BitLocker password recovery viewer

Anyone deploying Windows 7 to UNI portable computers should consider installing the Enterprise version (instead of Business which ships with most new Dells — our Microsoft Campus Agreement entitles us to install Enterprise on UNI-owned systems) and enabling full-disk encryption using Microsoft’s Bit Locker.

New-ish hardware will have hardware trusted platform module (TPM) which makes this job trivial (For Dell notebooks, I think anything newer than July 2006 – starting with the Latitude D620 has TPM). 

Install Windows 7 Enterprise, join to Active Directory, and then go into control panel and turn it on (expect a few hours for your disk to be encrypted – during which time the system will be notably slower).

We have automatic escrowing of Bit Locker encryption keys in – so if you do something to the machine (update BIOS, move the hard disk into another computer, etc.) you can find the recover key easily: If you are an OU Administrator for your division/department, the newer Remote Server Assistant Tools have an additional feature selection for "bit locker password recover viewer" which when enabled will display an additional tab on each computer object property.  (Thanks to Nate K. for pointing this out to me, the feature doesn’t work until an Enterprise Admin enables it on at least one domain controller).  If for some odd reason that extra tab bothers you (it displays on all computers, whether you have BL turned on or not) – uncheck the feature for RSAT-Bit Locker Password Recover Viewer and it will be hidden.



Once you enable it – this is what it should look like in Active Directory Users and Computers (ADUC, aka dsa.msc)



If you are wondering who has the ability to see these recovery keys: only Domain Admins can see all computers.  OU Administrators can see the computers insider their OU boundaries.  Standard users can not see any recovery keys, unless you delegate that right (or modify security permissions on those computer objects).

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply