You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/protect/encrypt-devices.md
+13-2Lines changed: 13 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ keywords:
7
7
author: brenduns
8
8
ms.author: brenduns
9
9
manager: dougeby
10
-
ms.date: 08/09/2021
10
+
ms.date: 11/16/2021
11
11
ms.topic: how-to
12
12
ms.service: microsoft-intune
13
13
ms.subservice: protect
@@ -148,7 +148,9 @@ The BitLocker policy **must not require** use of a startup PIN or startup key. W
148
148
149
149
### View details for recovery keys
150
150
151
-
Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10/11 devices, from within the Microsoft Endpoint Manager admin center. To be accessible, the device must have its keys escrowed to Azure AD.
151
+
Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10/11 devices, from within the Microsoft Endpoint Manager admin center. Support to view recovery keys can also [extend to your tenant-attached devices](#view-recovery-keys-for-tenant-attached devices).
152
+
153
+
To be accessible, the device must have its keys escrowed to Azure AD.
152
154
153
155
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
154
156
@@ -174,6 +176,15 @@ IT admins need to have a specific permission within Azure Active Directory to be
174
176
175
177
All BitLocker recovery key accesses are audited. For more information on Audit Log entries, see [Azure portal audit logs](/azure/active-directory/devices/device-management-azure-portal#audit-logs).
176
178
179
+
### View recovery keys for tenant-attached devices
180
+
181
+
When you’ve configured the tenant attach scenario, Microsoft Endpoint Manager can display recovery key data for tenant attached devices.
182
+
183
+
- To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Azure AD joined devices:. See [KB11121541](/configmgr/hotfix/2107/11121541).
184
+
185
+
- To view the recovery keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related permissions for Configuration Manager of Collection Role, with Read Permission > Read BitLocker Recovery Key Permission. For more information see [Configure role-based administration for Configuration Manager](/configmgr/core/servers/deploy/configure/configure-role-based-administration).
186
+
187
+
177
188
### Rotate BitLocker recovery keys
178
189
179
190
You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later, and Windows 11.
0 commit comments