How to Delegate BitLocker Recovery Information in AD (properly) - Step by Step
Updated: Sep 14, 2020
Since Active Directory is a directory, read access to the attributes of the various objects (e.g. computers, users, etc.) is relatively universal for members of the domain. This makes storing sensitive information, such as BitLocker recovery information, a challenge. Microsoft mitigates this by leveraging the confidential flag, which is associated with the Access Control Entry (ACE) of each object in AD. Enabling this flag makes it possible to apply more granular access to sensitive attributes. In essence, the information is hidden unless explicitly delegated.
By default, only Domain Admins can see BitLocker recovery information for computer objects in AD. Clearly this is problematic for organizations that delegate end point support to teams such as Help Desk.
If you Google how to resolve this dilemma, you will find numerous posts that advise to delegate Full Control to BitLocker Recovery Information Objects (msFVE-RecoveryInformation) to the group you wish to delegate. While this solution works, it doesn’t follow the security best practice of “Least Access Privilege”. Users who have been granted Full Control of any object in AD can delete, modify and even change security settings for that object. As BitLocker Recovery Information generally only needs to be read, Full Control is excessive privilege.
If you want to learn how to properly delegate BitLocker Recovery Information, read on…
1. The first thing you will need to delegate these objects is an AD delegation group. A good practice is to create specific security groups for AD delegation. For example:
AD Delegates – User Objects (Full)
AD Delegates – User Objects (Unlock Reset Pwd)
AD Delegates – Computer Objects (Full)
AD Delegates – Group Objects – Folder Groups (Full)
AD Delegates – Group Objects – Distribution Lists (Add/Remove)
AD Delegates – Group Policy Objects (Full)
Etc. Following this naming convention, create a new delegation group, “AD Delegates – BitLocker Objects (Read)”
Normally, the next step would be to delegate access via the Delegation wizard built into ADUC. Unfortunately, this tool does not expose the Access Control Entry’s (ACE’s) as completely as we require. To do this we need to use Ldp.exe, an LDAP client built into Windows.
NOTE: the following operation needs to be completed with Domain Admin credentials
2. From the Start Menu, type ldp.exe and press Enter
The program will look like this when it first opens
3. From the menu, select Connection -> Bind…
4. Select Bind as currently logged on user. If you didn't use a Domain Admin account as noted before step 2, provide provide alternate Domain Admin credentials here or use a Run-As before launching LDP.exe
The tool will attempt to bind to the current domain and present the results in the right window. As you can see in the following picture I have successfully connected as “DEMO\frank”
5. From the menu, select Browse -> Security -> Security Descriptor
This will bring up the following input box
6. Enter the DN of the object, in this case the OU, you want to modify. You can set this to the root of the domain, but better practice is to limit access to the OU where your end point devices are placed.
The next screen will display the Discretionary Access Control List (DACL) for the OU
7. Press Add… and enter the following, substituting your domain name and delegation group name in the Trustee field
8. Press OK to return to the DACL list.
9. Press Add Again… and enter the following, substituting your domain name and delegation group name in the Trustee field:
NOTE: Control Access is the permission that allows the delegated group to see objects flagged as confidential (hidden).
10. Press OK to return to the DACL list.
11. Press Add… and enter the following, substituting your domain name and delegation group name in the Trustee field:
12. Press OK to return to the DACL list.
You will now see three new entries with your delegation group.
13. Press Update
This returns you to the main screen which shows the DACL modification:
Now you can switch back to ADUC to verify the new ACEs have been applied.
14. Right click the OU you applied the delegation to and select Properties
15. Select the Security tab
16. Press Advanced
17. The last step you need to do is add groups of users (e.g. Help Desk) to the “AD Delegates – BitLocker Objects (Read)” group:
NOTE: Users will have to log off and on to pick up the change.
And that's it! If you've followed these steps exactly, you will now have delegated the appropriate permissions to your BitLocker Recovery Information following Microsoft's recommended Least Privilege model.
Need assistance? Contact us with your BitLocker deployment needs!