How to delegate control for Bitlocker recovery keys in Active Directory


Active Directory (AD) delegation is a critical part of security and compliance. By delegating control over Active Directory, you can grant users or groups the permissions they need without adding them to privileged groups such as Domain Admins. You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. To delegate administration by using an OU, place the individual or group to which you are delegating administrative rights into a group, place the set of objects to be controlled into an OU, and then delegate administrative tasks for the OU to that group. Here are some related guides: how to enable or disable BitLocker Drive Encryption on Windows 10 and virtual machines, how to clear, enable or disable the TPM in Windows via the BIOS or UEFI, how to clear the TPM via the management console or the Windows Defender Security Center app, how to deploy the Microsoft BitLocker Administration and Monitoring (MBAM) tool, and how to uninstall your current version of MBAM and run setup again.

Active Directory Domain Services (AD DS) enables you to control the administrative tasks that can be delegated at a very detailed level. For example, you can assign one group full control of all objects in an OU, assign another group only the rights to create, delete, and manage user accounts in the OU, and assign a third group only the right to reset user account passwords. You can make these permissions inheritable so that they apply to any OUs placed in subtrees of the original OU. Kindly visit this guide to learn more about how to fix the missing BitLocker Recovery tab in Active Directory Users and Computers, and this one on how to back up existing and new BitLocker recovery keys to Active Directory.

When BitLocker keys are configured to be stored in AD, the BitLocker Drive Encryption Administration Utilities must be installed on your device, and you must be a Domain Admin, or have had these rights delegated to you, to be able to view the keys. In this guide, I will be showing you how to delegate control for the BitLocker recovery keys. Kindly visit this guide as well: “How to backup existing and new BitLocker recovery keys to Active Directory”.

If you want to enable support staff to read BitLocker recovery keys without assigning them unnecessary privileges, the Delegation of Control Wizard is a pretty good way to go about it. Before proceeding, ensure that the security group to which you wish to delegate these rights, and the OU that contains the computer objects, already exist.

Launch Server Manager, click on AD DS on the Dashboard, right-click on the server as shown below, and click on Active Directory Users and Computers.


In ADUC (dsa.msc), right-click on the OU that contains your computer objects:
– Select Delegate Control.
– Click “Next”.

This will open the Delegation of Control wizard. Click on Add.


Add the group to which you wish to delegate the right to view the BitLocker recovery keys. You may want to see this guide for more information: “How to backup existing and new BitLocker recovery keys to Active Directory using a simple script”.


– Click “Next” to continue with the configuration.


Create a custom task to delegate. Click “Next”.


Select “Only the following objects in the folder” and tick “msFVE-RecoveryInformation objects”.
– Click “Next”.


Tick “Full Control”. Click “Next” to proceed.


Click on Finish to complete the configuration. From now on, the members of the group we have added will be able to access the BitLocker recovery keys stored inside the organizational unit named Support Admin.


Note: The rights above grant the delegated support agents Full Control over the msFVE-RecoveryInformation objects. This means they will be able not only to read these keys but also to delete them, for example through ADSI Edit. If you wish to avoid this, use LDP.exe to grant only the Read permission instead. You may want to read “how to restore deleted user accounts in Active Directory with Microsoft LDP and PowerShell”.
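As an added example that is not part of the original post, the same read-only delegation can be scripted in PowerShell instead of LDP.exe. The OU path and group name are placeholders; the script scopes the ACE to msFVE-RecoveryInformation objects only and adds the control-access right only when the schema marks msFVE-RecoveryPassword as a confidential attribute, since plain Read is not enough in that case.

```powershell
# Added example (not from the original post): delegate read-only access to
# msFVE-RecoveryInformation objects under an OU instead of Full Control.
# Assumptions: $ouDn and $group are placeholders for your environment.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=example,DC=com'   # placeholder OU holding the computer objects
$group = 'BitLocker-Key-Readers'               # placeholder delegated security group

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class so the ACE
# applies only to recovery-information objects, not to every descendant.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$class     = Get-ADObject -SearchBase $schemaNc -Filter 'lDAPDisplayName -eq "msFVE-RecoveryInformation"' -Properties schemaIDGUID
$classGuid = [guid]$class.schemaIDGUID

# If msFVE-RecoveryPassword is confidential (searchFlags bit 0x80), readers
# also need the control-access (extended) right, but still no write or delete.
$attr   = Get-ADObject -SearchBase $schemaNc -Filter 'lDAPDisplayName -eq "msFVE-RecoveryPassword"' -Properties searchFlags
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
if ($attr.searchFlags -band 0x80) {
    $rights = $rights -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
}

# Build an Allow ACE for the group, inherited by descendant objects of the class only.
$sid = (Get-ADGroup $group).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the group should hold only read-type rights scoped to the class GUID,
# with no Delete or WriteProperty, which is what Full Control would have added.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```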

Viewing the BitLocker Recovery Keys

You can use the BitLocker Drive Encryption Administration Utilities. Kindly visit this guide: “how to backup existing and new BitLocker recovery keys to Active Directory”. The recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer object, so they can also be read with the PowerShell command below.

# List the msFVE-RecoveryInformation objects stored under the computer object
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer computername).DistinguishedName -Properties msFVE-RecoveryPassword, whenCreated | Select-Object DistinguishedName, msFVE-RecoveryPassword, whenCreated

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
