AD Delegation – Access to Bitlocker Recovery keys

Here is the process to create a custom delegation to allow users (other than Domain Admins) to access Bitlocker Recovery keys.

  1. Open Active Directory Users and Computers.
  2. Create a new security group called “deleg-computer-bitlockerrecovery”.
  3. Add the relevant users to the group.
  4. Navigate to the OU where you want to start the delegation.
  5. Right-click the OU and select ‘Delegate Control’.
  6. In the ‘Users or Groups’ step, enter the newly created “deleg-computer-bitlockerrecovery” group.
  7. In the ‘Tasks to Delegate’ step, select ‘Create a custom task to delegate’.
  8. In the ‘Active Directory Object Type’ dialog, select ‘Only the following objects in the folder’.
  9. In the list, select ‘msFVE-RecoveryInformation objects’ and click Next.
  10. For permissions, select ‘Full Control’ and click Finish.

Source: https://blog.michaellecomber.info/2019/05/05/ad-delegate-access-to-view-bitlocker-recovery-keys/
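The same delegation can be applied from PowerShell, which makes it repeatable across OUs and easy to review afterwards. The script below is an added example, not part of the original post or the linked source: it resolves the schema GUID of the msFVE-RecoveryInformation class and adds an inherited ACE on the OU for the group, mirroring steps 4 to 10 above. The OU distinguished name `OU=Workstations,DC=corp,DC=example` is a placeholder you need to replace. The GUI steps grant ‘Full Control’; reading a stored recovery password only needs read access to the msFVE-RecoveryInformation object, so the script defaults to `GenericRead` and shows `GenericAll` as the equivalent of the GUI choice, which you can switch to if you need the wider grant.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and rights to modify the target OU's security descriptor.
Import-Module ActiveDirectory

$groupName = 'deleg-computer-bitlockerrecovery'          # group from step 2
$ouDN      = 'OU=Workstations,DC=corp,DC=example'        # PLACEHOLDER: your OU

# Step 2/3: create the group if it does not exist yet (members are added separately).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Delegated read access to BitLocker recovery information'
}
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Step 9: the ACE must apply only to msFVE-RecoveryInformation objects, which
# needs that class's schemaIDGUID (looked up rather than hard-coded).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

# Step 10: choose the rights. GenericRead is enough to view recovery passwords;
# GenericAll is what the wizard's 'Full Control' option grants.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
# $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Build an ACE that is inherited by descendant objects of the chosen class only.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list the ACEs on the OU that name the delegation group, so the
# scope (object type GUID, inheritance, rights) can be checked and audited later.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

After running it, confirm the delegation from an account that is a member of the group by querying one recovery object under the OU, for example `Get-ADObject -SearchBase $ouDN -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryPassword`; an account outside the group should see the objects without the password attribute. Because membership of this group equals the ability to unlock any delegated machine's disk, keep the group's membership under the same review as other privileged groups.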
