recovery key? You can then create a custom Intune role that gives your service desk users read permissions on proactive remediations.

I will divide this blog into 3 parts:

1. Configuring the proactive remediation

2. Configuring the Intune management role

3. Testing it

1. Configuring proactive remediations:

First download the scripts. The zip contains the detection and remediation scripts.

https://call4cloud.nl/wp-content/uploads/2021/05/BitlockerRecoveryKey.zip

Now that we have the scripts, let's start creating a new proactive remediation.

Select the detection and remediation scripts from the zip file you downloaded.
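The detection and remediation pair below is an added example written for this post; it is not the pair of scripts in the zip linked above. It follows the behaviour the post describes: the detection script writes the recovery password to its output so it lands in the proactive remediation report and exits 1 when the OS drive is unprotected, and the remediation script refuses to continue while removable installation media is still attached, then enables BitLocker and escrows the recovery password to Azure AD. The file names Detect.ps1 and Remediate.ps1 are assumptions. Both scripts have to run as SYSTEM in 64-bit PowerShell (set "Run this script using the logged-on credentials" to No and "Run script in 64-bit PowerShell" to Yes on the package). Everything the detection script prints is stored in Intune reporting, which is exactly the data the role in part 2 protects.

```powershell
# ---- Detect.ps1 (assumed name): runs hourly as SYSTEM, 64-bit ----
# Exit 0 = compliant, exit 1 = remediation required.
# Anything written to stdout becomes the detection output shown in the Intune report.
$ErrorActionPreference = 'Stop'
try {
    $osDrive = $env:SystemDrive              # normally "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive

    # Numerical recovery passwords are the protectors the service desk needs to read out.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -gt 0) {
        # Compliant: report the key(s) so they end up in the remediation report.
        $keys = ($recovery | ForEach-Object { $_.RecoveryPassword }) -join ' | '
        Write-Output "BitLocker ON ($($vol.VolumeStatus)) RecoveryPassword: $keys"
        exit 0
    }

    Write-Output "BitLocker not protecting $osDrive (ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus))"
    exit 1
}
catch {
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# ---- Remediate.ps1 (assumed name): only runs after Detect.ps1 exited with 1 ----
$ErrorActionPreference = 'Stop'
try {
    $osDrive = $env:SystemDrive

    # The failure mode from the post: leftover USB installation media makes the
    # encryption attempt fail every hour, so stop here and tell the user what to do.
    $removable = @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter })
    if ($removable.Count -gt 0) {
        $letters = ($removable | ForEach-Object { "$($_.DriveLetter):" }) -join ', '
        Write-Output "Removable media detected ($letters). Remove it and reboot the device."
        exit 1
    }

    # A TPM protector is required for a silent, user-less enablement.
    if (-not (Get-Tpm).TpmReady) {
        Write-Output 'TPM is not ready; cannot enable BitLocker with a TPM protector.'
        exit 1
    }

    $vol = Get-BitLockerVolume -MountPoint $osDrive

    # Create the recovery password first so there is always a key to escrow and report.
    if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -TpmProtector -SkipHardwareTest | Out-Null
    }
    elseif ($vol.ProtectionStatus -eq 'Off') {
        # Volume already encrypted but protection suspended (e.g. after a firmware update).
        Resume-BitLocker -MountPoint $osDrive | Out-Null
    }

    # Escrow every recovery password to Azure AD; the device must be Azure AD joined.
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    Write-Output "BitLocker enabled on $osDrive; encryption in progress."
    exit 0
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Upload the two halves as separate files when you create the package. Because the detection script runs again after remediation, the post-remediation detection output will only contain the recovery password once the drive reports ProtectionStatus On, which is what the results in part 3 rely on.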

2. Configuring the Intune management role

So why do we need Role-based access control (RBAC)? RBAC helps you manage who has access to your organization’s resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

Now that we know what RBAC does, we are going to create an additional Intune role. But before we do, make sure you have already created a group containing the service desk users who need access to the BitLocker recovery key report.

But which permissions are needed to make sure the user can access the proactive remediations report? Let's take a look at what Microsoft has to say.

These are the permissions needed:

Don’t forget to assign this role to the service desk group you created earlier.
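To verify that the role you just created grants read access to the report and nothing more, the Graph PowerShell script below lists every custom Intune role, the resource actions it allows, the actions that are not read-only, and the groups it is assigned to. This is an added example, not part of the post. It assumes the Microsoft Graph PowerShell SDK is installed and that the beta roleDefinitions and roleAssignments endpoints return the allowed resource actions and member group ids as used here; treating action names ending in _Read or _ViewReports as read-only is my own assumption about the naming scheme, so review the printed list rather than trusting the flag alone.

```powershell
# Added example: audit custom Intune roles for write permissions and list their member groups.
# Assumes the Microsoft.Graph SDK (Connect-MgGraph, Invoke-MgGraphRequest, Get-MgGroup) is installed.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All' | Out-Null

$graph = 'https://graph.microsoft.com/beta/deviceManagement'

# Assumption: beta roleAssignments expose the member group ids and can expand the role definition.
$assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments?`$expand=roleDefinition").value
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleDefinitions").value |
    Where-Object { -not $_.isBuiltIn }

foreach ($role in $roles) {
    # Flatten rolePermissions -> resourceActions -> allowedResourceActions into one list.
    $actions = @($role.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions })

    # Heuristic (assumption about action naming): anything not ending in _Read/_ViewReports can change state.
    $write = @($actions | Where-Object { $_ -notmatch '_(Read|ViewReports)$' })

    # Resolve the Azure AD groups the role is assigned to, so you can see who actually gets the keys.
    $groups = foreach ($a in ($assignments | Where-Object { $_.roleDefinition.id -eq $role.id })) {
        foreach ($gid in $a.members) { (Get-MgGroup -GroupId $gid).DisplayName }
    }

    [pscustomobject]@{
        Role         = $role.displayName
        AllowedCount = $actions.Count
        WriteActions = ($write -join ', ')
        AssignedTo   = (@($groups) -join ', ')
    }
}
```

For the service desk role described in this post, WriteActions should be empty and AssignedTo should contain only the service desk group. The script reads the first page of each collection, which is enough for the handful of custom roles most tenants have.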

3. Testing it and the results

While testing this idea, I also solved the problem where, for some reason, BitLocker fails to encrypt the device and the encryption is retried multiple times. A good example is when you haven't removed your USB installation media after the installation.

You can be sure the proactive remediation will try to activate BitLocker every hour. So I didn't remove the ISO after the installation and rebooted a couple of times before I removed the removable media.

The proactive remediation also tried to kick in.

In English: it detected removable media; you need to remove it and reboot the device.

And now we need to wait an hour before the proactive remediation tries to detect and, when necessary, remediate again...

And after an hour the detection script was executed. Let's open the Intune Management Extension log first before we continue.

Detection

And of course, because the detection script exited with exit code 1, it starts to remediate the problem.

Remediation:

Now that the problem was remediated successfully, it started encrypting the device.

Results:

First let's check as a global admin if we can get some detection results. As also shown in my last blog, you will need to add some columns, otherwise you will not see the results.

And yes... we can retrieve the BitLocker recovery key as admin!

Now we are going to do the same test, but this time as a normal user with the Intune role we created earlier assigned.
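The same result can be pulled through Microsoft Graph, which is useful for checking what the report actually exposes to anyone holding the role, and for a service desk tool that does not want to click through the portal columns. The script below is an added example, not from the post: it looks up the remediation package by display name (the name 'BitLocker Recovery Key' is a placeholder for whatever you called yours), follows paging, and prints the pre- and post-remediation detection output per device. It assumes the Graph PowerShell SDK and the beta deviceHealthScripts endpoint with its deviceRunStates relationship.

```powershell
# Added example: read the stored detection output of a remediation package via Graph.
$scriptName = 'BitLocker Recovery Key'   # placeholder: the display name you gave the package in Intune

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All' | Out-Null

# Small helper that follows @odata.nextLink so large tenants are read completely.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'
$pkg = Get-GraphCollection -Uri $base | Where-Object { $_.displayName -eq $scriptName }
if (-not $pkg) { throw "No remediation package named '$scriptName' was found." }

# deviceRunStates holds the per-device detection/remediation state and both detection outputs.
$states = Get-GraphCollection -Uri "$base/$($pkg.id)/deviceRunStates?`$expand=managedDevice"

$states | ForEach-Object {
    [pscustomobject]@{
        Device          = $_.managedDevice.deviceName
        Detection       = $_.detectionState
        Remediation     = $_.remediationState
        LastUpdate      = $_.lastStateUpdateDateTime
        DetectionOutput = $_.preRemediationDetectionScriptOutput
        PostOutput      = $_.postRemediationDetectionScriptOutput
    }
} | Format-Table -AutoSize -Wrap
```

A device that was encrypted during the run will show the "Removable media detected" or "not protecting" message in DetectionOutput and the recovery password in PostOutput; a device that was already compliant shows the password in DetectionOutput. Run it once as the global admin and once as a member of the service desk group to confirm the role grants exactly this and nothing else.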

Conclusion:

As shown above... you can create a dedicated Intune role for your service desk to get those BitLocker recovery keys when your users need them. Let's get a drink and start using proactive remediations for everything.
