Aug 24 2017 04:12 PM
We have joined two Windows 10 computers to the domain hosted in Azure AD Domain Services. We have encrypted those computers using Bitlocker and have used the manage-bde commands to save the Bitlocker recovery keys in Active Directory. Manage-bde reports that the command was successful. We have a third Windows 10 machine that has the Server 2016 RSAT installed. We login to that machine using an account that is in the AAD DC Administrators group. When we open ADUC and look at the computers that have Bitlocker enabled the Bitlocker tabs are blank. So, either the computers are not able to publish the keys to Azure AD Domain Services or the account we are using simply doesn't have sufficient rights to view the keys. Has anyone else tried to manage Bitlocker keys in this manner with success? Does anyone else have ideas on what we can try to make this work? Thanks.
Aug 28 2017 05:18 PM
SolutionI hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.
Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.
Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-ac...
Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.
Aug 28 2017 05:18 PM
SolutionI hate answering my own question on forums, but I did manage to figure it out on my own today. By default, only the Domain Admins group is delegated rights to view BitLocker keys. In Azure AD Domain Services you are only allowed to add accounts to the AAD DC Administrators group and cannot add anyone to the Domain Admins group. AAD DC Administrators doesn't have rights to see Bitlocker keys by default in any OU. So, there are two steps to resolve this.
Step 1 is to create your own OU and move the computers out of the AADDC Computers OU and into the one you just created. You have to do this because you don't have rights to delegate permissions in the AADDC Computers OU, but you can create a new OU at the root of the domain and you will have the ability to delegate permissions on that OU.
Step 2 is to delegate authority on that new OU to allow the AAD DC Administrators group to view Bitlocker recovery keys. I found instructions on this here: https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-ac...
Essentially, you have to give a user or group Full Access permissions to the msFVE-RecoveryInformation objects using a custom task to delegate. Only then can you view the keys in ADUC.