With enterprises being extra cautious about security, encryption has become a must, at least on end-user devices. One product that comes free with Windows, as long as you have the Enterprise or Education edition of Windows 10, is BitLocker. BitLocker lets admins encrypt internal and external drives, with many additional settings. To name a few, these include:
- A pre-boot key: if the device is stolen it cannot be booted unless the key is known
- Different encryption standards
- Encryption levels that balance encryption time against strength
Many companies ensure BitLocker is enabled through their imaging tool or through Group Policy. The relevant policies can be found at the following path in the Group Policy editor:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
One of the steps required as part of the BitLocker process is to ensure a recovery key is produced in case the unlock key is lost. This is a 48-digit key, so it is near impossible to remember. A handy feature of combining Group Policy and BitLocker is that the recovery key can be written to Active Directory, which provides a central and secure location. The keys can then be viewed by IT admins if required. The Group Policy setting that enables key backup to Active Directory is the following:
Store BitLocker recovery information in Active Directory Domain Services
Before the key can be viewed, a feature must be enabled on all the domain controllers that will be used to view the keys. To install the feature, simply follow the ‘Add roles and features’ wizard and select the ‘BitLocker Recovery Password Viewer’ feature. This does not require a reboot and only takes a few minutes.

Once installed, open ‘Active Directory Users and Computers’ and navigate to the machine which has BitLocker enabled. Open the properties of the machine object and you will notice a new tab is present. Click on the newly created ‘BitLocker Recovery’ tab.


As long as all the needed policies have been enabled and a GPUpdate has occurred, there will be an entry under the ‘BitLocker Recovery Password:’ pane. This is the key that can be used to unlock the drive if the user’s unlock method is lost.
To take this process one step further: domain admins will already have access to view the recovery keys, but any other user will not have permission to view them. That permission has to be delegated down through the ‘Delegate Control’ wizard found in ‘AD Users and Computers’. To do this, follow the steps below:
- Log into AD Users and Computers
- Make a new Security group called “Bitlocker-Recovery-Admins”
- Add the relevant users to the group
- Navigate to the OU where you want to start the delegation. (The computers must sit in an OU below the one where you start the delegation)
- Right-click on the OU and select ‘Delegate Control’
- In the ‘Users or Groups’ step enter the newly created ‘Bitlocker-Recovery-Admins’
- In the ‘Tasks to Delegate’ select ‘Create a custom task to delegate’
- In the ‘Active Directory Object Type’ dialog, select ‘Only the following objects in the folder’
- In the list, select ‘msFVE-RecoveryInformation objects’ and click Next
- Set the permissions to ‘Full Control’ and click Finish
Now any user in our security group will be able to view the Bitlocker recovery keys.
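As an added example (not code from the original post), the same delegation done through the OU’s ACL in PowerShell, plus a check of which computers have not yet stored a key in AD; it assumes the RSAT ActiveDirectory module and uses a placeholder OU name.

```powershell
# Added example, not from the original post: does the delegation described above via the
# OU ACL, then audits which computers have no key stored. Assumes the RSAT ActiveDirectory
# module; the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory
$GroupName = 'Bitlocker-Recovery-Admins'            # group created in the post
$OuDN      = 'OU=Workstations,DC=corp,DC=example'  # placeholder: the OU you delegate from
# Look up the schemaIDGUID of msFVE-RecoveryInformation instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
$fveGuid  = [guid]$fveClass.schemaIDGUID

function Grant-BitLockerRecoveryAccess {
    param([string]$OuDN, [string]$GroupName, [guid]$ClassGuid)
    $sid = (Get-ADGroup $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    # 'Descendents' plus the class GUID scopes the ACE to msFVE-RecoveryInformation objects
    # below the OU, as the wizard's custom task does. The post grants Full Control
    # (GenericAll); viewing the tab only needs GenericRead, so that is used here.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-BitLockerRecoveryInfo {
    # Returns what the 'BitLocker Recovery' tab shows for one computer.
    param([string]$ComputerName)
    $dn = (Get-ADComputer $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
      Select-Object @{n='PasswordId'; e={ [guid]$_.'msFVE-RecoveryGuid' }}, whenCreated,
                    @{n='RecoveryPassword'; e={ $_.'msFVE-RecoveryPassword' }}
}

function Get-ComputersWithoutRecoveryKey {
    # Audit: a computer with no msFVE-RecoveryInformation child has no key backed up yet.
    param([string]$OuDN)
    Get-ADComputer -SearchBase $OuDN -Filter * | Where-Object {
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
              -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')
    } | Select-Object Name, DistinguishedName
}
Grant-BitLockerRecoveryAccess -OuDN $OuDN -GroupName $GroupName -ClassGuid $fveGuid
Get-ComputersWithoutRecoveryKey -OuDN $OuDN
```

Run the grant once against the OU; the audit function is worth scheduling, since a machine that encrypted before the policy applied will show the tab empty until a GPUpdate triggers the backup.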
My Helpdesk folks have Full Control on all computer objects. This includes the Create/Delete msFVE-RecoveryInformation objects. They can see the Bitlocker Recovery tab, but can’t see the contents of that tab. Why doesn’t Full Control of computer objects give them what they need? Do I really have to have a separate delegation for these objects, as well?
Hi Joseph,
You can edit the permissions to give them this access if they haven’t already. I’m guessing you’ve checked there are BitLocker keys in there?