bitlocker management via ActiveRoles, anyone?

We've switched a couple of times in my tenure between expensive and complex encryption products ... moving from one hot mess to another.

They get the job done, but each baby comes with its own special formula and brand of diaper.

Now, we're looking at BitLocker. I've been asked to provide information on what ActiveRoles features are available for managing access to BitLocker information for our helpdesk. This forum has some posts, but nothing useful written in this century. Does anyone use BitLocker in their environment and use ActiveRoles to provide delegated access to host keys etc.? Do you have a link to additional quality information about how/what ARS provides along these lines?

I see the link in the web interface(s) and have followed the rabbit trail there, but I'm looking for some reading material... or advice.

thanks

  • Hi,

    We're using this functionality - BitLocker stores the keys in AD and by default AR doesn't allow anybody to see any of that info. I then allow read + list access to the attribute "ms-FVE-RecoveryInformation" which exposes the information in the BitLocker tab of computer objects and allows delegated admins to copy the keys from the object page.

    I combine this access template with access to the LAPS attribute which we use for storing the computer's random/unique local Administrator password. In this way, certain delegated AR service desks can see both the local admin password of a machine and the BitLocker recovery keys. They cannot make any changes to either (that's what the machine does itself, directly in AD). Hope this helps; cheers,

    Michiel


    Edit: Sorry, have to correct myself here - checked up on our setup and it's slightly different:

    • By default, when someone has permission to "Read all Properties" on all classes, they can see the BitLocker keys as well
    • To hide BitLocker keys for generic staff, I blocked access for all users to all properties for class "ms-FVE-RecoveryInformation" (so it's not an attribute for the computer object!)
    • To allow some people to see the keys, I again allow access to class "ms-FVE-RecoveryInformation"; this is what that allow policy looks like (top 2 values are for LAPS, bottom 2 for BitLocker):
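    As an added practical check that is not part of Michiel's post: an ActiveRoles access template controls what delegated admins see through ActiveRoles, but the recovery password also lives in Active Directory itself, so the native ACL on each msFVE-RecoveryInformation object is worth auditing alongside the template. The PowerShell below is my own example (RSAT ActiveDirectory module assumed; the computer name WKS-0001 is a placeholder). It walks a computer's recovery objects and lists every identity whose ACE grants ReadProperty on either all properties or specifically on msFVE-RecoveryPassword, which is what actually exposes the key outside ActiveRoles.

```powershell
# Added example (not from the original thread): list who can read a computer's
# BitLocker recovery passwords at the AD level. Requires the RSAT ActiveDirectory
# module; 'WKS-0001' is a placeholder computer name.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryReaders {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )

    $computer = Get-ADComputer -Identity $ComputerName

    # One msFVE-RecoveryInformation child object exists per recovery password.
    $recoveryObjects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"'

    # Resolve the schemaIDGUID of msFVE-RecoveryPassword so attribute-scoped ACEs
    # can be recognised without hard-coding the GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $pwdAttr  = Get-ADObject -SearchBase $schemaNC -Filter 'lDAPDisplayName -eq "msFVE-RecoveryPassword"' `
        -Properties schemaIDGUID
    $pwdGuid  = [guid]$pwdAttr.schemaIDGUID
    $allProps = [guid]::Empty   # an empty ObjectType means the ACE covers all properties

    $readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    foreach ($obj in $recoveryObjects) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # GenericRead and GenericAll both include the ReadProperty bit, so testing
            # that bit plus the property scope catches every variant that reveals the key.
            $hasReadProperty = (([int]$ace.ActiveDirectoryRights) -band $readProperty) -ne 0
            $scopeMatches    = ($ace.ObjectType -eq $allProps) -or ($ace.ObjectType -eq $pwdGuid)

            if ($hasReadProperty -and $scopeMatches) {
                [pscustomobject]@{
                    RecoveryObject = $obj.Name
                    Identity       = $ace.IdentityReference.Value
                    Rights         = $ace.ActiveDirectoryRights
                    Inherited      = $ace.IsInherited
                }
            }
        }
    }
}

Get-BitLockerRecoveryReaders -ComputerName 'WKS-0001' | Format-Table -AutoSize
```

    Anything reported here can read the recovery password with plain LDAP, bypassing whatever ActiveRoles template is or is not in place, so the two views should agree before the helpdesk is told the keys are locked down.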

  • Michael - thanks for that feedback. My organization moves at the speed of dirt... and now that they've approached me about using ARS to enable management of BitLocker keys so we can dump the more expensive 3rd-party solutions, I needed this type of info. Timely. Wish Quest had more of an executive summary of these capabilities to sell internally. I'm doing a poor job of it.

  • Hi Michael,

    This is exactly what I'm trying to achieve.

    How did you block all other users? I'm asking because using generic groups like Everyone or Domain Users blocks the access even for the intended readers, who are obviously also members of the generic group used for the deny rule.

    Are you applying the rules on the same OU or root level?

    Thanks,

    Donat

  • How do I retrieve the BitLocker information through PowerShell?

  • The object class for BitLocker info is msFVE-RecoveryInformation and the attributes you might be interested in are msFVE-RecoveryPassword for the password and msFVE-KeyPackage for the related key package.

  • Thanks Richard, I know the attribute details, but when I try to fetch the computer properties, this is not visible.

    Any command to get the details, or any suggestion, please?

  • The object class is not Computer but msFVE-RecoveryInformation. These attributes do not reside on the Computer object. The parent DN of the msFVE-RecoveryInformation object is the Computer object.

  • Have you tried Get-QADObject with -Type 'msFVE-RecoveryInformation'?

  • It is not working; can you share the complete syntax?

  • Did a bit more digging and found this article that speaks to a native Powershell command for pulling this information:

    https://docs.microsoft.com/en-us/powershell/module/mbam/read-adrecoveryinformation?view=win-mdop2-ps

    AR doesn't implement any virtual attributes that I can see to show this information, so if you want to present the information in the WebUI, you might have to come up with some of your own, for example:

    edsvaBitLockerRecoveryPasswordID

    The BitLocker data is a child object of the Computer Account.  There's not really much there to pull (at least based on the above article) and I would imagine that the 'RecoveryPackage' is probably some kind of binary blob that will be somewhat challenging to manipulate.

    Hope this helps some.
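  • Added example, not posted by anyone in the thread: the complete syntax asked for above, in native PowerShell with the RSAT ActiveDirectory module (the ActiveRoles Management Shell equivalent of the first query is Get-QADObject with -Type 'msFVE-RecoveryInformation', -SearchRoot set to the computer's DN and -IncludedProperties msFVE-RecoveryPassword). It shows the three things a helpdesk actually does: list a computer's recovery passwords, find the computer that owns the 8-character Recovery Key ID a user reads off the BitLocker recovery screen, and write the binary msFVE-KeyPackage blob to disk for repair-bde. The computer name WKS-0001, the Key ID and the output path are placeholders.

```powershell
# Added example (not from the original thread). Requires the RSAT
# ActiveDirectory module. 'WKS-0001', 'A1B2C3D4' and the output path are placeholders.
Import-Module ActiveDirectory

# Recovery information is not on the computer object; it is a child object of class
# msFVE-RecoveryInformation whose CN looks like
#   2023-03-14T09:26:53-00:00{4D7F8C1A-....}
# The Recovery Key ID shown on the BitLocker recovery screen is the first 8 hex
# digits of that GUID, which is also stored in msFVE-RecoveryGuid.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
    Sort-Object whenCreated -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Computer         = $computer.Name
            Created          = $_.whenCreated
            RecoveryKeyId    = ([guid]$_.'msFVE-RecoveryGuid').Guid.Substring(0, 8).ToUpper()
            VolumeGuid       = [guid]$_.'msFVE-VolumeGuid'
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Reverse lookup: from the Key ID on the recovery screen to the owning computer.
# The CN embeds the GUID, so a wildcard on the name attribute finds the object
# anywhere in the domain; its parent DN is the computer object.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$RecoveryKeyId
    )

    Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$RecoveryKeyId-*))" `
        -Properties msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        # Split off the first RDN at the first unescaped comma to get the parent DN.
        $computerDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# msFVE-KeyPackage is an opaque binary blob; there is nothing to parse, just write the
# bytes out so repair-bde can consume them with its -KeyPackage option.
function Export-BitLockerKeyPackage {
    param(
        [Parameter(Mandatory)][string]$RecoveryObjectDn,
        [Parameter(Mandatory)][string]$Path
    )

    $obj = Get-ADObject -Identity $RecoveryObjectDn -Properties msFVE-KeyPackage
    if (-not $obj.'msFVE-KeyPackage') {
        throw "No key package stored on $RecoveryObjectDn"
    }
    [System.IO.File]::WriteAllBytes($Path, [byte[]]$obj.'msFVE-KeyPackage')
}

# Usage
$info = Get-BitLockerRecoveryInfo -ComputerName 'WKS-0001'
$info | Format-Table Computer, Created, RecoveryKeyId, RecoveryPassword -AutoSize

Find-BitLockerRecoveryPassword -RecoveryKeyId 'A1B2C3D4' | Format-Table -AutoSize

if ($info) {
    Export-BitLockerKeyPackage -RecoveryObjectDn $info[0].DistinguishedName -Path 'C:\Temp\WKS-0001.kp'
}
```

    Both lookups search for objects of class msFVE-RecoveryInformation rather than reading computer properties, which is why Get-ADComputer on its own never shows the keys, and they return nothing at all unless the account running them has read access to those child objects, so a blank result is the permission problem discussed earlier in the thread, not a scripting error.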