Would you like to learn how to delegate access to BitLocker recovery keys in the Active Directory? In this tutorial, we are going to show you how to allow a group of users to read the BitLocker recovery keys on the Active Directory.

Equipment list

The following section presents the list of equipment used to create this tutorial.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 7

Tutorial Windows - Delegate access to BitLocker recovery keys

Open the application named: Active Directory Users and Computers.

Active Directory - Users and Computers

Create a new group.

Active Directory - Create a group

Right-click on the desired organizational unit.

Select the option to Delegate Control.

Active Directory - Delegate Control

Select the desired group.

Active Directory - Delegate Permissions

Select the option to create a custom task.

Windows - Delegate custom task

Select only the object named: MSFVE-RECOVERYINFORMATION.

Bitlocker - Delegate access to recovery keys - MSFVE-RECOVERYINFORMATION

Select the full control permission.

Bitlocker - Delegate recovery key access

Click on the Next button to finish the configuration.

In our example, members of the group named MY-ADMIN will be able to access the BitLocker recovery keys stored inside the organizational unit named TEST.

Delegation access - Bitlocker recovery key

Members of this group will not be able to view the BitLocker recovery keys stored in other organizational units.
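To verify the delegation once the wizard finishes, here is an added PowerShell audit script (not part of the original tutorial) that resolves the msFVE-RecoveryInformation class GUID, lists the ACEs on the OU that are scoped to it, and then reads the stored recovery passwords the way a delegated user would. It assumes the RSAT ActiveDirectory module and the tutorial's example names TEST and MY-ADMIN.

```powershell
# Added audit script, not part of the original tutorial. Assumes the RSAT
# ActiveDirectory module; the OU and group names are the tutorial's examples.
Import-Module ActiveDirectory

$ouName    = 'TEST'       # organizational unit used in the tutorial
$groupName = 'MY-ADMIN'   # group that received the delegation

$ou      = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" | Select-Object -First 1
$group   = Get-ADGroup -Identity $groupName
$groupNT = $group.SID.Translate([System.Security.Principal.NTAccount]).Value

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class. The
# Delegation of Control wizard records this GUID in the OU's ACL so that the
# granted rights apply only to recovery-information objects.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
$fveGuid  = [guid]$fveClass.schemaIDGUID

# 1. Audit: every ACE on the OU scoped to that object class, flagging any
#    principal other than the group you intended to delegate to.
$acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
$acl.Access |
    Where-Object { $_.InheritedObjectType -eq $fveGuid -or $_.ObjectType -eq $fveGuid } |
    ForEach-Object {
        $expected = ($_.IdentityReference.Value -eq $groupNT)
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            Review    = if ($expected) { 'expected' } else { 'REVIEW: unexpected principal' }
        }
    } | Format-Table -AutoSize

# 2. Verify from the delegated side: run as a MY-ADMIN member, this lists the
#    recovery passwords stored beneath the OU, one row per recovery object.
Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope Subtree `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Select-Object @{ n = 'Computer'; e = { ($_.DistinguishedName -split ',', 2)[1] } },
                  whenCreated, 'msFVE-RecoveryPassword' |
    Format-Table -AutoSize
```

Repeat step 2 with another OU's distinguished name as the search base to confirm the delegation does not reach outside TEST. Full control is broader than the read of msFVE-RecoveryPassword that key retrieval needs, so an audit row showing GenericAll is the one to narrow if least privilege matters in your environment.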

Congratulations! You are able to delegate permission to access the BitLocker recovery keys in the Active Directory.