Part 2 in this series about BitLocker and Active Directory explains how to update the Active Directory Schema, how to configure additional Access Control Entry (ACE) settings, and how to install the BitLocker Password Recovery Viewer.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

If you installed a Domain Controller running Windows Server 2008 Beta 3 or later (yes, this was taken directly from Microsoft documentation… I hope you didn’t have a DC running a beta product in your production forest!), the schema extensions described here are already in place.

Updating the Active Directory Schema for BitLocker

You can check whether the attributes are available by running ADSI Edit and looking for the BitLocker recovery schema object CN=ms-FVE-RecoveryInformation. The screenshots below give you an idea of what you’ll see: screenshot 1 is a Windows Server 2003 R2 SP2 Domain Controller; screenshot 2 is a Windows Server 2008 R2 SP2 Domain Controller. As you can see, the Server 2008 R2 DC has the required schema extensions and the Server 2003 R2 DC does not.
BitLocker Active Directory - Windows Server 2003 R2 DC Schema

BitLocker Active Directory - Windows 2008 R2 DC Schema

Assuming you need a schema update, run the command:

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=atl,dc=trekker,dc=net" -k -j .

Just a few notes, since I’ve hit these snags just about every time I’ve done this: first, you’ll obviously need to replace the domain with your own, and make sure you use the fully qualified domain name. Second, leave the DC=X option as is… don’t mess with it. Lastly, don’t miss the trailing period (it is the log directory passed to -j) or the command will fail. Assuming everything goes well, you should get a “The command has completed successfully.” message. Checking in on my Windows Server 2003 R2 DC, you’ll see that the schema extensions are now a part of AD:

BitLocker Active Directory - Windows Server 2003 R2 DC with Schema Update
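As an added check (my own PowerShell, not part of the article), the following script looks up the BitLocker/TPM schema definitions the same way you would in ADSI Edit, so you can confirm before and after the ldifde import whether the extension is actually needed. It uses plain ADSI instead of the ActiveDirectory module so it also runs against a Windows Server 2003 R2 DC; the attribute names other than ms-FVE-RecoveryInformation are taken from the BitLocker schema extension as I know it, not from the article.

```powershell
# Added example: check whether the BitLocker/TPM schema extensions are present.
# Uses ADSI only, so it works without the ActiveDirectory module (for example
# against a Windows Server 2003 R2 DC). Run as a domain user with read access.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNC"

# Definitions that BitLockerTPMSchemaExtension.ldf is expected to add. The first is
# the class the article looks for in ADSI Edit; the rest are assumed from the
# BitLocker schema extension and are not listed in the article.
$expected = @(
    'ms-FVE-RecoveryInformation',
    'ms-FVE-RecoveryPassword',
    'ms-FVE-RecoveryGuid',
    'ms-FVE-VolumeGuid',
    'ms-FVE-KeyPackage',
    'ms-TPM-OwnerInformation'
)

function Test-SchemaObject([string]$Cn) {
    # Schema definitions are direct children of the Schema container, keyed by CN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter      = "(cn=$Cn)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    $searcher.FindOne()
}

$missing = @()
foreach ($name in $expected) {
    $result = Test-SchemaObject $name
    if ($null -eq $result) {
        $missing += $name
        Write-Host ("MISSING  {0}" -f $name)
    } else {
        $kind = if ($result.Properties['objectclass'] -contains 'classSchema') { 'class' } else { 'attribute' }
        Write-Host ("present  {0} ({1})" -f $name, $kind)
    }
}

if ($missing.Count -eq 0) {
    Write-Host "All BitLocker/TPM schema definitions are present; the ldifde import is not needed."
} else {
    Write-Host ("{0} definition(s) missing; run the ldifde import described above." -f $missing.Count)
}
```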

Set ACE for Backing up TPM Information

If you want to back up TPM owner information, you’ll need to add an additional access control entry (ACE). To do so, run the following command:

cscript Add-TPMSelfWriteACE.vbs

Hopefully, you’ll get the same success message I got:

BitLocker Active Directory - ACE Update Success

Installing the BitLocker Password Recovery Viewer

To view your BitLocker recovery information in Active Directory, you’ll need to install the BitLocker Password Recovery Viewer. It is essentially a plugin for Active Directory Users and Computers that adds an additional tab to any computer object’s properties. Like any other feature of Windows Server, the BitLocker Password Recovery Viewer must be turned on in Server Manager. In Server Manager, go to Features (in the left-hand column) and click Add Features.

BitLocker Active Directory - Server Manager Add Feature

In the Add Features Wizard, scroll down to Remote Server Administration Tools, Feature Administration Tools, BitLocker Drive Encryption Administration Utilities, check BitLocker Recovery Password Viewer, click Next, and click Install.

BitLocker Active Directory - Add Features Wizard

Now, go into Active Directory Users and Computers. Find any computer object and double-click on it to open the Properties. You should now see a BitLocker Recovery tab in the Computer Properties.

BitLocker Active Directory - ADUC Comp Properties with BitLocker Tab

Note: The instructions above are for Windows Server 2008 R2. If you are managing your Active Directory from a Windows 7 workstation, first install the Remote Server Administration Tools (http://www.microsoft.com/download/en/details.aspx?id=7887) if you don’t already have them installed. Next, go to Control Panel, Programs and Features, Turn Windows features on or off. Scroll down to Remote Server Administration Tools, Feature Administration Tools, check BitLocker Password Recovery Viewer, and click OK to install.

BitLocker Password Recovery Viewer
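The GUI tab shows one computer at a time. For an audit of the whole domain, the following is my own added PowerShell (not from the article) that does the equivalent lookup for every computer and reports how many recovery objects each one has escrowed, without reading any recovery password; it assumes the ActiveDirectory module from RSAT is available.

```powershell
# Added example: report, per computer, how many BitLocker recovery objects are
# escrowed in AD. Recovery objects are child objects of the computer account with
# the LDAP class msFVE-RecoveryInformation (ADSI Edit shows the schema CN as
# ms-FVE-RecoveryInformation). The recovery passwords themselves are never read.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the audit.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated)
        $newest = $null
        if ($keys.Count -gt 0) {
            $newest = ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
        }
        New-Object PSObject -Property @{
            Computer     = $computer.Name
            RecoveryKeys = $keys.Count
            NewestKey    = $newest
        }
    }
}

# Computers with no escrowed key are listed first so gaps in the backup policy stand out.
Get-BitLockerEscrowReport |
    Sort-Object RecoveryKeys, Computer |
    Format-Table Computer, RecoveryKeys, NewestKey -AutoSize
```

Machines that encrypted before the Group Policy backup requirement was in place, or that never reached a DC during encryption, show up with zero keys and need their recovery information re-escrowed.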

2 Comments
  1. Deb 4 years ago

    very well written, useful information. Thank you!


  2. Ryan 1 year ago

    Where can I download the LDF file?



© 4sysops 2006 - 2019
