Q: Does BitLocker Drive Encryption support a recovery method that calls on Active Directory for storing the recovery information?
Windows security, BitLocker Drive Encryption (BDE), Windows Server, Active Directory (AD)
August 15, 2012
A: Yes, BitLocker Drive Encryption (BDE) supports a recovery method whereby the recovery password is automatically stored in Active Directory (AD). The BDE recovery password is a 48-digit numerical password (eight groups of six digits) that's generated when BitLocker is turned on. You can save it to a file, print it, or have it automatically saved in AD.
If you want to automatically store recovery passwords in AD, you must enable the Group Policy setting that turns on AD DS backup of BitLocker recovery information (under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption), and you must make sure that all computers can connect to your AD when they enable BitLocker. The policy also offers an option to refuse to enable BitLocker until the recovery information has been written to AD; without it, a client that cannot reach a DC encrypts anyway and its recovery password never lands in AD. Storage of BDE recovery information in AD is based on an AD schema extension that creates extra attributes and an msFVE-RecoveryInformation object class to attach BDE recovery information (and the TPM owner password) to AD computer objects. Windows Server 2008 and Windows Server 2008 R2 domain controllers (DCs) include this extension by default. On Windows Server 2003, you must install the BitLocker-specific schema extension, which you can download from the "BitLocker Deployment Sample Resources" page on the MSDN website.
To facilitate the viewing and retrieving of the BDE recovery passwords from AD, Microsoft provides a Microsoft Management Console (MMC) Active Directory Users and Computers snap-in extension. It adds a BitLocker Recovery tab to the properties of the AD computer object that shows all BDE recovery passwords associated with a particular computer. For Windows Server 2008 R2, the BitLocker Active Directory Recovery Password Viewer tool is an optional feature included in the Remote Server Administration Tools (RSAT). For Windows Server 2008, this extension can be downloaded from the Microsoft Download Center. Because the recovery password unlocks the volume outright, treat read access to the msFVE-RecoveryInformation objects as a privileged right: by default only domain administrators can read them, and if help-desk staff need the viewer you should delegate read permission on those objects deliberately rather than broaden admin group membership.
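The backup and retrieval steps above, as an added PowerShell example that is not part of the original column or of Microsoft's documentation. It assumes Windows 8/Windows Server 2012 or later on the client (for the BitLocker module cmdlets; on Windows 7 use the manage-bde commands shown in the comments), the RSAT ActiveDirectory module on the management host, and a placeholder computer name of WS01 and placeholder password ID of A1B2C3D4. The registry value names checked under the FVE policy key are the ones the BitLocker policy writes; verify them against your own policy-applied client before relying on the check.

```powershell
# Added example (not from the original column). Placeholders: WS01, A1B2C3D4.

# --- On the client: confirm the AD DS backup policy is actually in effect -----
# The "store recovery information in AD DS" policy writes values under this key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or ($fve.ActiveDirectoryBackup -ne 1 -and $fve.OSActiveDirectoryBackup -ne 1)) {
    Write-Warning 'AD DS backup of BitLocker recovery information is not enabled by policy.'
}

# --- On the client: push each recovery-password protector of C: to AD DS ------
# Needed for volumes encrypted before the policy applied or while no DC was
# reachable; new protectors are backed up automatically when the policy is on.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $recoveryProtectors) {
    # Windows 7 equivalent: manage-bde -protectors -adbackup C: -id $p.KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
}

# --- On a management host with RSAT: list what AD DS holds for the computer ---
# Each backup is a child msFVE-RecoveryInformation object of the computer object.
# Its Name is "<backup timestamp>{<protector GUID>}"; the first 8 hex digits of
# that GUID are the "Password ID" the BitLocker recovery screen displays.
$computer = Get-ADComputer -Identity 'WS01'
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, 'msFVE-RecoveryPassword'

# --- Help-desk lookup by Password ID when the caller cannot name the machine ---
# Searches the whole domain; the wildcard matches the GUID prefix inside Name.
$passwordId = 'A1B2C3D4'
Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$passwordId-*))" `
    -Properties 'msFVE-RecoveryPassword' |
    Select-Object DistinguishedName, 'msFVE-RecoveryPassword'
```

The second and third sections require read access to msFVE-RecoveryPassword, which by default only domain administrators have; running them under a delegated help-desk account is the quickest way to confirm that your delegation actually works. The DistinguishedName returned by the Password ID lookup identifies the computer (it is the parent of the recovery object), so a caller's Password ID can be matched to a specific machine before the password is read out.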
For more information about this topic, you can also look at the Microsoft document titled "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information."