This tutorial in seven parts describes in detail how to configure Active Directory for BitLocker and gives valuable best practice tips.

You don’t have to go very far to hear a story about a laptop computer being stolen that contained the names and personal information of hundreds, thousands, or even tens of thousands of people. Whether they realize it or not, many organizations have employees that are carrying around company trade secrets or the personal information of employees, contractors, customers, patients, and/or students. In most cases, loss of these devices could have regulatory, legal, monetary, or reputation implications for not only the organization who lost the data, but for those whose personal information was lost.

What about your company’s sensitive data? What would happen if your closest competitor had the laptop of someone from your marketing or sales department and all of the data that resided on it? What if a missing laptop from a doctor at your hospital landed on the desk of a local news reporter? What if a faculty member at your university left a laptop in a coffee shop never to be seen again? These are all very real situations that could happen to your organization if you’re not taking precautions to ensure that data stored on these devices is protected from unauthorized access.

Luckily, Microsoft has a solution available for this very issue: BitLocker Drive Encryption. BitLocker is disk encryption for computers running the Ultimate and Enterprise editions of Windows Vista and Windows 7. (Unfortunately, BitLocker does not support Windows 7 Business or Windows 7 Professional.) By itself, BitLocker can encrypt the contents of a drive to prevent unauthorized access. But, coupled with Active Directory, BitLocker can be managed with Group Policy and have its recovery information backed up transparently every time a drive is encrypted.

Configure Active Directory to back up BitLocker Recovery information

First, you’ll need to configure Active Directory to store all of the recovery information for your BitLocker-encrypted devices. Don’t worry if you’ve already encrypted devices: you can still add this information to AD after you’ve performed the schema update. Just be aware that recovery information for devices encrypted before the schema update will not be added to AD automatically.

To update your AD schema, you’ll need to ensure that all of your Domain Controllers are running Windows Server 2003 SP1 or higher, and the account updating the schema must be a Schema Admin or an Enterprise Admin. BitLocker does not require a minimum functional level for AD, but Microsoft strongly recommends that all of your DCs run at least Server 2003 with SP1 so that your BitLocker recovery information is accessible only to authorized users.

If you meet those requirements, download the self-extracting archive, “Configuring AD to Back up BitLocker and TPM Recovery Information.exe,” that contains: Add-TPMSelfWriteACE.vbs, BitLockerTPMSchemaExtension.ldf, List-ACEs.vbs, Get-TPMOwnerInfo.vbs, and Get-BitLockerRecoveryInfo.vbs. Extract the files to a folder on your Domain Controller.
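Before importing the .ldf, it is worth confirming the three requirements above from the account that will do the schema update. The following PowerShell pre-flight check is an added example, not code from the 4sysops post or from Microsoft’s package; it assumes the RSAT ActiveDirectory module is installed, and the function name is mine. The class it looks for, ms-FVE-RecoveryInformation, is the schema class the .ldf creates.

```powershell
# Added pre-flight check (not part of the original post). Assumes the RSAT
# ActiveDirectory module and that it runs as the account that will import the .ldf.
Import-Module ActiveDirectory

function Test-BitLockerSchemaPrereqs {
    $ok = $true

    # 1. Every DC must run Windows Server 2003 SP1 or later so that the
    #    recovery data stays restricted to authorized users.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemServicePack
    $dcs | Format-Table -AutoSize
    $tooOld = $dcs | Where-Object {
        $_.OperatingSystem -match '2000' -or
        ($_.OperatingSystem -match '2003' -and -not $_.OperatingSystemServicePack)
    }
    if ($tooOld) {
        Write-Warning "DCs below Server 2003 SP1: $($tooOld.HostName -join ', ')"
        $ok = $false
    }

    # 2. The schema update must run as a Schema Admin or Enterprise Admin.
    #    Read the group SIDs from the current token and translate those that resolve.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $id.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    if (-not ($groups -match 'Schema Admins|Enterprise Admins')) {
        Write-Warning "$($id.Name) is neither a Schema Admin nor an Enterprise Admin"
        $ok = $false
    }

    # 3. Has the schema already been extended? The .ldf adds the
    #    ms-FVE-RecoveryInformation class; forests whose schema is already at
    #    Windows Server 2008 or later ship it by default, so the import is unnecessary.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-FVE-RecoveryInformation)'
    if ($cls) {
        Write-Host 'Schema already contains ms-FVE-RecoveryInformation; skip the .ldf import.'
    } else {
        Write-Host 'Schema not yet extended; proceed with BitLockerTPMSchemaExtension.ldf.'
    }

    return $ok
}

Test-BitLockerSchemaPrereqs
```

Run it from the Domain Controller where you extracted the archive; a return value of False means at least one prerequisite is not met and the import should wait.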


In the next post I will describe how to update the Active Directory schema for BitLocker, and I will cover the ACE settings and the Password Recovery Viewer.

2 Comments
  1. Anthony 11 years ago

    Should Microsoft be trusted, given the “Eavesdropping by design” they engineered into Skype when they bought the company? Skype boasts AES 256-bit encryption, but a government, or a criminal organisation with government access, can now listen comfortably to any Skype conversation. Thanks for the tutorial.
    http://en.wikipedia.org/wiki/Skype_security

  2. HuffLZW 11 years ago

    Skype’s own design is essentially of a mindboggling backdoor nature – it breaks through firewalls and does all sorts of shenanigans. All the tools to eavesdrop on Skype comms had been developed way before Microsoft’s purchase.

    Afaik, Microsoft was approached by the UK Home Office in order to implement a backdoor in BitLocker, but Microsoft refused.

© 4sysops 2006 - 2023