Typically I would of thought installing the “BitLocker Drive Encryption” via server manager would of been enough to manage the keys. Well found out my helpdesk staff couldn’t see the keys while using RSAT tools. Thought to myself great, this should be an easy fix. Just delegate view access! Wrong, turns out in addition to delegating, each tech must also install a windows optional feature.
Delegate Access
Lets delegate access for my tech staff (aka helpdesk). On your DC (domain controller) right click the folder for your computers you wish your staff to have access to and select delegate control.
Click next then add..
It would be a good time if you don’t have a AD group to great one. Always deploy with least privilege. Don’t add individuals. Add the individuals to a group, then delegate access to the group.
Select “Create a custom task to delegate“
Now select “Only the following objects in the folder:” and scroll down the list until you find “msFVE-Recovery Information objects“
This typcially goes againts everything you’ve been taught with AD control, but in this instance you’ll need to grant them full control.
That’s it! You AD Group now has the ability’s to view Bitlocker Recovery keys.
Note: Your not done yet! They have access but can’t see it via RSAT.
RSAT Utility to allow delegated users to view BitLocker Recovery Keys.
This is the final step. Each tech must install “RSAT: BitLocker Drive Encryption Administration Utilities” from optional features in Windows 10.
Start > Settings > Apps > and click “Optional Features” in the center.
Click “Add a feature” and search for BitLocker. You should see “RSAT: BitLocker Drive Encryption Administration Utilities. Install it.
Note: If Active Directory Users and Computers was open when you installed the utility, you'll need to close it out and reopen it.
Hope this was helpful!
