Control: 5.1.4.6 Ensure users are restricted from recovering BitLocker keys
Description
This setting determines whether users can self-service recover their own BitLocker recovery key(s). 'Yes' restricts non-admin users from seeing the BitLocker key(s) for devices they own, if any exist; 'No' allows all users to recover the key(s) for their owned devices. Restricting self-service recovery does not affect administrators whose roles can read BitLocker keys, so a user locked out of a protected device must obtain the recovery key through an administrator or helpdesk; have that process in place before enabling the setting.
The recommended state is Yes.
Remediation
To remediate using the UI:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com/.
- Click to expand Entra ID > Devices and select Device settings.
- Set Restrict users from recovering the BitLocker key(s) for their owned devices to Yes.
To remediate using PowerShell:
- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization".
- Run the following:
$params = @{defaultUserRolePermissions = @{AllowedToReadBitlockerKeysForOwnedDevice = $false}}
Update-MgPolicyAuthorizationPolicy -BodyParameter $params
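The remediation above changes the setting blind. The following script is an added example, not part of this control page or the Powerpipe mod: it audits the current value with Get-MgPolicyAuthorizationPolicy, changes it only when drift is found and only when -Remediate is passed, and re-reads the policy to confirm the change took effect. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the requested scopes; the function name Get-BitLockerRecoverySetting is the example's own.

```powershell
# Added example (not the control's own code): audit, optionally remediate, and verify
# CIS 5.1.4.6 (AllowedToReadBitlockerKeysForOwnedDevice) on the tenant authorization policy.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    # Pass -Remediate to change the setting; by default the script only reports.
    [switch]$Remediate
)

# Policy.Read.All is enough to audit; the write scope is requested only for -Remediate.
$scopes = @('Policy.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.Authorization' }
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-BitLockerRecoverySetting {
    # Returns $true when non-admin users may read BitLocker keys for their own devices
    # (the tenant default), $false when they are restricted (the recommended state).
    $policy = Get-MgPolicyAuthorizationPolicy
    return [bool]$policy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
}

$current = Get-BitLockerRecoverySetting
if (-not $current) {
    Write-Host 'OK: users are restricted from recovering BitLocker keys for their owned devices.'
    return
}

Write-Warning 'ALARM: users are allowed to recover BitLocker keys for their owned devices.'
if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to set AllowedToReadBitlockerKeysForOwnedDevice to $false.'
    return
}

# Same request body the control's remediation uses.
$params = @{
    defaultUserRolePermissions = @{
        AllowedToReadBitlockerKeysForOwnedDevice = $false
    }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $params

# Confirm the change rather than trusting the absence of an error from the PATCH.
if (Get-BitLockerRecoverySetting) {
    throw 'Remediation did not take effect; re-read the policy and check the caller''s role assignments.'
}
Write-Host 'Remediated and verified: AllowedToReadBitlockerKeysForOwnedDevice is now $false.'
```

Run it once without -Remediate to see the tenant's current state (useful as a change-ticket attachment), then with -Remediate. The read-back at the end is the step most one-liner remediations skip; a PATCH that is silently rejected for lack of the right directory role still returns without an exception in some SDK versions, so the verification is what tells you the control will actually pass on the next Powerpipe run.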
Default Value
No.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_6 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when (default_user_role_permissions -> 'allowedToReadBitlockerKeysForOwnedDevice') is null then 'alarm'
    when not (default_user_role_permissions -> 'allowedToReadBitlockerKeysForOwnedDevice')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (default_user_role_permissions -> 'allowedToReadBitlockerKeysForOwnedDevice') is null then tenant_id || ' has BitLocker key recovery setting not configured.'
    when not (default_user_role_permissions -> 'allowedToReadBitlockerKeysForOwnedDevice')::bool then tenant_id || ' has users restricted from recovering BitLocker keys.'
    else tenant_id || ' has users allowed to recover BitLocker keys.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_authorization_policy;