Posts

Showing posts from November, 2023

Windows Autopilot - Fixing Windows 11 VM 'No Internet' issue hosted in a Windows Server OS Hyper-V

In my line of work, I have to work with all kinds of devices spread across multiple OS platforms. When it comes to building and testing a configuration on Windows endpoints, I would normally use a physical device or, in the absence of one, turn to a virtual setup involving a Windows 10/11 VM or, most recently, a Cloud PC. For some time now, I have been hosting the Windows 10/11 VM in Hyper-V installed on a Windows 10 Azure VM enabled and configured for nested virtualization. While this got the job done, it couldn't really match the performance that Hyper-V running on a Windows Server OS could deliver. I recently set up a new test tenant and used it as an opportunity to clean up and introduce some new configurations. I decided to set up a Windows Server 2022 OS VM, installed Hyper-V on it, and then created the guest Windows 11 VM inside it. While I followed the usual steps of putting the configuration together like I did before, I did encounter some issues and learnt some new thing...

Why protecting BitLocker Recovery key retrieval is so important..

The majority of organizations allow end users to retrieve the BitLocker recovery key through self-service. While this certainly eases manageability and cuts down on support calls, the question to ask is whether it is secure. To answer that, let me play out a scenario first. Let's say a bad actor has got access to a company device and is able to initiate a reboot into Advanced Startup. A device that is encrypted with BitLocker protection will present the screen to enter the recovery key. At this stage, one can retrieve the recovery key either through a self-service portal like https://account.microsoft.com/devices/recoverykey or by reaching out to the service desk. Now what if the attacker has been successful in stealing the credentials of the owner of the device? In the absence of the necessary security policies, the attacker can retrieve the recovery key from https://account.microsoft.com/devices/recoverykey, or even Entra admin portals by themselves if allo...