Friday, January 12, 2007 6:10 AM mika

Guide for Configuring AD to Back up BitLocker and TPM Recovery Information

The above guide is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. Go and get it! The package contains:

  • An excellent 48-page guide
  • LDIF file for extending Windows Server 2003 SP1/R2 schema
  • Script for modifying the ACLs on computer objects so they can store TPM information, and another for listing those permissions
  • Script for accessing BitLocker recovery info in AD
  • Script for accessing TPM recovery info in AD

According to the document, this schema update is supported for production use.
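The point of the whole exercise is that the recovery password actually ends up under the computer object, so it is worth having a way to confirm that for a given machine. The following is an added example of my own (not one of the scripts in the Microsoft package): it uses ADSI from PowerShell to find a computer object and list the msFVE-RecoveryInformation child objects the schema extension makes possible. It assumes the schema has been extended as the guide describes, that the account running it can read msFVE-RecoveryPassword, and that the computer name passed in is the sAMAccountName without the trailing "$".

```powershell
# Added example: verify that BitLocker recovery information for a computer
# was backed up to Active Directory (not part of the guide's package).
# Assumes the BitLocker/TPM schema extension has been applied and the caller
# has read access to the msFVE-RecoveryPassword attribute.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,        # sAMAccountName without the trailing '$'
    [switch]$ShowPassword         # off by default: report presence only
)

# Locate the computer object in the current domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$computer = $searcher.FindOne()
if (-not $computer) { throw "Computer '$ComputerName' not found in AD." }

# Recovery information is stored as child objects of the computer object,
# one msFVE-RecoveryInformation object per recovery password.
$child = New-Object System.DirectoryServices.DirectorySearcher
$child.SearchRoot  = $computer.GetDirectoryEntry()
$child.SearchScope = 'OneLevel'
$child.Filter = '(objectClass=msFVE-RecoveryInformation)'
[void]$child.PropertiesToLoad.AddRange(@(
    'name', 'whenCreated', 'msFVE-RecoveryGuid',
    'msFVE-VolumeGuid', 'msFVE-RecoveryPassword'))
$results = $child.FindAll()

if ($results.Count -eq 0) {
    Write-Warning "No BitLocker recovery information stored for $ComputerName; the AD backup did not happen."
    return
}

foreach ($r in $results) {
    $p = $r.Properties   # ADSI lowercases attribute names in this collection
    # GUIDs are stored as octet strings; convert them for readability.
    $recoveryGuid = New-Object Guid (, [byte[]]$p['msfve-recoveryguid'][0])
    $volumeGuid   = New-Object Guid (, [byte[]]$p['msfve-volumeguid'][0])
    [pscustomobject]@{
        Computer     = $ComputerName
        Created      = $p['whencreated'][0]
        VolumeGuid   = $volumeGuid
        RecoveryGuid = $recoveryGuid      # its leading characters are the password ID shown on the recovery screen
        HasPassword  = [bool]$p['msfve-recoverypassword'][0]
        Password     = $(if ($ShowPassword) { $p['msfve-recoverypassword'][0] } else { '<hidden>' })
    }
}
```

Run it as `.\Check-BitLockerBackup.ps1 -ComputerName LAPTOP01` (file name is mine) right after enabling BitLocker on a machine; an empty result means the policy-driven backup never happened and the recovery password exists only on whatever the user saved it to. The password itself is hidden unless `-ShowPassword` is given, so the script can be handed to helpdesk staff for the "did it back up?" question without exposing key material in scrollback or logs.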

In addition to the tools in the package, you should also look at the versatile manage-bde.wsf script included in Vista. Although this script can enable BitLocker encryption on partitions other than the boot partition (the one containing Windows), I wouldn't recommend it, since additional steps are required and key recovery is rather complex. http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html includes a concise summary of the steps.

Now if only more manufacturers would make updated BIOS versions available so the TPM can be used. So far, I've played around with a Lenovo ThinkPad T60 (BIOS versions 2.06 and 2.07) and it's working perfectly :)

