Delegate Access for BitLocker Recovery Keys in AD

Typically I would have thought that installing the “BitLocker Drive Encryption” feature via Server Manager would have been enough to manage the keys. Well, I found out my helpdesk staff couldn’t see the keys while using the RSAT tools. I thought to myself, great, this should be an easy fix. Just delegate view access! Wrong. It turns out that in addition to delegating access, each tech must also install a Windows optional feature.

Delegate Access

Let’s delegate access for my tech staff (aka helpdesk). On your DC (domain controller), right-click the folder (OU) holding the computers you wish your staff to have access to and select Delegate Control.

Select the OU you wish to delegate access to

Click Next, then Add.

If you don’t have an AD group for this, now is a good time to create one. Always deploy with least privilege: don’t add individuals. Add the individuals to a group, then delegate access to the group.

Adding TECH-STAFF group

Select “Create a custom task to delegate”.

Select Create a custom task to delegate

Now select “Only the following objects in the folder:” and scroll down the list until you find “msFVE-Recovery Information objects”.

msFVE-Recovery Information objects

This typically goes against everything you’ve been taught about AD access control, but in this instance you’ll need to grant them Full Control. Because you restricted the task to msFVE-Recovery Information objects in the previous step, that Full Control applies only to the recovery-key objects under this OU, not to the computer objects themselves.

Be sure to check Full Control

That’s it! Your AD group now has the ability to view BitLocker recovery keys.

Note: You’re not done yet! They have access, but they still can’t see the keys via RSAT.

RSAT Utility to Allow Delegated Users to View BitLocker Recovery Keys

This is the final step. Each tech must install “RSAT: BitLocker Drive Encryption Administration Utilities” from optional features in Windows 10.

Start > Settings > Apps > and click “Optional Features” in the center.

Click “Add a feature” and search for BitLocker. You should see “RSAT: BitLocker Drive Encryption Administration Utilities”. Install it.

RSAT BitLocker Utility installed

Note: If Active Directory Users and Computers was open when you installed the utility, you’ll need to close it and reopen it.

RSAT now showing the BitLocker Recovery tab for a member of the TECH-STAFF group we delegated access to (a non-Domain Admin).
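
For those who would rather check or script the two steps above, here is an added PowerShell example (it is not part of the original post). It verifies that the OU’s ACL contains the Full Control ACE the wizard creates for msFVE-RecoveryInformation objects, falls back to dsacls to add it, and installs the RSAT capability on the tech’s PC. The OU distinguished name and the domain prefix are placeholders; TECH-STAFF is the group name from the post.

```powershell
# Added example (not from the original post). Run on a machine with the
# ActiveDirectory RSAT module; the last step runs elevated on each tech's Windows 10 PC.
Import-Module ActiveDirectory

$OuDN  = "OU=Workstations,DC=example,DC=com"   # placeholder: the OU you delegated
$Group = "EXAMPLE\TECH-STAFF"                   # placeholder domain; group from the post

function Get-FveSchemaGuid {
    # Look up the schemaIDGUID of the msFVE-RecoveryInformation class from the
    # schema partition instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=msFVE-RecoveryInformation)" -Properties schemaIDGUID
    return [guid]::new([byte[]]$cls.schemaIDGUID)
}

function Test-FveDelegation {
    param([string]$OuDN, [string]$Group)
    $fveGuid = Get-FveSchemaGuid
    $acl = Get-Acl -Path "AD:\$OuDN"
    # The wizard's "Only the following objects ... Full Control" choice produces an
    # Allow ACE granting GenericAll whose InheritedObjectType is the
    # msFVE-RecoveryInformation class, so it never touches the computer objects.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritedObjectType -eq $fveGuid -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    }
    return [bool]$ace
}

if (Test-FveDelegation -OuDN $OuDN -Group $Group) {
    Write-Host "Delegation for $Group on $OuDN is already in place."
} else {
    # Same result as the wizard: Full Control (GA), inherited only onto descendant
    # msFVE-RecoveryInformation objects (/I:S = sub-objects only).
    dsacls $OuDN /I:S /G "${Group}:GA;;msFVE-RecoveryInformation"
}

# Final step from the post, scripted: install the RSAT BitLocker utility
# (the same item the Optional Features UI lists). Reopen ADUC afterwards.
Get-WindowsCapability -Online -Name "Rsat.BitLocker*" |
    Where-Object State -ne 'Installed' |
    ForEach-Object { Add-WindowsCapability -Online -Name $_.Name }
```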

Hope this was helpful!
