Lately I have been working on a deployment project where the customer wanted to enable BitLocker Drive Encryption on all computers with a TPM chip. Doing that is not that big a problem. As always, I extended the Active Directory schema so the clients were able to store the BitLocker Recovery Password in Active Directory.
I always use this guide from Microsoft:
http://www.microsoft.com/downloads/details.aspx?familyid=3A207915-DFC3-4579-90CD-86AC666F61D4&displaylang=en
1. Extend the AD schema: “ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .” The -c switch replaces the DC=X placeholder in the LDF file with a domain DN, and DC=nttest,dc=microsoft,dc=com is Microsoft's example domain, so substitute the distinguished name of your own domain. Run it as a member of Schema Admins; it is only required for domains whose schema predates Windows Server 2008 (the Windows Server 2008 schema already contains the BitLocker and TPM objects, and -k makes ldifde skip entries that already exist).
2. Grant computers the right to write their own TPM owner information with “cscript Add-TPMSelfWriteACE.vbs” (it adds a SELF write ACE for the ms-TPM-OwnerInformation attribute on the domain's computer objects).
3. Create and link a GPO to the OU containing the computers, with these settings (under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, and > System > Trusted Platform Module Services respectively):
“Turn on BitLocker backup to Active Directory” = Enabled (verify that the Require BitLocker backup to AD DS check box is selected, so BitLocker refuses to turn on when the backup cannot be written)
“Turn on TPM backup to Active Directory” = Enabled (verify that the Require TPM backup to AD DS check box is selected)
4. Verify the configuration using the tools and procedures described in the document.
5. Install the BitLocker Recovery Password Viewer for Active Directory Users and Computers and register its DLL.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2786fde9-5986-4ed6-8fe4-f88e2492a5bd&displaylang=en&Hash=mOWNFADTKH1Wp6mdULeEN2TfWfnzZjY8JPVp%2fzJwwJ4%2bX1GUBBWaX96E%2fXO%2bM1QeYxbbQFYjYxX1nKcvREB0sA%3d%3d
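Added example, not from the original post or from Microsoft's guide: the GPO in step 3 only backs up recovery passwords for protectors created after the policy applies, so computers that were encrypted before the rollout have to push their existing recovery passwords to AD DS themselves. The following PowerShell script does that with the manage-bde.wsf script that ships with Windows Vista / Server 2008, then checks the exit code of each backup. It assumes it runs elevated on the client, that manage-bde.wsf lives in System32, and that manage-bde lists each protector type on one line followed by an "ID: {GUID}" line (the layout the parser expects); on Windows 7 / Server 2008 R2 and later, call manage-bde.exe instead of cscript.

```powershell
# Added example, not part of the original post.
# Pushes every numerical (recovery) password protector of a volume to AD DS,
# for computers that were encrypted before the backup GPO applied.
# Assumptions: run elevated on the client; uses the Vista / Server 2008
# manage-bde.wsf script. On Windows 7 / 2008 R2+ use manage-bde.exe instead.
param([string]$Volume = "C:")

$ManageBde = Join-Path $env:SystemRoot "System32\manage-bde.wsf"

function Get-RecoveryProtectorIds([string]$Vol) {
    # Parse "manage-bde -protectors -get" output, which (assumed layout)
    # lists each protector type on its own line followed by an ID line:
    #     Numerical Password:
    #       ID: {E5A2....}
    $lines = @(& cscript //nologo $ManageBde -protectors -get $Vol)
    $ids = @()
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'Numerical Password:' -and
            $lines[$i + 1] -match 'ID:\s*(\{[0-9A-Fa-f\-]{36}\})') {
            $ids += $matches[1]
        }
    }
    return $ids
}

$ids = Get-RecoveryProtectorIds $Volume
if ($ids.Count -eq 0) {
    throw "No recovery password protector on $Volume; add one with: manage-bde -protectors -add $Volume -rp"
}

foreach ($id in $ids) {
    # -adbackup writes this protector's recovery password, together with the
    # volume and protector GUIDs, to an msFVE-RecoveryInformation child object
    # of the computer account; it needs a reachable writable DC and the SELF
    # permissions granted in step 2.
    & cscript //nologo $ManageBde -protectors -adbackup $Volume -id $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "AD backup failed for protector $id (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Backed up recovery password $id for $Volume to AD DS"
    }
}
```

Run it once per encrypted volume (for example `.\Push-BitLockerRecovery.ps1 -Volume C:`), then confirm on a domain controller that a new msFVE-RecoveryInformation object appeared under the computer account; a non-zero exit code usually means the computer cannot write to its own object, which is exactly what the Require BitLocker backup to AD DS option guards against for new installations.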
But I had a problem! I could NOT install the Viewer; it's NOT supported on Windows Server 2008 Service Pack 2 or Windows Vista Service Pack 2, only on Service Pack 1 systems. So creating this new environment using Windows Server 2008 SP2 and Vista SP2 left me with only one option: install a Windows Vista SP1 machine (easiest, for me!).
So if you want to view the recovery keys from a graphical user interface, you will have to install either a server running Windows Server 2008 SP1 or a client running Windows Vista SP1 with the RSAT tools installed.
I will update this article when the BitLocker Recovery Password Viewer is supported in a Service Pack 2 environment.
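Added example, not part of the original post: the Viewer is only a front end for objects that are readable over LDAP, so the recovery information can be read from any domain-joined machine with System.DirectoryServices, which removes the dependency on the SP1-only snap-in. The script below assumes the caller is logged on to the forest and has read access to the msFVE-RecoveryInformation objects (by default only Domain Admins have it); the computer name, the optional -PasswordId parameter and the helper function names are assumptions for this example.

```powershell
# Added example, not part of the original post.
# Lists the BitLocker recovery information stored under a computer object
# using System.DirectoryServices only, i.e. without the Recovery Password
# Viewer snap-in. Assumes the caller is logged on to the forest and has
# read access to msFVE-RecoveryInformation objects (by default only
# Domain Admins). -PasswordId is the 8-character ID shown on the BitLocker
# recovery screen, used to select one password when several are stored.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$PasswordId
)

function Convert-OctetStringToGuid([byte[]]$Bytes) {
    # msFVE-RecoveryGuid and msFVE-VolumeGuid are stored as octet strings.
    return New-Object System.Guid (,$Bytes)
}

# Find the computer object in the current domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$hit = $searcher.FindOne()
if ($hit -eq $null) { throw "Computer '$ComputerName' not found in $domainDN" }
$computer = $hit.GetDirectoryEntry()

# TPM owner information is an attribute of the computer object itself.
$tpmBackedUp = $computer.Properties["msTPM-OwnerInformation"].Count -gt 0
Write-Host "TPM owner information in AD: $tpmBackedUp"

# Recovery passwords are msFVE-RecoveryInformation child objects, one per
# recovery password protector; their CN is "<timestamp>{<recovery GUID>}".
$child = New-Object System.DirectoryServices.DirectorySearcher($computer)
$child.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$child.Filter = "(objectClass=msFVE-RecoveryInformation)"
[void]$child.PropertiesToLoad.AddRange(@(
    "msFVE-RecoveryGuid", "msFVE-VolumeGuid", "msFVE-RecoveryPassword", "whenCreated"))

foreach ($r in $child.FindAll()) {
    $recoveryGuid = Convert-OctetStringToGuid $r.Properties["msfve-recoveryguid"][0]
    $volumeGuid   = Convert-OctetStringToGuid $r.Properties["msfve-volumeguid"][0]
    # The Password ID shown by the Viewer and on the recovery screen is the
    # first 8 characters of the recovery GUID, so filter on that prefix.
    if ($PasswordId -and ($recoveryGuid.ToString() -notlike "$PasswordId*")) { continue }
    # Without read permission on the attribute the password is simply absent
    # from the result, so report that rather than failing.
    $password = if ($r.Properties["msfve-recoverypassword"].Count -gt 0) {
        $r.Properties["msfve-recoverypassword"][0]
    } else { "<no read access to msFVE-RecoveryPassword>" }
    New-Object PSObject -Property @{
        PasswordId       = $recoveryGuid.ToString().Substring(0, 8).ToUpper()
        RecoveryGuid     = $recoveryGuid
        VolumeGuid       = $volumeGuid
        Created          = $r.Properties["whencreated"][0]
        RecoveryPassword = $password
    }
}
```

Usage: `.\Get-BitLockerRecovery.ps1 -ComputerName WS001 -PasswordId 6C8D6D3E` returns the matching recovery password; omit -PasswordId to list every password stored for the computer. Anyone who can run this successfully can unlock the corresponding volume, so treat read access to msFVE-RecoveryPassword as equivalent to possession of the drive's data and delegate it deliberately rather than to broad groups.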
Notes:
When a client stores the recovery password in Active Directory, the information sent is protected by Kerberos, and the keys stored in Active Directory are protected by ACLs: by default only Domain Admins can read BitLocker recovery information, and since a recovery password unlocks the volume, any delegation of that read access should be as narrow as the drive data warrants.
How to use the BitLocker Recovery Password Viewer
http://support.microsoft.com/default.aspx/kb/928202
************UPDATE**************
Microsoft has just released KB928202: BitLocker Recovery Password Viewer for Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=16088271-f95d-4c5c-9ea9-03746c96ffff
Posted 02-16-2010 21:52 by Jens Ole Kragh