How to delegate access to BitLocker recovery passwords in AD

For Casper Secure Tech Edition to unlock BitLocker volumes using AD DS, the user must have access to the ms-FVE-RecoveryInformation object in AD in which the BitLocker recovery password(s) are stored. Domain Administrators have access to ms-FVE-RecoveryInformation objects by default; other users must be delegated that access.

Domain administrators can delegate access to the ms-FVE-RecoveryInformation object within AD as follows:

Create a new Security Group in AD (e.g., "BitLocker Admins")
  1. Start Active Directory Users and Computers
  2. Right-click Users and select New -> Group
  3. Enter the desired group name (e.g., "BitLocker Admins") and select Security for the group type.
  4. Confirm the settings before creating the group:
       Group name: BitLocker Admins
       Group scope: Global
       Group type: Security
Grant control access and read property permissions to the new Security Group ("BitLocker Admins")
  1. Download DelegateBitLockerRecovery.zip and extract the DelegateBitLockerRecovery.vbs script
  2. Edit the DelegateBitLockerRecovery.vbs script and change strGroupName to the group created above (e.g., strGroupName="DOMAIN\BitLocker Admins")
  3. Open a command prompt as administrator and run the DelegateBitLockerRecovery.vbs script:
    cscript DelegateBitLockerRecovery.vbs
  4. Start WmiMgmt (wmimgmt.msc)
  5. Connect to the remote computer that represents the Primary Domain Controller for the domain (e.g., "DC1")
  6. Right-click on WMI Control and select Properties to open the WMI Control (DC1) Properties dialog.
  7. On the Security tab, navigate to and select the Root\directory\LDAP node
  8. Click Security
  9. Click Add
  10. Type the name of the group created above (e.g., "BitLocker Admins") and click OK
  11. Under the Allow column, check Execute Methods, Enable Account, and Remote Enable
  12. Click OK to apply the new permissions and close the Security for ROOT\directory\LDAP dialog
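
The whole delegation above, carried out in PowerShell instead of with the article's DelegateBitLockerRecovery.vbs and the WMI Control dialog, as an added example that is not part of the original article or of Casper's tooling. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, an elevated session run by a Domain Admin, the example group name "BitLocker Admins" and domain controller name "DC1" used above, and the documented WMI namespace access-mask values for Enable Account, Execute Methods and Remote Enable.

```powershell
# Added example, not the article's DelegateBitLockerRecovery.vbs script.
# (1) grants the group ReadProperty plus control access on
#     msFVE-RecoveryInformation objects under the domain root;
# (2) grants the group Enable Account, Remote Enable and Execute Methods
#     on ROOT\directory\LDAP on the domain controller (steps 4-12 above).
# Assumes Windows PowerShell 5.1 (Get-WmiObject), the RSAT ActiveDirectory
# module and an elevated Domain Admin session.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName        = 'BitLocker Admins',  # example group name from the article
    [string]$DomainController = 'DC1'                # example DC name from the article
)
Import-Module ActiveDirectory -ErrorAction Stop

$group    = Get-ADGroup -Identity $GroupName
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID
$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# --- 1. AD delegation on msFVE-RecoveryInformation objects -------------------
# Resolve the class GUID from the schema instead of hard-coding it.
$classGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
    -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$domainDn"
foreach ($right in 'ReadProperty', 'ExtendedRight') {
    # ExtendedRight with no object GUID = all control access rights. The
    # recovery password attribute is confidential, so ReadProperty alone
    # does not allow it to be read.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]$right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)   # inherited only by msFVE-RecoveryInformation objects
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Check: show the ACEs that now apply to the group for this object class only.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.InheritedObjectType -eq $classGuid -and
                   $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# --- 2. WMI namespace security on ROOT\directory\LDAP ------------------------
# Access-mask bits as documented for WMI namespace security.
$WBEM_ENABLE         = 0x01   # Enable Account
$WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
$WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable

$nsSecurity = Get-WmiObject -ComputerName $DomainController `
    -Namespace 'root\directory\LDAP' -Class __SystemSecurity
$sd = $nsSecurity.GetSecurityDescriptor().Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $groupSid.Value

$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = 0      # this namespace only, no inheritance to sub-namespaces
$ace.AceType    = 0      # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

$sd.DACL += $ace.PSObject.ImmediateBaseObject
$result = $nsSecurity.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
if ($result.ReturnValue -ne 0) {
    throw "SetSecurityDescriptor on $DomainController failed with code $($result.ReturnValue)"
}
```

Save the block as a .ps1 and run it from an elevated Windows PowerShell prompt. Part 1 writes to the domain-root ACL, so review the ACE listing it prints before signing off; the two ACEs are scoped to msFVE-RecoveryInformation objects via the inherited-object GUID and grant nothing on the computer objects themselves. Part 2 mirrors the three checkboxes in the WMI Control dialog and can be re-run against any other domain controller the clients may query.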
 
THIS ARTICLE APPLIES TO:
  • Casper Secure Tech Edition
