Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure AD Domain Services and Bitlocker storage

Copper Contributor

We have joined two Windows 10 computers to the domain hosted in Azure AD Domain Services. We have encrypted those computers using Bitlocker and have used the manage-bde commands to save the Bitlocker recovery keys in Active Directory. Manage-bde reports that the command was successful. We have a third Windows 10 machine that has the Server 2016 RSAT installed. We login to that machine using an account that is in the AAD DC Administrators group. When we open ADUC and look at the computers that have Bitlocker enabled the Bitlocker tabs are blank. So, either the computers are not able to publish the keys to Azure AD Domain Services or the account we are using simply doesn't have sufficient rights to view the keys. Has anyone else tried to manage Bitlocker keys in this manner with success? Does anyone else have ideas on what we can try to make this work? Thanks.

1 Reply
best response confirmed by Micah Katke (Copper Contributor)
Solution

I hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.

 

Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.

 

Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-ac... 

 

Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.

1 best response

Accepted Solutions
best response confirmed by Micah Katke (Copper Contributor)
Solution

I hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.

 

Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.

 

Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-ac... 

 

Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.

View solution in original post