Managing the TPM and BitLocker in the Enterprise

BitLocker and Active Directory

In a medium or large business setting, management of computers and keys becomes a huge issue. While you might be able to keep track in your head or in an Excel spreadsheet what the recovery passwords are for 10 or even 20 computers, it becomes harder with 100 or 500, and you are in a totally different universe if you manage tens of thousands.

In a Windows network, most administrators rely on Active Directory (now named Active Directory Domain Services in Windows Server "Longhorn") to manage computers and users. BitLocker leverages Active Directory in two ways: by using Group Policy to manage BitLocker options, and by storing recovery information in Active Directory. (Configuring BitLocker with Group Policy is covered later in this chapter.)

The logical place for an enterprise to store the recovery password for BitLocker-protected computers is Active Directory. For each BitLocker-enabled volume, BitLocker will create an object named ms-FVE-RecoveryInformation that stores the BitLocker recovery password and related information. For each computer using BitLocker with a TPM, another object named ms-TPM-OwnerInformation is used to store the TPM password (the TPM password is not normally needed to be used by most users). These objects will be subobjects of the computer object.

BitLocker will automatically create these objects and use Active Directory Domain Services to safeguard the recovery information once you have configured AD DS to do so.

In order to store the recovery password in AD DS you need to:

1. Make sure that all domain controllers (DCs) are running Windows Server 2003 SP1 or newer. All DCs that can be used by BitLocker clients must be at this level.

2. Make sure you have the appropriate permissions in the domains and forest to complete the following steps.

3. Extend the Active Directory schema with the BitLocker object and attribute definitions. (Note: if you have installed a DC running Windows Server "Longhorn," Beta 3, or newer, doing so has already extended the schema.)

4. Set permissions on the schema objects allowing computers to back up their own TPM recovery information. The easiest way to do this is with a script file from Microsoft.

5. Configure a Group Policy object to enable the automatic backup of recovery information. (Group Policy options for BitLocker are discussed later in this chapter.) The two specific settings are:

   • Computer Configuration Administrative Templates Windows Components BitLocker Drive Encryption Turn on BitLocker backup to Active Directory Domain Services

   • Computer Configuration Administrative Templates System Trusted Platform Module Services Turn on TPM backup to Active Directory Domain Services

By the time Windows Vista is available, Microsoft will also publish a detailed guide on how to configure Active Directory Domain Services. It is expected to include any required scripts or schema extension definition files.