
BitLocker recovery key delegation via PowerShell

Hello admins!

In the A better way to delegate control for Bitlocker recovery keys post by @DerWoWusste we were introduced to an approach that avoids delegating full control to IT techs who are supposed to be able to find BitLocker recovery keys.

I have a question regarding an implementation of the same thing, but in PowerShell.
I work in an education organization that supports 140 schools. One of the MSPs that we're working with services 83 of them.
I need to delegate to their (MSP) IT Tech AD group read permissions for BitLocker keys in the corresponding OUs (domain/Resources/<SchoolCode>/Windows Computers).
The closest I found was the TechNet post that the OP was complaining about as not working.

I have some PS experience in ExchangeOnline (the link leads to a SpiceWorks O365-related question of mine that I answered myself), but I'm not sure what to start with in this case.
Please nudge me in the right direction.


Member: DerWoWusste
DerWoWusste Dec 20, 2021 at 08:42:25 (UTC)

The confidentiality bit is set using the control access parameter CA.
DSACLS "OU=Test,OU=computers,DC=dom,DC=local" /I:S /G "mydom\helpdesk:CA"
However, testing that, I did not succeed to limit this control access to certain attributes only.
Member: colinardo
Solution colinardo Dec 20, 2021 updated at 15:18:34 (UTC)
Hi @nekku6, welcome!

If you want to create the delegation with pure PowerShell, you can do it like this. This grants read access and sets the confidentiality bit on subordinate msFVE-RecoveryInformation objects for a defined OU and user/group.

As @DerWoWusste already mentioned, restricting the extended right to only the attribute msFVE-RecoveryPassword is not possible; it must be delegated to the whole msFVE-RecoveryInformation object.

Regards @colinardo
Member: DerWoWusste
DerWoWusste Dec 20, 2021 at 13:42:41 (UTC)
I could confirm this to be working!
Member: nekku6
nekku6 Dec 21, 2021 updated at 02:13:27 (UTC)
Hi @colinardo,
Thank you, that worked for me! It gives all sorts of additional reading rights, but it should be fine.
Although, I still have a quick question for you on how you found the IDs used in the rule creation. I assume there should be something describing that, like they have for Exchange cmdlets' switches, but I'm not sure what to ask for to look it up.

And thank you @DerWoWusste for inspiring me to keep investigating and for introducing me to this site!

BTW, it took less than 2 seconds compared to what I'd imagine would be a tedious whole day of clicking.
Just in case anyone who's new to PS reads the article and maybe finds this useful, here's my foreach modification for this script.
Member: colinardo
colinardo Dec 21, 2021 updated at 06:44:56 (UTC)
You can find the GUIDs easily in your AD Schema, for example, for the attributes
Or via the GUI by opening adsiedit.msc and connecting to your schema context.
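The delegation described in colinardo's answer (read access plus the control-access right on msFVE-RecoveryInformation objects below an OU), combined with nekku6's idea of looping over several school OUs and colinardo's note that the class GUID comes from the schema, as an added example that is not the thread's own script. The group name, domain DN and school codes are placeholders; the only real identifiers are the ActiveDirectory cmdlets and the .NET ActiveDirectoryAccessRule constructor.

```powershell
# Added example, not the thread's own script. Delegates read access to BitLocker
# recovery information (msFVE-RecoveryInformation objects) under school OUs to an
# MSP technician group, the PowerShell counterpart of the DSACLS ":CA" grant.
# Group name, domain DN and school codes are placeholders (assumptions).
Import-Module ActiveDirectory

function Grant-BitLockerRecoveryRead {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    # Look up the schemaIDGUID of the msFVE-RecoveryInformation class in the schema
    # partition instead of hard-coding it; it scopes the inherited ACE to that class.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $fveClass = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
    $fveGuid = [guid]$fveClass.schemaIDGUID

    $sid = (Get-ADGroup -Identity $GroupName).SID

    # GenericRead lets the group read the object; ExtendedRight with an empty object
    # GUID is the "Control Access" right needed to read confidential attributes such as
    # msFVE-RecoveryPassword. Inheritance: descendant msFVE-RecoveryInformation objects only.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ExtendedRight',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $fveGuid)

    $path = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Return the ACEs the group now holds on this OU so the result can be verified.
    (Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# Apply the delegation to every school OU serviced by the MSP (placeholder codes).
$mspGroup    = 'MSP-ITTechs'
$schoolCodes = 'SCH001', 'SCH002', 'SCH003'
foreach ($code in $schoolCodes) {
    $ou = "OU=Windows Computers,OU=$code,OU=Resources,DC=domain,DC=local"
    Grant-BitLockerRecoveryRead -GroupName $mspGroup -OuDistinguishedName $ou |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType
}
```

Run it as an account that may modify the OU's security descriptor; the returned ACEs should show GenericRead and ExtendedRight with InheritedObjectType equal to the msFVE-RecoveryInformation class GUID, which is also what to look for when auditing who can read recovery keys.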