The Texas Chain Saw Bitlocker Remediations

Last Updated on April 2, 2022 by rudyooms

This blog will be about some proactive remediations and Intune Role Assignments to make sure your service desk can help your users when they need to enter the Bitlocker recovery key and nothing more.

I was inspired to check if I can come up with an idea to solve this problem (until Microsoft comes up with a solution)

What admin role grants permission to view devices’ BitLocker recovery keys? – Microsoft Tech Community

So why not use proactive remediations to report back the Intune Recovery key? You can create a custom Intune role to give your service desk users Proactive remediations read permissions.

Update 31-03-2020: Azure AD RBAC: Custom roles & administrative units for devices now available

Of course, you could still use the Awesome Proactive Remediations, so let us continue!

I will divide this blog into 3 parts:

1.Configuring the Pro Active Remediations

2.Configuring the Intune mgt Role

3. Results

1.Configuring Pro Active remediations:

First, download the scripts. The zip contains the Detection and Remediation scripts.

Now we have the scripts, let’s start creating a new proactive remediation.

And select the detection and remediation script from the zip file you downloaded.

2.Configuring the Intune Mgt Role

So why do we need Role-based access control (RBAC)? RBAC helps you manage who has access to your organization’s resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

After we know what we can do with RBAC we are going to create an additional Intune Role. But before we do, make sure you have already created a group with the service desk users in it, who need to have access to the BitLocker recovery key report.

But which permissions are needed to make sure the user could access the Proactive remediations report? Let’s take a look at what Microsoft has to say.

These are the permissions needed:

Don’t forget to assign this role to the service desk group you created earlier.

3. Testing it and the results

While testing this idea, I also solved the problem when for some reason Bitlocker failed to encrypt the device and it is tried multiple times. A good example would be if you haven’t removed your USB installation media after the installation.

You can be sure the Proactive remediations will try to activate BitLocker each hour. So I didn’t remove the iso after the installation and rebooted a couple of times before I removed the removable media.

The pro-active remediations also tried to kick in.

In English: It detected removable media you need to remove it and reboot the device.

And now we need to wait an hour before the proactive remediations try to detect and remediate when necessary….

And after an hour, the detection script was executed. Let’s open the Microsoft intune management log first before we continue.


And of course, because the detection script was exited with the status code 1 it will start to remediate the problem.


Now the problem was remediated successfully it started encrypting the device.


First, let’s check as a global admin if we can get some detection results. As also shown in my last blog, you will need to add some columns otherwise you will not see the results.

And yes… we can retrieve the BitLocker recovery key as admin!

Now we are going to do the same test but this time as a normal user with the assigned Intune role we created earlier. As shown below… you can make sure the BitLocker recovery key can be extracted from intune with RBAC configured.


As shown above… You can create a dedicated Intune role for your service desk to get back those BitLocker recovery keys when your users need them. Let’s get a drink and start using  proactive remediations for everything  

2 thoughts on “The Texas Chain Saw Bitlocker Remediations

  1. Hello,

    Thanks for the article, I’m plaining to implement this solution to grant L1 support team access on the BitLocker keys, Just want to ask if any new solution you found for this request or should I follow this approach.

    Many Thanks for your help.

    1. Hi… I updated the blog as 31-03-2020 the long arrived rbac custom roles were released!

Leave a Reply

Your email address will not be published.

  +  3  =  6