BitLocker - non-domain admin abilities to write to AD

SMertz01 21 Reputation points
2021-11-17T18:05:02.48+00:00

Hello,

Working on setting up BitLocker to save the keys to AD, but can't seem to find an answer to my big question. We have non-domain administrators at locations that have been granted delegation rights to their AD OUs. While setting up BitLocker, I created a security group and added these admins to it, delegated them the additional full access rights to msFVE-RecoveryInformation attribute, which gives them rights to see the BitLocker keys in a machine's properties, but can they write the keys to AD when setting up machines?

If they run the command "manage-bde.exe -on C: -recoverypassword", will the keys be written to AD, or does this require domain admin rights?

Thanks.


Accepted answer
  1. MTG 1,236 Reputation points
    2021-11-18T09:32:14.387+00:00

    Even if a local admin (no domain account, but a local account) encrypts a disk, the recovery key will be written to the computer object in AD, if you just enabled the GPOs to automatically backup the key.

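A way to confirm what the accepted answer describes on a test machine, as an added example written for this thread rather than code from the poster or from Microsoft: it reads the policy values the "automatic backup" GPO sets, escrows the C: recovery password the same way the manage-bde command in the question does (PowerShell equivalents), and then lists the msFVE-RecoveryInformation objects under the computer account. It assumes an elevated session on a domain-joined client with BitLocker already on, the RSAT ActiveDirectory module installed, and an account that can read the recovery objects (the delegated group from the question); the function names are chosen here.

```powershell
# Added example, not from the thread. Assumes: elevated session on a domain-joined client,
# BitLocker module present (built in), RSAT ActiveDirectory module installed.
Import-Module BitLocker
Import-Module ActiveDirectory

function Test-BitLockerAdEscrowPolicy {
    # Values written by the GPO "Choose how BitLocker-protected operating system drives can be recovered".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAd      = ($fve.OSActiveDirectoryBackup -eq 1)
        # When set, BitLocker refuses to turn on until the key has reached AD (fail closed).
        RequireAdBackup = ($fve.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Same effect as "manage-bde -protectors -add C: -recoverypassword".
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    # The escrow itself is performed by the BitLocker service using the computer account,
    # which is why the logged-on user's AD rights do not decide whether it succeeds.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $rp.KeyProtectorId
}

function Get-RecoveryInfoInAd {
    # Recovery objects are children of the computer object; the object name embeds the
    # backup timestamp and the recovery GUID, which is enough to match against the local ID.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } | Select-Object Name
}

Test-BitLockerAdEscrowPolicy
$ids = Backup-RecoveryPasswordToAd -MountPoint 'C:'
$ids | ForEach-Object { "Escrowed protector $_" }
Get-RecoveryInfoInAd
```

If the policy check shows BackupToAd as false, nothing escrows automatically regardless of who runs manage-bde; the explicit Backup-BitLockerKeyProtector call above still works, but the machine will not do it on its own.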

1 additional answer

  1. SMertz01 21 Reputation points
    2021-11-18T13:33:23.95+00:00

    Thanks. Did some additional testing and found that to be true.
