This tutorial in seven parts describes in detail how to configure Active Directory for BitLocker and gives valuable best practice tips.

You don’t have to go very far to hear a story about a laptop computer being stolen that contained the names and personal information of hundreds, thousands, or even tens of thousands of people. Whether they realize it or not, many organizations have employees that are carrying around company trade secrets or the personal information of employees, contractors, customers, patients, and/or students. In most cases, loss of these devices could have regulatory, legal, monetary, or reputation implications for not only the organization who lost the data, but for those whose personal information was lost.

What about your company’s sensitive data? What would happen if your closest competitor had the laptop of someone from your marketing or sales department and all of the data that resided on it? What if a missing laptop from a doctor at your hospital landed on the desk of a local news reporter? What if a faculty member at your university left a laptop in a coffee shop never to be seen again? These are all very real situations that could happen to your organization if you’re not taking precautions to ensure that data stored on these devices is protected from unauthorized access.

Luckily, Microsoft has a solution available for this very issue: BitLocker Drive Encryption. BitLocker is disk encryption for computers running Windows Vista and 7, Ultimate and Enterprise editions. Unfortunately, BitLocker does not support Windows 7 Business or Windows 7 Professional.) By itself, BitLocker can encrypt the contents of a drive to prevent unauthorized access. But, coupled with Active Directory, BitLocker can be managed with Group Policy and have its recovery information backed up transparently every time a drive is encrypted.

Configure Active Directory to backup BitLocker Recovery information

First, you’ll need to configure Active Directory to store all of your recovery information for your BitLocker encrypted devices. Don’t worry if you’ve already encrypted devices, you can still add this information to AD after you’ve performed the schema update. Just be aware that this information will not be added automatically once you update your AD schema.

To update your AD schema, you’ll need to ensure that all of your Domain Controllers are running Windows Server 2003 SP1 or higher and the account updating your schema must be a Schema Admin or an Enterprise Admin. Bitlocker does not require a minimum functional level for AD, but Microsoft highly recommends making sure that all of your DC’s are running a minimum of Server 2003 with SP1 so that your Bitlocker recovery information is only accessible by authorized users.

If you meet those requirements, download the self-extracting archive, “Configuring AD to Back up BitLocker and TPM Recovery Information.exe,” that contains: Add-TPMSelfWriteACE.vbs, BitLockerTPMSchemaExtension.ldf, List-ACEs.vbs, Get-TPMOwnerInfo.vbs, and Get-BitLockerRecoveryInfo.vbs. Extract the files to a folder on your Domain Controller.

Subscribe to 4sysops newsletter!

In the next post I will describe how to update the Active Directory Schema for BitLocker, write about the ACE settings and Password Recovery Viewer.

  1. Avatar
    Anthony 11 years ago

    Should Microsoft be trusted, given the “Eavesdropping by design” they engineered into Skype when they bought the company. Skype boasts AES 256 bit encryption, but a government, or criminal organisation with government access can now listen comfortably to any Skype conversation. Thanks for the tutorial.

  2. Avatar
    HuffLZW 11 years ago

    Skype’s own design is essentially of a mindboggling backdoor nature – it breaks through firewalls and does all sorts of shenanigans. All the tools to eavesdrop on Skype comms has been developed way before Microsoft’s purchase.

    Afaik, Microsoft was approached by UK Home office in order to implement backdoor in Bitlocker, but Microsoft refused.

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account