Archive for September, 2009

UPDATED: BitLocker Recovery Password Viewer and Windows Server 2008 or Vista SP2

22/09/2009

Lately I have been working on a deployment project where the customer wanted to enable BitLocker Drive Encryption on all computers with a TPM chip. Doing that is not that big a problem. As always, I extended the Active Directory schema so the clients were able to store the BitLocker recovery password in Active Directory.

I always use this guide from Microsoft:
http://www.microsoft.com/downloads/details.aspx?familyid=3A207915-DFC3-4579-90CD-86AC666F61D4&displaylang=en

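1. Extend the AD schema: “ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .” (the -c option replaces DC=X in the LDF file with the second value, so substitute your own domain's distinguished name for DC=nttest,dc=microsoft,dc=com)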

2. Set required permissions using “cscript Add-TPMSelfWriteACE.vbs”

3. Create a GPO and link it to the computers OU, with these settings:
“Turn on BitLocker backup to Active Directory” = Enabled (verify that the Require BitLocker backup to AD DS check box is selected)
“Turn on TPM backup to Active Directory” = Enabled (verify that the Require TPM backup to AD DS check box is selected)

4. Verify the configuration using the tools and procedures described in the document.

5. Install BitLocker Recovery Password Viewer for Active Directory Users and Computers and register the DLL file.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2786fde9-5986-4ed6-8fe4-f88e2492a5bd&displaylang=en&Hash=mOWNFADTKH1Wp6mdULeEN2TfWfnzZjY8JPVp%2fzJwwJ4%2bX1GUBBWaX96E%2fXO%2bM1QeYxbbQFYjYxX1nKcvREB0sA%3d%3d

But I had a problem! I could NOT install the Viewer; it’s NOT supported on Windows Server 2008 Service Pack 2 or Windows Vista Service Pack 2, only on Service Pack 1 systems. So creating this new environment using Windows Server 2008 SP2 and Vista SP2 left me with only one option – install a Windows Vista SP1 machine (easiest, for me!)

So if you want to view the recovery keys from a graphical user interface, you will have to install either a server running Windows Server 2008 SP1 or a client running Windows Vista SP1 with the RSAT tools installed.

I will update this article when the BitLocker Recovery Password Viewer is supported in a Service Pack 2 environment.

Notes:
When a client stores the recovery password in Active Directory, the information sent is protected by Kerberos, and the keys in Active Directory are protected by ACLs.

How to use the BitLocker Recovery Password Viewer:
http://support.microsoft.com/default.aspx/kb/928202
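
The verification in step 4 can also be done without the Viewer. The script below is an added example, not part of the original post or the Microsoft guide: it reports which computers in an OU have BitLocker recovery objects and TPM owner information stored in Active Directory, without reading the secrets themselves. It assumes the ActiveDirectory PowerShell module (RSAT), an account that the ACLs allow to see these attributes, and a placeholder OU path; the function name Get-BitLockerBackupStatus is made up for this example.

```powershell
# Added example: audit BitLocker/TPM backup to AD (not code from the original post).
# Assumes the ActiveDirectory module (RSAT) and the schema extension from step 1.
Import-Module ActiveDirectory

# Placeholder OU: replace with the OU the GPO from step 3 is linked to.
$SearchBase = 'OU=Computers,DC=example,DC=com'

function Get-BitLockerBackupStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Presence filter only: the TPM owner information value is never retrieved.
    # The attribute is ACL-protected, so an account without rights sees no matches.
    $withTpm = @(Get-ADComputer -SearchBase $SearchBase `
            -LDAPFilter '(msTPM-OwnerInformation=*)' |
        ForEach-Object { $_.DistinguishedName })

    foreach ($c in Get-ADComputer -SearchBase $SearchBase -Filter *) {
        # Each BitLocker backup is a child object of the computer account,
        # of class msFVE-RecoveryInformation. Only whenCreated is requested;
        # msFVE-RecoveryPassword is deliberately not read.
        $recovery = @(Get-ADObject -SearchBase $c.DistinguishedName `
                -SearchScope OneLevel `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -Properties whenCreated)

        $latest = $recovery | Sort-Object whenCreated -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Computer        = $c.Name
            RecoveryObjects = $recovery.Count
            LatestBackup    = if ($latest) { $latest.whenCreated } else { $null }
            TpmOwnerInfoSet = $withTpm -contains $c.DistinguishedName
        }
    }
}

# List only the machines where a backup is missing.
Get-BitLockerBackupStatus -SearchBase $SearchBase |
    Where-Object { $_.RecoveryObjects -eq 0 -or -not $_.TpmOwnerInfoSet } |
    Format-Table -AutoSize
```

A computer listed here either has not applied the GPO yet or was encrypted before the backup policy was in place.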

 

************UPDATE**************

Microsoft has just released KB928202 – BitLocker Recovery Password Viewer for Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=16088271-f95d-4c5c-9ea9-03746c96ffff

***********************************

Original post:
http://scug.dk/blogs/windowsserver/archive/2009/09/19/bitlocker-recovery-password-viewer-and-windows-server-2008-or-vista-sp2.aspx

Categories: Windows Server

System Center Configuration Manager 2007 R3

Today Microsoft has announced that we will have an R3 (what?) release of System Center Configuration Manager 2007. The R3 version will be ready in the first quarter of 2010.

Read more at the System Center Team blog.
http://blogs.technet.com/systemcenter/archive/2009/09/08/announcing-system-center-configuration-manager-2007-r3.aspx

Categories: ConfigMgr

Trouble with Group Policy Preferences – New rollup hotfix released!

After struggling with Group Policy Preferences in a Windows Vista SP2 environment lately, my good friend Ronni Pedersen discovered a new KB yesterday, released on 1 September 2009. I hope all my problems will now disappear. Read more in the KB.

http://support.microsoft.com/kb/974266

Categories: Group Policy