Thursday, April 17, 2014

How to Enable BitLocker, Automatically save Keys to Active Directory

When using BitLocker (disk encryption) on endpoints, the Trusted Platform Module (TPM) chip must be enabled and activated in the BIOS. It is disabled by default, so BitLocker will not work out of the box when you rely on the ConfigMgr functionality; enabling the TPM is a prerequisite BEFORE running the deployment task sequence. When using BitLocker within ConfigMgr you must select "Configure task sequence for use with BitLocker" in the task sequence wizard. That way the "Pre-provision BitLocker" step is added after the "Format and Partition Disk" step, and an "Enable BitLocker" step is added at the end of the task sequence, which saves the BitLocker recovery key in Active Directory Domain Services (AD DS). By default, however, the recovery key cannot be found in Active Directory. In this blog post I show you which configuration is needed to find the recovery key.
Log on to your Domain Controller first and check the operating system version installed. If you use a domain controller running Windows Server 2003 with SP1 or SP2, you need to apply the schema extension to store BitLocker and TPM passwords in Active Directory. This file can be downloaded from the BitLocker and TPM Schema Extension page. If you are running Windows Server 2008 (R2) or 2012 (R2) there is no need to do the schema update; these operating systems already include the necessary schema extensions. Another thing to do is to delegate write permissions on the msTPM-OwnerInformation attribute to the "SELF" account. Tom Acker has a great article on how to do this on the TechNet blog. Essentially you open the Active Directory Users and Computers MMC, right-click the OU where your computers are (or the domain root) and delegate rights to the SELF account using a "custom task" scoped to Computer objects only. You tick General, Property-specific and Create/deletion to show the permissions, and then grant "Write msTPM-OwnerInformation".

To see the information that is stored in AD, you need to install the BitLocker Recovery Password Viewer, which is a component of the Remote Server Administration Tools (RSAT). On your 2008 R2 Domain Controller(s) you simply start the "Add a feature" wizard, navigate to RSAT / Feature Administration Tools and select the BitLocker Drive Encryption Administration Utilities. For older operating system versions it can be downloaded from the Microsoft Download Center too. Once the viewer has been added (or installed), you can open the Active Directory Users and Computers MMC and open the Properties page of any computer account to see the BitLocker Recovery tab. There you will see all of the Recovery IDs and passwords that have been generated for all drives encrypted by that computer. In my case the BitLocker recovery key was already available after these simple steps. When you don't use ConfigMgr for BitLocker activation you can use Group Policy to do the job as well; have a look at Microsoft TechNet for more information on that. Hope this information is useful!
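The Recovery Password Viewer shows one computer at a time. To check across a whole OU that the "Enable BitLocker" step and the SELF delegation actually resulted in escrowed keys, the following PowerShell script (an added example, not part of the original post) counts the msFVE-RecoveryInformation child objects under each computer account and lists the computers that have none. It assumes the ActiveDirectory RSAT module is installed, that it runs as an account allowed to read the recovery information objects (by default Domain Admins), and that the OU path is replaced with your own; it deliberately does not read the msFVE-RecoveryPassword attribute itself.

```powershell
# Added example (not from the original post): audit which computer objects in an OU
# have a BitLocker recovery key escrowed in Active Directory.
# Placeholder OU; replace with the OU (or domain root) that holds your endpoints.
$SearchBase = "OU=Workstations,DC=example,DC=com"

Import-Module ActiveDirectory

function Get-BitLockerKeyAudit {
    param([Parameter(Mandatory)][string]$SearchBase)

    # msTPM-OwnerInformation is the attribute the post delegates "Write" on to SELF;
    # on older schemas it also holds the TPM owner password hash written at enrollment.
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * `
                     -Properties 'msTPM-OwnerInformation'

    foreach ($c in $computers) {
        # Each escrowed recovery password is an msFVE-RecoveryInformation object
        # that is a direct child of the computer object, so search one level down.
        $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                     -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                     -Properties 'msFVE-RecoveryGuid','whenCreated')

        $latest = if ($keys.Count -gt 0) {
            ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
        } else { $null }

        [pscustomobject]@{
            ComputerName    = $c.Name
            RecoveryKeys    = $keys.Count          # number of escrowed recovery passwords
            LatestBackup    = $latest              # when the newest one was written
            HasTpmOwnerInfo = [bool]$c.'msTPM-OwnerInformation'
        }
    }
}

# Computers with zero keys are the ones where escrow did not happen: check the TPM
# state, the task sequence "Enable BitLocker" step, and the SELF delegation for those.
Get-BitLockerKeyAudit -SearchBase $SearchBase |
    Where-Object { $_.RecoveryKeys -eq 0 } |
    Format-Table ComputerName, RecoveryKeys, LatestBackup, HasTpmOwnerInfo -AutoSize
```

Drop the Where-Object line to get the full inventory, including how many keys each computer has escrowed and when the last one was written.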

Source: Enable BitLocker, Automatically save Keys to Active Directory


  1. An alternative to the Bitlocker Recovery Password Viewer is Cobynsoft's AD Bitlocker Password Audit which allows you to view and audit all Bitlocker Recovery Passwords in your Active Directory. In addition it features a searchable and filterable gridview that allows you to quickly see which computer objects have missing recovery keys.

  2. Hi Henk, are you familiar with a solution how to run the 'manage-bde'-command to start the encryption process under a non-administrative account?