
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information

Microsoft Corporation

Published: December 2006

Abstract

Windows® BitLocker™ Drive Encryption (BitLocker) is a new feature in the Windows Vista™ and Microsoft® Windows Server® Code Name "Longhorn" operating systems that provides better offline data protection for your computer. This feature is enhanced by the use of a Trusted Platform Module (TPM).

This guide includes requirements and procedures for configuring Active Directory® in Microsoft Windows Server® 2003 to support the recovery of information protected by BitLocker, with or without the use of a TPM.


Information in this document, including URL and other Internet Web site references, is

subject to change without notice. Unless otherwise noted, the example companies,

organizations, products, domain names, e-mail addresses, logos, people, places, and

events depicted herein are fictitious, and no association with any real company,

organization, product, domain name, e-mail address, logo, person, place, or event is

intended or should be inferred. Complying with all applicable copyright laws is the

responsibility of the user. Without limiting the rights under copyright, no part of this

document may be reproduced, stored in or introduced into a retrieval system, or

transmitted in any form or by any means (electronic, mechanical, photocopying,

recording, or otherwise), or for any purpose, without the express written permission of

Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other

intellectual property rights covering subject matter in this document. Except as expressly

provided in any written license agreement from Microsoft, the furnishing of this document

does not give you any license to these patents, trademarks, copyrights, or other

intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

Active Directory, BitLocker, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows,

Windows NT, Windows Server, and Windows Vista are either registered trademarks or

trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks

of their respective owners.


Contents

Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information
  Overview
    Required files
  Background
    Storage of BitLocker recovery information in Active Directory
    Storage of TPM recovery information in Active Directory
  Configuring Active Directory
    Check general prerequisites
    Extend the schema
    Set the required permissions for backing up TPM password information
    Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory
  Testing Your Active Directory Configuration
    Testing backup with Windows Vista
    Sample test scenario with Windows Vista
  Troubleshooting Common Problems
    Access permission problems
    Script errors
      Get-TPMOwnerInfo.vbs
      General
  Questions and Answers
    Is this schema part of Windows Server "Longhorn"?
    Can I apply the schema update to a Windows Server 2003-based domain controller?
    Is this schema supported by Microsoft for production use?
    Is there an event log entry recorded on the client to indicate the success or failure of the Active Directory backup?
    What if BitLocker is enabled on a computer before the computer has joined the domain?
    What happens if the backup initially fails? Will BitLocker retry?
    Does BitLocker encrypt recovery information as it is sent to Active Directory?
Appendix A: Checking BitLocker and TPM Schema Objects
Appendix B: Sample Ldifde output
  Sample Output
Appendix C: Default Permissions for a Computer Object
Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
  File contents
Appendix E: Add-TPMSelfWriteACE.vbs File Contents
  File contents
Appendix F: Sample Test Scripts
  List-ACEs.vbs
    File contents
  Get-TPMOwnerInfo.vbs
    File contents
  Get-BitLockerRecoveryInfo.vbs
    File contents


Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information

Overview

This document describes how to configure Active Directory® to back up recovery information for Windows® BitLocker™ Drive Encryption (BitLocker) and the Trusted Platform Module (TPM). Recovery information includes the recovery password for each BitLocker-enabled volume, the TPM owner password (stored as a hash of the owner password), and the information required to identify which computers and volumes the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

Note

Active Directory is known as Active Directory Domain Services in Microsoft® Windows Server® Code Name "Longhorn".

Backing up recovery passwords for a BitLocker-protected disk volume allows administrators to recover the volume if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

Important

You can save recovery information in Active Directory if your domain controllers are running Microsoft® Windows Server® 2003 with Service Pack 1 (SP1), Windows Server 2003 R2, or Windows Server "Longhorn". You cannot save recovery information in Active Directory if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

If you are testing a pre-release version of Windows Server "Longhorn", follow the same process described for Windows Server 2003 with SP1 or later, with one exception: if you have installed the Beta 3 release of Windows Server "Longhorn" or newer, you do not need to update the schema as described later in this document.

Important

Perform these steps in a test or pre-production environment prior to rolling out to production environments.

Required files

The following sample scripts and LDF file available from Microsoft are required to configure Active Directory for backing up recovery information:

- Add-TPMSelfWriteACE.vbs
- BitLockerTPMSchemaExtension.ldf
- List-ACEs.vbs
- Get-TPMOwnerInfo.vbs
- Get-BitLockerRecoveryInfo.vbs

To download the files, see http://go.microsoft.com/fwlink/?LinkId=78953. The contents of these files and other useful information are included in the following appendices:

- Appendix A: Checking BitLocker and TPM Schema Objects
- Appendix B: Sample Ldifde output
- Appendix C: Default Permissions for a Computer Object
- Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
- Appendix E: Add-TPMSelfWriteACE.vbs File Contents
- Appendix F: Sample Test Scripts

Note

If you tested a pre-release or beta version of Windows Vista and configured your Active Directory installation with earlier versions of the scripts or schema extensions, you must ensure that you use the final, released versions of these files. In addition, if an earlier version of the scripts added BitLocker-related access control entries (ACEs) to your domain, you must remove those previously added ACEs before proceeding; List-ACEs.vbs shows which BitLocker- and TPM-related ACEs are present.

Background

This section provides information about how BitLocker and TPM recovery information can be backed up in Active Directory.

By default, no recovery information is backed up. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has been extended with the necessary storage locations and that access permissions have been granted to perform the backup.

You should also configure Active Directory before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be added to Active Directory. For more information, see the section Questions and Answers later in this document.

Storage of BitLocker recovery information in Active Directory

Backed up BitLocker recovery information is stored in a child object of the Computer object. That is, the Computer object is the container for a BitLocker recovery object. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each Computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.

The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The form is:

<Object Creation Date and Time><Recovery GUID>

For example:

2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

The BitLocker recovery object is an instance of the schema class ms-FVE-RecoveryInformation (LDAP display name msFVE-RecoveryInformation). Each ms-FVE-RecoveryInformation object has the following attributes:

ms-FVE-RecoveryPassword

This attribute contains the 48-digit recovery password used to recover a BitLocker-encrypted disk volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.

ms-FVE-RecoveryGuid

This attribute contains the GUID associated with a BitLocker recovery password. In BitLocker's recovery mode, this GUID is displayed to the user so that the correct recovery password can be located to unlock the volume. This GUID is also included in the name of the recovery object.

ms-FVE-VolumeGuid

This attribute contains the GUID associated with a BitLocker-supported disk volume. While the recovery password identifier (stored in ms-FVE-RecoveryGuid) is unique for each recovery password, this volume identifier is unique for each BitLocker-encrypted volume, so several recovery objects for the same volume share one ms-FVE-VolumeGuid value.

ms-FVE-KeyPackage

This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. With this key package and the recovery password (stored in ms-FVE-RecoveryPassword), you can decrypt portions of a BitLocker-protected volume if the disk is corrupted. Each key package will work only for a volume that has the corresponding volume identifier (stored in ms-FVE-VolumeGuid). You must use a specialized tool to make use of this key package.

If you tested BitLocker and Windows Vista prior to its release, note the following changes that were made to the attributes of the recovery object since pre-release or beta versions of Windows Vista:

- GUIDs added to the global catalog to facilitate forest-wide searches (isMemberOfPartialAttributeSet)
- Use of the confidential bit for GUID attributes (bit 128 of searchFlags) removed
- Size of each attribute restricted to minimize replication slowdowns in the case of a flooding attack on the Active Directory database (rangeUpper)
- Updated attribute descriptions for clarity (adminDescription)
- Additional bit set to save attribute values when creating copies of objects (bit 16 of searchFlags)
- Additional bit set to create a per-container index for GUID attributes (bit 2 of searchFlags)

For more details about attribute syntax, see the schema extension file in Appendix D: BitLockerTPMSchemaExtension.ldf File Contents.
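The two identifiers above are what a recovery actually turns on: the recovery screen shows the ms-FVE-RecoveryGuid, and an administrator has to find the object carrying that GUID under the right Computer object. The following PowerShell is an added example, not part of this guide or of the scripts it ships with: it splits a recovery object name into its two fixed-width parts and looks up the recovery password from the GUID the user reads out. It assumes the ActiveDirectory PowerShell module (part of RSAT on later Windows versions); the function names, the computer name and the GUID prefix in the example call are assumptions.

```powershell
# Added example: not part of the Microsoft guide or its sample scripts.
# Assumes the ActiveDirectory PowerShell module; function names are invented.

function Split-FveRecoveryObjectName {
    # Name format: <Object Creation Date and Time><Recovery GUID>
    # 25 characters of ISO 8601 timestamp + 38 characters of braced GUID = 63.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name.Length -ne 63 -or $Name[25] -ne '{') {
        throw "Unexpected recovery object name format: '$Name'"
    }
    [pscustomobject]@{
        Created      = [datetimeoffset]::Parse($Name.Substring(0, 25))
        RecoveryGuid = [guid]$Name.Substring(25, 38)
    }
}

# The guide's own sample object name.
Split-FveRecoveryObjectName '2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}'

function Find-FveRecoveryPassword {
    # $PasswordIdPrefix: the first 8 hex characters of the GUID shown on the recovery screen.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix
    )
    Import-Module ActiveDirectory
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    # Recovery objects are direct children of the Computer object, and the GUID is part of
    # the object name, so a wildcard on cn avoids building a binary filter on msFVE-RecoveryGuid.
    Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))" `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid |
    ForEach-Object {
        [pscustomobject]@{
            Computer         = $ComputerName
            Created          = (Split-FveRecoveryObjectName $_.Name).Created
            RecoveryGuid     = [guid]$_.'msFVE-RecoveryGuid'     # octet string -> Guid
            VolumeGuid       = [guid]$_.'msFVE-VolumeGuid'
            # 48-digit password; a confidential attribute, so it is returned only to
            # callers holding Control Access on it (domain administrators by default).
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Example call (computer name and prefix are assumptions):
# Find-FveRecoveryPassword -ComputerName 'VISTA-PC' -PasswordIdPrefix '063EA4E1'
```

If the lookup returns more than one object, compare the Created timestamps and the full RecoveryGuid with what the recovery screen shows; a volume can have several recovery passwords, and only the one whose GUID matches will unlock it.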

Storage of TPM recovery information in Active Directory

There is only one TPM owner password per computer. When the TPM is initialized or when this password is changed, the hash of the TPM owner password is backed up as an attribute of the Computer object.

The common name (cn) of the attribute's schema object is ms-TPM-OwnerInformation; its LDAP display name is msTPM-OwnerInformation.

Configuring Active Directory

Complete the following tasks to configure Active Directory to back up BitLocker and TPM recovery information.

Check general prerequisites

Check the following prerequisites:

1. All domain controllers accessible by BitLocker-capable clients are running Windows Server 2003 with SP1 or later. To check, on each domain controller click Start, right-click My Computer, click Properties, and then look at the General tab.

Important

If the General tab lists Windows Server 2003 but no service pack information, you need to upgrade. For more information about upgrading to Windows Server 2003 with SP1, see http://go.microsoft.com/fwlink/?LinkID=43106.

Important

The use of domain controllers running Windows 2000 Server or Windows Server 2003 without SP1 to back up BitLocker or TPM recovery information has not been tested and is not supported. Furthermore, these earlier operating systems lack the Active Directory confidential flag feature used to protect access to BitLocker and TPM recovery information.

The confidential flag is a feature available in Windows Server 2003 with SP1 and later. Reading an attribute marked confidential requires the Control Access right on that attribute in addition to the ordinary Read Property right, so by default only domain administrators and accounts to which that right has been explicitly delegated can read it. The BitLocker and TPM schema extension marks selected attributes as "confidential" using the "searchFlags" property. For more information about this flag, see "How the Active Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkID=79649).

BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed environments (or upgraded), because such a domain controller ignores the confidential flag and enforces only the ordinary Read Property permission on the backed up BitLocker and TPM information.

2. You have domain administrator privileges for the target forest.

3. You have obtained the following files:

- BitLockerTPMSchemaExtension.ldf
- Add-TPMSelfWriteACE.vbs

Extend the schema

The following procedure extends the schema to allow information to be saved in Active Directory.

If you have installed a domain controller running Windows Server "Longhorn" Beta 3 or later, doing so has automatically performed the required extensions to the schema, and you do not need to complete this procedure.

If you have installed a domain controller running Windows Server "Longhorn" Beta 2, you must upgrade the schema to sch39 or later, or complete the following procedure.

To extend the Active Directory schema with BitLocker and TPM attributes

1. Log on with a domain account in the Schema Admins group. This account must be used to extend the schema. By default, the built-in Administrator account in the forest root domain is part of the Schema Admins group. For more information, see the section "Granting access rights to make schema changes" in "How the Active Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkID=79649).

2. Check that your Windows Server installation enables schema updates. In Windows Server 2003, Active Directory schema updates are enabled by default. For more information, including the steps required to enable schema updates, see article 285172 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79644).

3. Check that you have access to the domain controller that is the schema operations master in the Active Directory forest. Schema updates can only be performed at the schema operations master.

4. Review BitLockerTPMSchemaExtension.ldf, the LDIF file containing the schema extension. For background information about the changes made by the schema extension, see Background earlier in this document. For reference information about schema extensions, see "How the Active Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkId=79649).

5. Use the Ldifde command-line tool to extend the schema on the domain controller that serves as the schema operations master. For example, to import the schema extension on a domain named nttest.microsoft.com, log on as a user in the Schema Admins group, and then type the following at a command prompt, as a single line:

   ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .

The trailing period (".") is part of the command. The -c "DC=X" "DC=nttest,dc=microsoft,dc=com" pair replaces every occurrence of the placeholder DC=X in the LDF file with the distinguished name of your forest root domain; use the forest root, not a child domain, because the schema partition lives under CN=Configuration of the forest root. The use of -k suppresses "Object Already Exists" errors if portions of the schema already exist, so check the log for any other errors. The use of -j . saves an extended log file to the current working directory.

For more information about Ldifde parameters, see article 237677 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79650). Sample output from running this command is included in Appendix B: Sample Ldifde output later in this document.
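As an added example that is not part of this guide, the following PowerShell wraps the same Ldifde import with the two checks the procedure asks for (schema master, forest root DN) and then confirms that the new schema objects exist, decoding the searchFlags bits named under Background (2, 16 and 128) so you can see which attributes actually carry the confidential flag. It assumes the ActiveDirectory PowerShell module and a Schema Admins account on the schema operations master; the LDF path is an assumption.

```powershell
# Added example, not part of the guide. Run as a Schema Admins member on the schema
# operations master. Assumes the ActiveDirectory module; $ldf path is an assumption.
Import-Module ActiveDirectory

$ldf = 'C:\BitLocker\BitLockerTPMSchemaExtension.ldf'

$rootDse      = Get-ADRootDSE
$schemaFsmo   = (Get-ADForest).SchemaMaster            # FQDN of the schema operations master
$forestRootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# 1. Schema updates are only accepted at the schema operations master.
$here = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($here -ne $schemaFsmo) {
    throw "Run this on the schema master ($schemaFsmo); this host is $here"
}

# 2. The guide's Ldifde command. -c rewrites DC=X to the forest root DN (the schema
#    partition lives under CN=Configuration of the forest root; a child domain DN is wrong here).
#    -k ignores 'Object Already Exists'; -j . writes ldif.log to the current directory.
& ldifde.exe -i -v -f $ldf -c 'DC=X' $forestRootDn -k -j .
if ($LASTEXITCODE -ne 0) { throw "ldifde exited with $LASTEXITCODE; see .\ldif.log" }

# 3. Verify the objects exist in the schema partition and decode their searchFlags.
$SF_CONTAINER_INDEX = 2     # per-container index
$SF_COPY_ON_DUP     = 16    # value copied when an object is duplicated
$SF_CONFIDENTIAL    = 128   # confidential: read needs Control Access, not just Read Property

$expected = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
            'msFVE-VolumeGuid', 'msFVE-KeyPackage', 'msTPM-OwnerInformation'

foreach ($ldapName in $expected) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties objectClass, searchFlags, schemaIDGUID
    if (-not $obj) { Write-Warning "$ldapName is not in the schema"; continue }

    if ($obj.ObjectClass -eq 'classSchema') {
        '{0,-28} class      schemaIDGUID={1}' -f $ldapName, [guid]$obj.schemaIDGUID
        continue
    }
    $sf = [int]$obj.searchFlags
    '{0,-28} attribute  searchFlags={1,4}  confidential={2,-5} copyOnDup={3,-5} containerIndex={4}' -f `
        $ldapName, $sf,
        [bool]($sf -band $SF_CONFIDENTIAL),
        [bool]($sf -band $SF_COPY_ON_DUP),
        [bool]($sf -band $SF_CONTAINER_INDEX)
}
```

Expect the password and owner-information attributes to report confidential while the GUID attributes do not, which matches the list of changes under Background; if ms-FVE-RecoveryPassword or ms-TPM-OwnerInformation shows confidential=False, the wrong (pre-release) LDF was imported.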

Set the required permissions for backing up TPM password information

The following procedure adds an access control entry (ACE) so that backing up TPM recovery information is possible.

A Windows Vista client can back up BitLocker recovery information under the Computer object's default permissions. However, a Windows Vista client cannot back up TPM owner information unless this additional ACE is added, because ms-TPM-OwnerInformation is an attribute of the Computer object itself, which the computer account (SELF) is not allowed to write by default.

Appendix C: Default Permissions for a Computer Object, later in this document, describes the default Active Directory permissions on the Computer class object that contains the BitLocker recovery information class and the TPM owner information attribute.

To add an ACE to allow TPM recovery information to be backed up

1. Review Add-TPMSelfWriteACE.vbs, the sample script containing the permission extension.

2. Type the following at a command prompt, and then press ENTER:

   cscript Add-TPMSelfWriteACE.vbs

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for Computer objects in the domain. It grants Write Property on that one attribute only; it grants no right to read the attribute back, so a computer can deposit its owner information but cannot retrieve it.

For additional reference information, see "Using Scripts to Manage Active Directory Security" (http://go.microsoft.com/fwlink/?LinkId=79652).

The sample script provided operates under the following assumptions:

- You have domain administrator privileges to set permissions for the top-level domain object.

- Your target domain is the same as the domain for the user account running the script. For example, running the script as TESTDOMAIN\admin will extend permissions for TESTDOMAIN. You might need to modify the sample script if you want to set permissions for multiple domains but do not have domain administrator accounts for each of those domains. Find the variable strPathToDomain in the script and modify it for your target domain, for example:

  "LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"

- Your domain is configured so that permissions inherit from the top-level domain object to the targeted Computer objects. Permissions will not go into effect if any container in the hierarchy does not allow inherited permissions from the parent. By default, Active Directory enables inheritance of permissions. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permission. You can then verify your configuration as described later in this document, or by clicking the Effective Permissions button while viewing the properties of a Computer object to check that SELF can write the ms-TPM-OwnerInformation attribute.

Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory

These instructions are for configuring the local policy on a Windows Vista client computer. In a production environment, you would likely edit a Group Policy object (GPO) that applies to computers in the domain instead.

For more information about configuring Windows Vista GPOs in the domain, see the "Managing Group Policy ADMX Files Step by Step Guide" (http://go.microsoft.com/fwlink/?LinkId=79653).

Note

We recommend that you keep the default options when you enable each Group Policy setting. Be sure to read the Explain text before making any changes.

To enable the local policy settings to back up BitLocker and TPM recovery information to Active Directory

1. Log on to the computer as an administrator.

2. Click Start, type the following in the Start Search box, and then press ENTER:

   gpedit.msc

3. To enable the Group Policy setting to back up BitLocker recovery information to Active Directory:

   a. Open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.
   b. In the right pane, double-click Turn on BitLocker backup to Active Directory.
   c. Select the Enabled option.
   d. Verify that the Require BitLocker backup to AD DS check box is selected.

4. To enable the Group Policy setting to back up TPM recovery information to Active Directory:

   a. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.
   b. In the right pane, double-click Turn on TPM backup to Active Directory.
   c. Select the Enabled option.
   d. Verify that the Require TPM backup to AD DS check box is selected.
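Once a GPO carries these two settings, the thing to verify on a client is not the editor but what the policy engine actually wrote. The following PowerShell is an added example, not part of this guide: it reads the policy registry values behind the two settings and reports, for each, whether backup is enabled and whether it is required. The key paths and value names come from the BitLocker (FVE) and TPM administrative templates rather than from this guide, so treat them as assumptions to confirm against the ADMX files in your environment; the function name is invented.

```powershell
# Added example, not part of the guide. Reads what the two policy settings above write
# on a Windows client. Key paths and value names are taken from the BitLocker (FVE) and
# TPM administrative templates, not from this guide, and are assumptions to verify.
function Test-RecoveryBackupPolicy {
    $targets = @(
        @{ Feature = 'BitLocker'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' },
        @{ Feature = 'TPM';       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' }
    )
    foreach ($t in $targets) {
        # An absent key means the setting is Not Configured, which for both settings means no backup.
        $p = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
        $enabled  = [bool]$p.ActiveDirectoryBackup
        $required = [bool]$p.RequireActiveDirectoryBackup
        if (-not $enabled)      { $status = 'no backup: recovery information exists only where the user saved it' }
        elseif (-not $required) { $status = 'best effort: BitLocker/TPM setup proceeds even if the backup fails' }
        else                    { $status = 'required: setup is blocked until AD DS confirms the write' }
        [pscustomobject]@{
            Feature  = $t.Feature
            Key      = $t.Key
            Enabled  = $enabled
            Required = $required
            Status   = $status
        }
    }
}
Test-RecoveryBackupPolicy | Format-Table -AutoSize -Wrap
```

Run it after a policy refresh (gpupdate /force) on the client. The distinction it makes between "best effort" and "required" is the one that matters operationally: with the Require check box cleared, a client that cannot reach a domain controller still turns on BitLocker, and Active Directory never learns the recovery password for that volume.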

Testing Your Active Directory Configuration

By joining Windows Vista-based client computers to the domain that you just configured and enabling BitLocker, you can test whether BitLocker and TPM recovery information is backed up to Active Directory successfully.

All user interfaces and programming interfaces within the BitLocker and TPM Management features adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) is automatically backed up to Active Directory whenever this information is created or changed.

If you select the option to require backup, initializing the TPM or enabling BitLocker through any method is blocked until the backup succeeds. In that case, no one will be allowed to turn on BitLocker or initialize the TPM unless the domain controller is configured correctly, the client computer has network connectivity to the domain controller, and no other errors occur during the backup process. If you leave the requirement cleared, the client proceeds even when the backup fails, and Active Directory then holds no recovery information for that volume or TPM.

Testing backup with Windows Vista

You should use a Windows Vista-based client computer to test backup.

BitLocker recovery information is backed up when you:

- Create a recovery password during BitLocker setup, using the wizard available through the Control Panel.
- Create a recovery password after the disk has already been encrypted, using the manage-bde.wsf command-line tool.

TPM recovery information is backed up when you:

- Set the TPM owner password during TPM initialization.
- Change the TPM owner password.

Sample test scenario with Windows Vista

This sample test scenario illustrates how to verify your Active Directory configuration using Windows Vista. The sample scripts you downloaded assist in the test process.

Important

You should perform additional tests as required to satisfy yourself that everything is working correctly in your environment; do not assume that this scenario will completely test all aspects of your configuration.

Test scenarios can also vary based on your organization's policies. For example, in organizations where users are the Creator Owner of Computer objects they join to the domain, it might be possible for these users to read the TPM owner information for their own Computer objects.

To perform a sample test

1. Log on to a domain controller as a domain administrator.

2. Copy the sample script files to a suitable location.

3. Open a command prompt window and change the default location to the location of the sample script files.

4. At the command prompt, type the following:

   cscript List-ACEs.vbs

   Expected output: Assuming the default Add-TPMSelfWriteACE.vbs was used and other deprecated ACEs have been removed, there should be only one ACE related to BitLocker and the TPM:

   Accessing
   > AceFlags: 10
   > AceType: 5
   > Flags: 3
   > AccessMask: 32
   > ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
   > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
   > Trustee: NT AUTHORITY\SELF
   1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM

   Read the numeric fields as follows: AceType 5 is an object-specific allow ACE; AceFlags 10 is CONTAINER_INHERIT_ACE (2) plus INHERIT_ONLY_ACE (8), so the ACE applies only to objects beneath the domain head and not to the domain object itself; Flags 3 means both the ObjectType and the InheritedObjectType GUIDs are present; AccessMask 32 is the Write Property right; ObjectType is the schemaIDGUID of ms-TPM-OwnerInformation, and InheritedObjectType is the schemaIDGUID of the Computer class.
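List-ACEs.vbs prints the raw numbers, which is fine for a one-off check but easy to misread. The following PowerShell is an added example, not part of this guide or its scripts: it decodes those fields with the .NET enumerations they correspond to, then performs the same check directly against the live domain object with Get-Acl, so the expected output above can be confirmed without the VBScript. It assumes the ActiveDirectory PowerShell module (for the AD: drive); the function name is invented.

```powershell
# Added example, not part of the guide or its scripts. Decodes the numbers printed by
# List-ACEs.vbs with the .NET enumerations and then looks for the same ACE on the live
# domain object. Assumes the ActiveDirectory module (for the AD: drive).
Add-Type -AssemblyName System.DirectoryServices

# GUIDs from the expected output: schemaIDGUID of ms-TPM-OwnerInformation and of the Computer class.
$tpmOwnerInfoAttr = [guid]'AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE'
$computerClass    = [guid]'BF967A86-0DE6-11D0-A285-00AA003049E2'

function ConvertFrom-ListAcesOutput {
    param([int]$AceFlags, [int]$AceType, [int]$Flags, [int]$AccessMask)
    [pscustomobject]@{
        AceFlags   = [System.Security.AccessControl.AceFlags]$AceFlags            # bit 2 ContainerInherit, bit 8 InheritOnly
        AceType    = [System.Security.AccessControl.AceType]$AceType              # 5 is the object-specific allow ACE
        Flags      = [System.Security.AccessControl.ObjectAceFlags]$Flags         # bit 1 ObjectType present, bit 2 InheritedObjectType present
        AccessMask = [System.DirectoryServices.ActiveDirectoryRights]$AccessMask  # 0x20 is WriteProperty
    }
}
ConvertFrom-ListAcesOutput -AceFlags 10 -AceType 5 -Flags 3 -AccessMask 32 | Format-List

# Live check against the domain head. InheritOnly means the ACE never applies to the
# domain object itself, only to Computer objects beneath it that inherit permissions.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$selfAces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ObjectType -eq $tpmOwnerInfoAttr -and
    $_.InheritedObjectType -eq $computerClass -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
$selfAces | Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType, IdentityReference
'{0} ACE(s) found in {1} granting SELF write to ms-TPM-OwnerInformation on Computer objects' -f @($selfAces).Count, $domainDn
```

A count of 1 reproduces the expected output. A count of 0 after running Add-TPMSelfWriteACE.vbs usually means the script ran against a different domain than intended (see the strPathToDomain assumption); a count above 1 means ACEs from earlier script versions are still present and should be removed as noted under Required files.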

14

Page 15: Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information

5. Log on as a local administrator (non-domain administrator) on a Windows Vista client joined to the domain.

6. Click Start, type the following in the Start Search box, and then press ENTER:

tpm.msc

7. Click either the Initialize TPM or Change Owner Password link.

8. Set an owner password, and select the option to back up the information by printing or saving to a file as needed.

Expected Output: The action will succeed without an error message.

9. Using this same account, open an elevated command prompt window, and then change to the folder in which you have saved a copy of the sample scripts provided with this document.

Note

To open an elevated command prompt window, right-click a command prompt shortcut, and then click Run as Administrator.

10. At the command prompt, type the following:

cscript Get-TPMOwnerInfo.vbs

Expected Output: The error "Active Directory: The directory property cannot be found in the cache." No information is displayed because a non-domain administrator should not be able to read the ms-TPM-OwnerInformation attribute.

Note

If users are the Creator Owner of Computer objects they join to the domain, it might be possible for these users to read the TPM owner information for their own Computer objects.

11. Log on as a domain administrator on the same client computer.

12. Using this domain administrator account, open an elevated command prompt window, and change to the directory in which you have saved a copy of the sample scripts provided with this document.

13. At the command prompt, type the following:

cscript Get-TPMOwnerInfo.vbs

Expected Output: A string that is the hash of the password you created earlier. As a domain administrator, you should have Read access to the ms-TPM-OwnerInformation attribute.

14. At the elevated command prompt, type the following to create a recovery password:

manage-bde -protectors -add -RecoveryPassword C:

Expected Output: The action will succeed without an error message.

15. At the command prompt, type the following to read all BitLocker child objects of the client computer's Active Directory object:

cscript Get-BitLockerRecoveryInfo.vbs

Expected Output: A domain administrator should see one or more recovery passwords, including the one created in step 14. A non-domain administrator will not be able to read these passwords.

16. Delete any created BitLocker recovery child objects using Active Directory tools such as the Active Directory Users and Computers administrative tool. By default, clients running Windows Vista do not have permissions to delete stale BitLocker recovery passwords.
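The ACE listing that step 4 of this procedure expects can be checked mechanically rather than by eye. The following Python is an added example, not one of the guide's scripts: it parses output in the format List-ACEs.vbs prints, compares every ACE with the single SELF write-property ACE that Add-TPMSelfWriteACE.vbs creates (constants and GUIDs taken from that script), and reports any extra or over-broad entry. Both listings embedded in it are constructed; the second adds a stale ACE of the kind the procedure says to remove.

```python
"""Audit List-ACEs.vbs output for the single SELF write-property ACE the guide expects (added example)."""
import re

# Values from the ADS_* enumerations used by Add-TPMSelfWriteACE.vbs.
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACEFLAG_INHERIT_ACE = 0x2
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1
ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2
# Schema GUIDs quoted in the guide.
GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

# The one ACE that should remain: SELF may write ms-TPM-OwnerInformation, inherited onto
# computer objects only, and may do nothing else.
EXPECTED_TPM_ACE = {
    "AceType": ADS_ACETYPE_ACCESS_ALLOWED_OBJECT,
    "AceFlags": ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE,
    "Flags": ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT,
    "AccessMask": ADS_RIGHT_DS_WRITE_PROP,
    "ObjectType": GUID_MS_TPM_OWNERINFORMATION,
    "InheritedObjectType": GUID_COMPUTER,
    "Trustee": "NT AUTHORITY\\SELF",
}
INT_FIELDS = {"AceType", "AceFlags", "Flags", "AccessMask"}

# Constructed listing in the format the guide shows: the expected ACE exactly as printed there.
CLEAN_LISTING = r"""
Accessing object: DC=nttest,DC=microsoft,DC=com
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
"""

# Constructed listing with a second, stale ACE of the kind the guide says to remove: it lets
# SELF create ms-FVE-RecoveryInformation children without restricting the inherited object type.
STALE_LISTING = CLEAN_LISTING + r"""
> AceFlags: 2
> AceType: 5
> Flags: 1
> AccessMask: 1
> ObjectType: {EA715D30-8F53-40D0-BD1E-6109186D782C}
> InheritedObjectType:
> Trustee: NT AUTHORITY\SELF
"""


def parse_ace_listing(text):
    """Return one dict per ACE; a new ACE starts whenever a field name repeats."""
    aces, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^>\s*(\w+):\s*(.*?)\s*$", line)
        if not m:
            continue  # headers, blank lines and the summary line are not ACE fields
        key, value = m.group(1), m.group(2)
        if key in current:
            aces.append(current)
            current = {}
        current[key] = int(value) if key in INT_FIELDS else value.upper() if key.endswith("ObjectType") else value
    if current:
        aces.append(current)
    return aces


def check_tpm_ace(ace):
    """Findings for one ACE against EXPECTED_TPM_ACE; an empty list means an exact match."""
    findings = [f"{field}: expected {expected!r}, found {ace.get(field)!r}"
                for field, expected in EXPECTED_TPM_ACE.items() if ace.get(field) != expected]
    extra = ace.get("AccessMask", 0) & ~ADS_RIGHT_DS_WRITE_PROP
    if extra:
        findings.append(f"AccessMask grants rights beyond WRITE_PROP: 0x{extra:X}")
    return findings


def audit_listing(text):
    """Summarise a listing: ACE count plus every deviation from the single expected ACE."""
    aces = parse_ace_listing(text)
    findings = [] if len(aces) == 1 else [f"expected exactly 1 ACE, found {len(aces)}"]
    for i, ace in enumerate(aces, 1):
        findings += [f"ACE {i}: {f}" for f in check_tpm_ace(ace)]
    return {"ace_count": len(aces), "findings": findings}
```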

Troubleshooting Common Problems

The following section discusses some common potential problems and their solutions.

Access permission problems

If you are able to read backed up BitLocker and TPM recovery information using a non-domain administrator account, check that you are running supported installations of Windows Server on all the domain controllers in your network.

Important

Domain controllers running Windows 2000 Server or the initial release of Windows Server 2003 are not supported for backing up BitLocker and TPM recovery information.

Script errors

You might receive an error when you run a script. The following sections explain the causes of and solutions for the most frequent script errors.

Get-TPMOwnerInfo.vbs

When running Get-TPMOwnerInfo.vbs, if an error appears stating "Active Directory: The directory property cannot be found in the cache," you do not have permission to read the TPM owner information attribute object in Active Directory.

General

If an error appears stating "The specified domain either does not exist or could not be contacted," ensure that the computer is joined to the domain and that network connectivity is available.

If an error appears stating "There is no such object on the server," check that any computer specified by name on the command line is currently connected to the network.

Errors are accompanied by the line number in which the error occurred. Consult the script source code to assist in troubleshooting the issue.

Questions and Answers

This section includes related questions that the BitLocker team has fielded since the first release of this document.

Is this schema part of Windows Server "Longhorn"?

Yes, the schema is part of Windows Server "Longhorn". Windows Server "Longhorn" Beta 2 contains the objects that will allow backup of all BitLocker and TPM recovery information in pre-release versions of Windows Vista. The schema update for the released version of Windows Vista matches the changes planned for Windows Server "Longhorn" Beta 3.

Can I apply the schema update to a Windows Server 2003-based domain controller?

Microsoft supports BitLocker schema extensions only on Windows Server 2003 with SP1 and later and in Windows Server "Longhorn". The first release of Windows Server 2003 does not include the confidential flag feature that appropriately locks down access to backed up recovery information.

Is this schema supported by Microsoft for production use?

Yes, this schema is supported through your normal support channels. For more information about Microsoft support options, see http://go.microsoft.com/fwlink/?LinkID=76619.

Is there an event log entry recorded on the client to indicate the success or failure of the Active Directory backup?

An event log entry that indicates the success or failure of an Active Directory backup is recorded on the client.


However, this log entry is only useful to an extent. Even though an event log entry says "Success," the information could have been subsequently removed from Active Directory, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. Ultimately, determining whether a legitimate backup exists in Active Directory requires querying Active Directory with domain administrator credentials.

What if BitLocker is enabled on a computer before the computer has joined the domain?

You might wonder what happens if BitLocker is enabled on a computer before Group Policy has been applied to enforce backup. Will the recovery information automatically be backed up to Active Directory when the computer joins the domain or when Group Policy is subsequently applied?

This functionality is not available in Windows Vista. Generally, joining a computer to the domain is the first step for new computers within an enterprise.

The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery passwords. An administrative account can list the recovery passwords of an unlocked volume by using the GetKeyProtectorNumericalPassword method of the BitLocker WMI interface or the "-protectors -get" parameters of the BitLocker command-line tool (manage-bde.wsf).

What happens if the backup initially fails? Will BitLocker retry?

If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try repeatedly to back up the recovery information to Active Directory.

When an administrator selects the Require BitLocker backup to AD DS check box or the Require TPM backup to AD DS check box, if the backup fails, BitLocker cannot be enabled.

When an administrator clears these check boxes, the administrator is allowing a volume to be BitLocker-encrypted without having the recovery information successfully backed up to Active Directory; however, BitLocker will not automatically retry. Instead, administrators can script a backup, as described in the previous question, to capture the information after connectivity is restored.


Does BitLocker encrypt recovery information as it is sent to Active Directory?

Yes, the transmission of recovery information from a Windows Vista client to Active Directory is protected by using Kerberos. Specifically, the connection uses the authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING.

For more information about Active Directory authentication flags, see http://go.microsoft.com/fwlink/?LinkId=79643.

Note

Once recovery information is transmitted, Active Directory does not store the BitLocker and TPM recovery information in an encrypted format. However, access control permissions are set so that only domain administrators or appropriate delegates can read the stored information when the server is online. Enterprises concerned about offline attacks on branch office servers should consider enabling BitLocker on those servers, once they are upgraded to Windows Server "Longhorn".

Appendix A: Checking BitLocker and TPM Schema Objects

To enable the backup of BitLocker and TPM recovery information in Active Directory, a total of six schema objects are created in the Active Directory schema.

You can use the following procedure to verify whether these objects exist in your Active Directory installation.

To examine and verify BitLocker and TPM schema objects

1. Log on to the domain controller with an account in the Domain Admins group.

2. Open the ADSI Edit snap-in. Click Start, click Run, type adsiedit.msc, and then click OK.

Note

This snap-in is in Windows Support Tools. To download the Windows Support Tools for Windows Server 2003 with Service Pack 1, see http://go.microsoft.com/fwlink/?LinkID=70775.

3. Open the Schema container, and then open the folder containing available schema objects (see the following figure).


4. Find by name the following schema objects:

CN=ms-FVE-KeyPackage – attributeSchema object
CN=ms-FVE-RecoveryGuid – attributeSchema object
CN=ms-FVE-RecoveryInformation – classSchema object
CN=ms-FVE-RecoveryPassword – attributeSchema object
CN=ms-FVE-VolumeGuid – attributeSchema object
CN=ms-TPM-OwnerInformation – attributeSchema object

The following screen image represents a typical search for schema objects:

Appendix B: Sample Ldifde output

The following sample represents typical output from running the BitLocker and TPM Schema extension command of the Ldifde tool and BitLockerTPMSchemaExtension.ldf.

Note

Your on-screen display might differ due to line wrapping required to display or print this output.


Sample Output

D:\ad>ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com" -k -j .
Connecting to "x-hp-test-serve.black.nttest.corp.microsoft.com"
Logging in as current user using SSPI
Importing directory from file "RC1BitLockerTPMSchemaExtension.ldf"
Loading entries
1: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
2: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
3: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
4: (null)
Entry modified successfully.
5: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
6: CN=computer,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
7: (null)
Entry modified successfully.
8: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
9: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
10: (null)
Entry modified successfully.
11: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
12: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
13: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
14: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
15: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
16: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
17: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
18: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
19: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
20: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
20 entries modified successfully.

The command has completed successfully


Appendix C: Default Permissions for a Computer Object

The default permissions for an Active Directory Computer object in Windows Server 2003 are:

Account operators
    Full control

Domain administrators
    Full control

System
    Full control

Authenticated users
    Read, Read Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
    Special: List contents, Read All Properties, Read Permissions

Creator owner
    Read, Allowed to authenticate, Change Password, Receive As, Reset Password, Send As, Validated write to DNS host name, Validated write to service principal name, Read Account Restrictions, Write Account Restrictions, Read DNS Host Name Attributes, Read Personal Information, Read Public Information
    Special: List contents, Read All properties, Delete, Delete Subtree, Read Permissions, All Extended rights, Allowed to authenticate, change password, receive as, reset password, Send As
    Write Account Restrictions
    Validated Write to DNS host name
    Validated Write to service principal name
    Write computer name (pre-Windows 2000)
    Write description

Everyone
    Change password

Print operator
    Create/Delete printer objects

Self
    Create All Child Objects
    Delete All Child Objects
    Various other applicationVersion and property objects
    Validated write to service principal name
    Read/write personal information
    Validated write to DNS host name

Windows Authorization Access Group
    Read property (tokenGroupsGlobalAndUniversal)

Cert Publishers
    Read userCertificate
    Write userCertificate

Appendix D: BitLockerTPMSchemaExtension.ldf File Contents

The following is the contents of the BitLockerTPMSchemaExtension.ldf file, which can be used to extend the Active Directory schema from Windows Server 2003 with SP1 to support backing up recovery information for BitLocker and the TPM owner password in Active Directory.

To use this file to extend the schema, you should be familiar with the Ldifde command, which must be run on the domain controller holding the schema operations master role for the forest.

Note

To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.

File contents

Note

Some lines might appear split into multiple lines for display or printing.

#=====================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
#
# Change History:
# 11/2005 - Schema additions for Vista Beta 2 (matches "Longhorn" Server Beta 2)
# 5/2006 - Schema additions and updates for Vista RC1 (matches "Longhorn" Server Beta 3)
#
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename "Longhorn".
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#
#=====================================================================

#=====================================================================
# [Vista Beta 2 and up] TPM Recovery Information - Attributes
#=====================================================================

#
# ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE

#=====================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information - Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#=====================================================================

#
# ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE

#
# ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE

#=====================================================================
# [Vista Beta 2 and up] Attributes - Schema Update
#=====================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information - Class
#=====================================================================

#
# ms-FVE-RecoveryInformation
#
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X

#=====================================================================
# [Vista Beta 2 and up] Classes - Schema Update
#=====================================================================

dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista RC1 and up] Bitlocker Recovery Information - Additional Attributes
#=====================================================================

#
# ms-FVE-VolumeGuid
#
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128

#
# ms-FVE-KeyPackage
#
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400

#=====================================================================
# [Vista RC1 and up] Additional Attributes - Schema Update
#=====================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#=====================================================================

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage
-

#=====================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#=====================================================================

#
# Updates to ms-TPM-OwnerInformation
#

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

#
# Updates to ms-FVE-RecoveryGuid
#

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

#
# Updates to ms-FVE-RecoveryPassword
#

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256
-

#
# Reload the schema cache to pick up updated attributes
#

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
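To see what this file's add and modify records amount to once applied, and to check the confidential flag that the earlier question about Windows Server 2003 depends on, here is an added Python example (not part of the guide or its download). It replays a constructed excerpt of the file's records, decodes each attribute's base64 schemaIdGuid into the {...} form that the ACE listing uses, names the searchFlags bits, and reports any secret-bearing attribute whose final searchFlags lack the confidential bit (0x80). The bit names are the Active Directory searchFlags values; which attributes count as secret-bearing is this example's own choice.

```python
"""Replay the Appendix D schema LDIF and check which attributes end up confidential (added example)."""
import base64
import uuid

# Active Directory searchFlags bits; 0x80 (confidential) is the flag the initial release of
# Windows Server 2003 lacks and that the guide relies on to lock down recovery secrets.
SEARCH_FLAG_NAMES = {0x1: "INDEXED", 0x2: "CONTAINER_INDEXED", 0x4: "ANR",
                     0x8: "PRESERVE_ON_TOMBSTONE", 0x10: "COPY_ON_DUPLICATE",
                     0x20: "TUPLE_INDEX", 0x40: "SUBTREE_INDEX", 0x80: "CONFIDENTIAL"}
CONFIDENTIAL = 0x80
# Attributes that hold secrets (this example's choice); ms-FVE-KeyPackage is checked the same way.
SECRET_ATTRIBUTES = ("msTPM-OwnerInformation", "msFVE-RecoveryPassword", "msFVE-KeyPackage")

# Constructed excerpt of BitLockerTPMSchemaExtension.ldf: two Beta 2 attribute adds
# followed by the RC1 updates that replace their searchFlags.
SAMPLE_LDIF = """\
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
# [Vista RC1 and up] Updates to pre-RC1 Attributes
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-
"""


def _records(ldif_text):
    """One record per 'dn:' line; comment and blank lines are dropped (no folded lines here)."""
    records = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.lower().startswith("dn:"):
            records.append([])
        records[-1].append(raw)
    return records


def apply_ldif(ldif_text):
    """Replay add/modify records into {dn: {attribute: [values]}}; '::' values are base64-decoded."""
    schema = {}
    for lines in _records(ldif_text):
        pairs = []
        for line in lines:
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            pairs.append((name.lower(), value))
        fields = dict(pairs)
        if not fields["dn"]:              # a bare 'dn:' addresses the rootDSE (schemaUpdateNow)
            continue
        entry = schema.setdefault(fields["dn"], {})
        target = None                     # attribute named by the current add:/replace: sub-operation
        for name, value in pairs:
            if name in ("dn", "changetype"):
                continue
            if name == "-":               # end of one modify sub-operation
                target = None
            elif fields["changetype"] == "modify" and target is None and name in ("add", "replace"):
                target = value.lower()
                if name == "replace":
                    entry[target] = []    # replace discards the old values
            else:
                entry.setdefault(name, []).append(value)
    return schema


def guid_string(raw):
    """Render a 16-byte schemaIdGuid in the {...} form that List-ACEs.vbs prints."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def attribute_report(schema):
    """ldapDisplayName -> (guid, final searchFlags, flag names) for each attributeSchema object."""
    report = {}
    for entry in schema.values():
        if "attributeSchema" not in entry.get("objectclass", []):
            continue
        flags = int(entry["searchflags"][-1])
        names = [n for bit, n in sorted(SEARCH_FLAG_NAMES.items()) if flags & bit]
        report[entry["ldapdisplayname"][0]] = (guid_string(entry["schemaidguid"][0]), flags, names)
    return report


def missing_confidential(report):
    """Secret-bearing attributes present in the report whose final searchFlags lack the confidential bit."""
    return sorted(n for n in SECRET_ATTRIBUTES if n in report and not report[n][1] & CONFIDENTIAL)
```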

Appendix E: Add-TPMSelfWriteACE.vbs File Contents

The following is the contents of the Add-TPMSelfWriteACE.vbs file, which can be used to add the required access control entry to allow Windows Vista clients to back up the TPM owner password recovery information in Active Directory.

Note

To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.

File contents

'===============================================================================
'
' This script demonstrates the addition of an Access Control Entry (ACE)
' to allow computers to write Trusted Platform Module (TPM)
' recovery information to Active Directory.
'
' This script creates a SELF ACE on the top-level domain object, and
' assumes that inheritance of ACL's from the top-level domain object to
' down-level computer objects are enabled.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: August 2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE = &H2 'ACE can be inherited to child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_WRITE_PROP = &H20 'The right to write object properties
Const ADS_RIGHT_DS_CREATE_CHILD = &H1 'The right to create child objects

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- ms-FVE-RecoveryInformation object
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow write of TPM owner information
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = "SELF"
objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER

' --------------------------------------------------------------------------------
' NOTE: BY default, the "SELF" computer account can create
' BitLocker recovery information objects and write BitLocker recovery properties
'
' No additional ACE's are needed.
' --------------------------------------------------------------------------------

' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo

WScript.Echo "SUCCESS!"

Appendix F: Sample Test Scripts

The following are the contents of three sample test scripts that can be used to help verify your Active Directory configuration to support backing up recovery information for BitLocker and the TPM owner password to Active Directory.

List-ACEs.vbs

Get-TPMOwnerInfo.vbs

Get-BitLockerRecoveryInfo.vbs

You can get usage information for each script by running the script with the -? parameter.

Note

To download these files, see http://go.microsoft.com/fwlink/?LinkId=78953.

List-ACEs.vbs

This script lists or removes the access control entries (ACEs) configured on BitLocker and TPM schema objects for the top-level domain. You can use this script to ensure that the expected ACEs have been added appropriately or to remove any ACEs related to BitLocker or the TPM.

Note

On a completed configuration without any delegation of permissions, there should be only one ACE related to the TPM.

File contents

'===============================================================================
'
' This script lists the access control entries (ACEs) configured on
' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects
' for the top-level domain.
'
' Use this script to check that the correct permissions have been set.
' Also use this script to remove TPM and BitLocker ACEs from the top-level domain.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: 1/30/2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    Wscript.Echo "USAGE: List-ACEs"
    Wscript.Echo "List access permissions for BitLocker and TPM schema objects"
    Wscript.Echo ""
    Wscript.Echo "USAGE: List-ACEs -remove"
    Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects"
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' do nothing - checks for ACEs
        removeACE = False
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            If UCase(args(0)) = "-REMOVE" Then
                removeACE = True
            End If
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Configuration of the filter to show/remove only ACEs for BDE and TPM objects
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- ms-FVE-RecoveryInformation object
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

' Use this filter to list/remove only ACEs related to TPM and BitLocker

aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
                      SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)

' Note to script source reader:
' Uncomment the following line to turn off the filter and list all ACEs
'aceGuidFilter = Array()

' --------------------------------------------------------------------------------
' Helper functions related to the list filter for listing or removing ACEs
' --------------------------------------------------------------------------------

Function IsFilterActive()
    If Join(aceGuidFilter) = "" Then
        IsFilterActive = False
    Else
        IsFilterActive = True
    End If
End Function

Function isAceWithinFilter(ace)
    isAceWithinFilter = False ' assume first that the ACE does not pass the filter
    For Each guid In aceGuidFilter
        ' An ACE is relevant if it targets the attribute/class itself (ObjectType)
        ' or is scoped to inherit onto that class (InheritedObjectType)
        If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then
            isAceWithinFilter = True
        End If
    Next
End Function

Sub displayFilter
    For Each guid In aceGuidFilter
        WScript.echo guid
    Next
End Sub

' --------------------------------------------------------------------------------
' Connect to Discretionary ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com

Set domain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + domain.Get("distinguishedName")
WScript.Echo ""

Set descriptor = domain.Get("ntSecurityDescriptor")
Set dacl = descriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Show Access Control Entries (ACEs)
' --------------------------------------------------------------------------------

' Loop through the existing ACEs, including all ACEs if the filter is not active

i = 1 ' global index
c = 0 ' found count - relevant if filter is active

For Each ace In dacl
    If IsFilterActive() = False Or isAceWithinFilter(ace) = True Then
        ' note to script source reader:
        ' echo i to show the index of the ACE
        WScript.echo "> AceFlags: " & ace.AceFlags
        WScript.echo "> AceType: " & ace.AceType
        WScript.echo "> Flags: " & ace.Flags
        WScript.echo "> AccessMask: " & ace.AccessMask
        WScript.echo "> ObjectType: " & ace.ObjectType
        WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType
        WScript.echo "> Trustee: " & ace.Trustee
        WScript.echo ""

        If IsFilterActive() = True Then
            c = c + 1

            ' optionally include this ACE in removal list if configured
            ' note that the filter being active is a requirement since we don't
            ' want to accidentally remove all ACEs
            If removeACE = True Then
                dacl.RemoveAce ace
            End If
        End If
    End If

    i = i + 1
Next

' Display number of ACEs found

If IsFilterActive() = True Then
    WScript.echo c & " ACE(s) found in " & domain.Get("distinguishedName") _
        & " related to BitLocker and TPM" ' note to script source reader: change this line if you configure your own filter

    ' note to script source reader:
    ' uncomment the following lines if you configure your own filter
    'WScript.echo ""
    'WScript.echo "The following filter was active: "
    'displayFilter
    'Wscript.echo ""
Else
    i = i - 1
    WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName")
End If

' --------------------------------------------------------------------------------
' Optionally remove ACEs on a filtered list
' --------------------------------------------------------------------------------

If removeACE = True And IsFilterActive() = True Then
    ' Write the modified DACL back to the domain object
    descriptor.DiscretionaryAcl = dacl
    domain.Put "ntSecurityDescriptor", Array(descriptor)
    domain.SetInfo

    WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName")
Else
    If removeACE = True Then
        WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName")
    End If
End If
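The same filter that List-ACEs.vbs applies to the live DACL, run offline over an SDDL export of the domain object's security descriptor, as an added Python example (not one of the Microsoft sample scripts). The two schema GUIDs are the ones the script filters on; the sample SDDL string, including its trustees and the computer-class GUID in the inherited-object field, is constructed for the example. It assumes you have the descriptor in SDDL text form (for instance the Sddl property of a security descriptor object) and lets you verify the "only one ACE related to the TPM" expectation from the note above without modifying anything.

```python
import re

# Schema GUIDs taken from List-ACEs.vbs, normalised to the unbraced,
# lower-case form used inside SDDL strings.
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "aa4e1a6d-550d-4e05-8c35-4afcb917a9fe"
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "ea715d30-8f53-40d0-bd1e-6109186d782c"
ACE_GUID_FILTER = frozenset([SCHEMA_GUID_MS_TPM_OWNERINFORMATION,
                             SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION])

# Constructed sample (not a real export): a domain-object DACL with three
# ACEs. The second is an object ACE granting SELF (PS) write-property (WP)
# on the ms-TPM-OwnerInformation attribute, inherited by computer objects
# (bf967a86-... is the computer class GUID).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;CIIO;WP;aa4e1a6d-550d-4e05-8c35-4afcb917a9fe;"
    "bf967a86-0de6-11d0-a285-00aa003049e2;PS)"
    "(A;;LCRPLORC;;;AU)"
)

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))*)")
_ACE_RE = re.compile(r"\(([^()]*)\)")


def normalise_guid(guid):
    """Compare GUIDs regardless of braces or case ("{AA4E...}" == "aa4e...")."""
    return guid.strip().strip("{}").lower()


def parse_sddl_aces(sddl):
    """Return the DACL ACEs of an SDDL string as dicts.

    Each SDDL ACE has the form
    (type;flags;rights;object_guid;inherit_object_guid;trustee).
    Conditional ACEs (which add a seventh, parenthesised field) are not
    handled here.
    """
    match = _DACL_RE.search(sddl)
    if match is None:
        raise ValueError("no DACL (D:) section found in SDDL string")
    aces = []
    for body in _ACE_RE.findall(match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unexpected ACE format: (%s)" % body)
        aces.append({
            "ace_type": fields[0],
            "ace_flags": fields[1],
            "rights": fields[2],
            "object_type": normalise_guid(fields[3]),
            "inherited_object_type": normalise_guid(fields[4]),
            "trustee": fields[5],
        })
    return aces


def is_ace_within_filter(ace, guid_filter=ACE_GUID_FILTER):
    """Same test as the script: the ACE's ObjectType or InheritedObjectType
    is one of the BitLocker/TPM schema GUIDs."""
    return (ace["object_type"] in guid_filter
            or ace["inherited_object_type"] in guid_filter)


def list_bitlocker_tpm_aces(sddl, guid_filter=ACE_GUID_FILTER):
    """ACEs related to BitLocker and TPM, in DACL order."""
    return [ace for ace in parse_sddl_aces(sddl)
            if is_ace_within_filter(ace, guid_filter)]


if __name__ == "__main__":
    found = list_bitlocker_tpm_aces(SAMPLE_SDDL)
    for ace in found:
        for key, value in ace.items():
            print("> %s: %s" % (key, value))
        print()
    print("%d ACE(s) found related to BitLocker and TPM" % len(found))
```

Against the sample descriptor this reports exactly one ACE (the SELF write on ms-TPM-OwnerInformation); more than one, or an ACE whose trustee is not SELF or a deliberately delegated group, is the signal to inspect the delegation before recovery data is backed up.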

Get-TPMOwnerInfo.vbs

This script demonstrates the retrieval of TPM recovery information from Active Directory for a particular computer. You can use this script to test that only domain administrators (or delegated roles) can read backed up TPM recovery information, and that the information is being backed up correctly.

File contents

'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'=================================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.

    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object matching name

    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPath

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64    '0x40
Const ADS_USE_SIGNING = 128   '0x80

Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------

strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
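GetStrPathToComputer, which appears unchanged in Get-TPMOwnerInfo.vbs above and again in Get-BitLockerRecoveryInfo.vbs below, builds its search filter by concatenating the computer name into "(&(objectCategory=Computer)(cn=NAME))" and keeps whichever distinguished name the record set returns last. The added Python example below (not one of the Microsoft sample scripts) shows the two checks a practitioner would want around that lookup: the name is escaped per RFC 4515 so that "*", "(", ")", "\" and NUL are matched literally rather than changing the filter, and the result is accepted only when exactly one object matched, since a global catalog search spans every domain in the forest and the same CN can exist more than once. The naming context, computer names and distinguished names are constructed sample values.

```python
# Characters with special meaning inside an LDAP search filter
# (RFC 4515 section 3) and their escaped forms.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Constructed sample input: a forest naming context and a computer name.
SAMPLE_NAMING_CONTEXT = "DC=fabrikam,DC=com"
SAMPLE_COMPUTER_NAME = "WKS01"


def escape_ldap_filter_value(value):
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_computer_filter(computer_name):
    """The filter GetStrPathToComputer builds, with the name escaped."""
    if not computer_name or not computer_name.strip():
        raise ValueError("computer name must not be empty")
    return "(&(objectCategory=Computer)(cn=%s))" % escape_ldap_filter_value(computer_name)


def build_computer_query(naming_context, computer_name):
    """The ADO command text in the script's "<base>;filter;attributes;scope" form."""
    return "<GC://%s>;%s;distinguishedName;subtree" % (
        naming_context, build_computer_filter(computer_name))


def select_computer_dn(distinguished_names):
    """Reduce the search result to one ADsPath, as the script's caller expects.

    The script's loop keeps whichever DN the record set returns last; a
    global catalog search covers every domain in the forest, so the same CN
    can match more than once. Requiring exactly one hit avoids reading the
    recovery attributes of the wrong computer object.
    """
    dns = list(distinguished_names)
    if not dns:
        raise LookupError("computer not found")
    if len(dns) > 1:
        raise LookupError("computer name is ambiguous: %d matches" % len(dns))
    return "LDAP://" + dns[0]


if __name__ == "__main__":
    print(build_computer_query(SAMPLE_NAMING_CONTEXT, SAMPLE_COMPUTER_NAME))
    # A name containing filter metacharacters is still matched as a literal CN.
    print(build_computer_filter("WKS(1)"))
    print(select_computer_dn(["CN=WKS01,CN=Computers,DC=fabrikam,DC=com"]))
```

The query string produced by build_computer_query is exactly what the VBScript assigns to objCommand.CommandText, so the escaping can be dropped into the sample scripts with a small helper of the same shape.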

Get-BitLockerRecoveryInfo.vbs

This script demonstrates the retrieval of all BitLocker recovery information from Active Directory for a particular computer. You can use this script to ensure that only domain administrators (or delegated roles) can read the BitLocker recovery information backed up in Active Directory and that it has been backed up correctly.

File contents

'===============================================================================
'
' This script demonstrates the retrieval of BitLocker Drive Encryption (BDE)
' recovery information from Active Directory for a particular computer.
'
' It returns all recovery passwords and associated GUIDs for a particular
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Added ConvertOctetGuidToHexString to remove dependency to ADs.DLL
'             and converted GUID to correct byte order before printing.
'           - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    Wscript.Echo "USAGE: Get-BitLockerRecoveryInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Helper function: Convert the octet GUID string (byte array) to a hex string
' --------------------------------------------------------------------------------

'Reference: http://blogs.msdn.com/ericlippert/archive/2004/05/25/141525.aspx

Function HexByte(b)
    HexByte = Right("0" & Hex(b), 2)
End Function

Function ConvertOctetGuidToHexString(ByteArray)
    Dim Binary, S
    Binary = CStr(ByteArray)

    On Error Resume Next

    ' Windows stores the first three GUID fields little-endian, so their bytes
    ' are emitted in reverse order (4,3,2,1 - 6,5 - 8,7); the remaining eight
    ' bytes are emitted in the order they are stored.
    S = "{"
    S = S & HexByte(AscB(MidB(Binary, 4, 1)))
    S = S & HexByte(AscB(MidB(Binary, 3, 1)))
    S = S & HexByte(AscB(MidB(Binary, 2, 1)))
    S = S & HexByte(AscB(MidB(Binary, 1, 1)))
    S = S & "-"
    S = S & HexByte(AscB(MidB(Binary, 6, 1)))
    S = S & HexByte(AscB(MidB(Binary, 5, 1)))
    S = S & "-"
    S = S & HexByte(AscB(MidB(Binary, 8, 1)))
    S = S & HexByte(AscB(MidB(Binary, 7, 1)))
    S = S & "-"
    S = S & HexByte(AscB(MidB(Binary, 9, 1)))
    S = S & HexByte(AscB(MidB(Binary, 10, 1)))
    S = S & "-"
    S = S & HexByte(AscB(MidB(Binary, 11, 1)))
    S = S & HexByte(AscB(MidB(Binary, 12, 1)))
    S = S & HexByte(AscB(MidB(Binary, 13, 1)))
    S = S & HexByte(AscB(MidB(Binary, 14, 1)))
    S = S & HexByte(AscB(MidB(Binary, 15, 1)))
    S = S & HexByte(AscB(MidB(Binary, 16, 1)))
    S = S & "}"

    On Error GoTo 0

    ConvertOctetGuidToHexString = S
End Function

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.

    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object matching name

    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPathToComputer

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64    '0x40
Const ADS_USE_SIGNING = 128   '0x80

' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get all the recovery information child objects of the computer object

Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

objFveInfos.Filter = Array("msFVE-RecoveryInformation")

' Iterate through each recovery information object

For Each objFveInfo In objFveInfos

    strName = objFveInfo.Get("name")

    strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
    strRecoveryGuid = ConvertOctetGuidToHexString(strRecoveryGuidOctet)

    strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")

    WScript.echo
    WScript.echo "name: " + strName
    WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
    WScript.echo "msFVE-RecoveryPassword: " + strRecoveryPassword

    If Len(strRecoveryGuid) <> 38 Then
        WScript.echo "WARNING: '" & strRecoveryGuid & "' does not appear to be a valid GUID."
    End If

Next

WScript.Quit
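The byte-order conversion that Get-BitLockerRecoveryInfo.vbs performs in ConvertOctetGuidToHexString, together with its 38-character sanity check, as an added Python example (not one of the Microsoft sample scripts). The msFVE-RecoveryGuid attribute holds the 16 raw bytes of a Windows GUID, whose first three fields are stored little-endian; the script therefore prints bytes 4,3,2,1 - 6,5 - 8,7 - 9,10 - 11..16, which is the layout Python's uuid module calls bytes_le. The example ports the script's conversion byte for byte, shows that the standard-library decoding gives the same string, and prints the big-endian reading alongside so the effect of the swap is visible. The 16-byte sample octet string is constructed.

```python
import re
import uuid

# Constructed sample: the 16 raw bytes as ADSI returns them for the
# msFVE-RecoveryGuid octet string of one recovery information object.
SAMPLE_RECOVERY_GUID_OCTETS = bytes(range(1, 17))

# Braced, upper-case GUID: 8-4-4-4-12 hex digits, 38 characters in total.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")

# 0-based index of each stored byte in print order, copied from the 1-based
# order in which ConvertOctetGuidToHexString reads them: 4,3,2,1-6,5-8,7-9..16.
_PRINT_ORDER = (3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15)


def convert_octet_guid_to_hex_string(octets):
    """Direct port of the script's conversion. Windows stores the first three
    GUID fields little-endian, so their bytes are reversed on output; the
    last eight bytes are printed as stored."""
    octets = bytes(octets)
    if len(octets) != 16:
        raise ValueError("a GUID octet string has 16 bytes, got %d" % len(octets))
    h = ["%02X" % octets[i] for i in _PRINT_ORDER]
    return "{%s-%s-%s-%s-%s}" % ("".join(h[0:4]), "".join(h[4:6]),
                                 "".join(h[6:8]), "".join(h[8:10]),
                                 "".join(h[10:16]))


def octet_guid_via_uuid(octets):
    """Same result from the standard library: bytes_le is exactly the
    mixed-endian Windows GUID layout."""
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(octets))).upper()


def naive_big_endian_guid(octets):
    """The string obtained when the byte swap is skipped. Shown only to make
    the difference visible; it is not the form the script prints."""
    return "{%s}" % str(uuid.UUID(bytes=bytes(octets))).upper()


def is_valid_guid_string(s):
    """The script's sanity check (length 38) plus a format check."""
    return len(s) == 38 and GUID_RE.match(s) is not None


if __name__ == "__main__":
    guid = convert_octet_guid_to_hex_string(SAMPLE_RECOVERY_GUID_OCTETS)
    state = "valid" if is_valid_guid_string(guid) else "INVALID"
    print("msFVE-RecoveryGuid: %s (%s)" % (guid, state))
    print("via uuid.bytes_le:  %s" % octet_guid_via_uuid(SAMPLE_RECOVERY_GUID_OCTETS))
    print("without byte swap:  %s" % naive_big_endian_guid(SAMPLE_RECOVERY_GUID_OCTETS))
```

Printing the swapped form matters when matching a stored recovery password to a locked computer: the script's change history records that the swap was added to get the "correct byte order", and the first field of the big-endian reading differs in every byte from the swapped one, so a value compared without the swap will simply never match.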
