
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information
Microsoft Corporation
Published: December 2006

Abstract
Windows® BitLocker™ Drive Encryption (BitLocker) is a new feature in the
Windows Vista™ and Microsoft® Windows Server® Code Name "Longhorn" operating
systems that provides better offline data protection for your computer. This feature is
enhanced by the use of a Trusted Platform Module (TPM).
This guide includes requirements and procedures for configuring Active Directory® in
Microsoft Windows Server® 2003 to support the recovery of information protected by
BitLocker, with or without the use of a TPM.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2006 Microsoft Corporation. All rights reserved.
Active Directory, BitLocker, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows,
Windows NT, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted
Platform Module Recovery Information...........................................................................1
Abstract.......................................................................................................................1

Contents.............................................................................................................................3

Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted
Platform Module Recovery Information ..............................................................5
Overview.........................................................................................................................5
Required files..............................................................................................................6
Background.....................................................................................................................6
Storage of BitLocker recovery information in Active Directory.....................................7
Storage of TPM recovery information in Active Directory............................................8
Configuring Active Directory............................................................................................8
Check general prerequisites........................................................................................8
Extend the schema......................................................................................................9
Set the required permissions for backing up TPM password information..................11
Configure Group Policy to enable backup of BitLocker and TPM recovery information
in Active Directory..................................................................................................12
Testing Your Active Directory Configuration..................................................................13
Testing backup with Windows Vista...........................................................................13
Sample test scenario with Windows Vista.................................................................13
Troubleshooting Common Problems.............................................................................16
Access permission problems.....................................................................................16
Script errors...............................................................................................................16
Get-TPMOwnerInfo.vbs.........................................................................................16
General..................................................................................................................16
Questions and Answers................................................................................................17
Is this schema part of Windows Server "Longhorn"?.............................................17
Can I apply the schema update to a Windows Server 2003-based domain
controller?...........................................................................................................17
Is this schema supported by Microsoft for production use?...................................17
Is there an event log entry recorded on the client to indicate the success or failure
of the Active Directory backup?..........................................................................17
What if BitLocker is enabled on a computer before the computer has joined the
domain?..............................................................................................................18
What happens if the backup initially fails? Will BitLocker retry?.............................18
Does BitLocker encrypt recovery information as it is sent to Active Directory?......18

Appendix A: Checking BitLocker and TPM Schema Objects ...............................19

Appendix B: Sample Ldifde output ......................................................................20


Sample Output..............................................................................................................20

Appendix C: Default Permissions for a Computer Object ....................................23

Appendix D: BitLockerTPMSchemaExtension.ldf File Contents ..........................25


File contents.................................................................................................................25

Appendix E: Add-TPMSelfWriteACE.vbs File Contents .......................................31


File contents.................................................................................................................32

Appendix F: Sample Test Scripts .........................................................................34


List-ACEs.vbs...............................................................................................................35
File contents..............................................................................................................35
Get-TPMOwnerInfo.vbs................................................................................................40
File contents..............................................................................................................40
Get-BitLockerRecoveryInfo.vbs....................................................................................43
File contents..............................................................................................................43
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information

Overview
This document describes how to configure Active Directory® to back up recovery
information for Windows® BitLocker™ Drive Encryption (BitLocker) and the Trusted
Platform Module (TPM). Recovery information includes the recovery password for each
BitLocker-enabled volume, the TPM owner password, and the information required to
identify which computers and volumes the recovery information applies to. Optionally, you
can also save a package containing the actual keys used to encrypt the data as well as
the recovery password required to access those keys.

Note
Active Directory is known as Active Directory Domain Services in Microsoft®
Windows Server® Code Name "Longhorn".
Backing up recovery passwords for a BitLocker-protected disk volume allows
administrators to recover the volume if it is locked. This ensures that encrypted data
belonging to the enterprise can always be accessed by authorized users.
Backing up the TPM owner information for a computer allows administrators to locally
and remotely configure the TPM security hardware on that computer. As an example, an
administrator might want to reset the TPM to factory defaults when decommissioning or
repurposing computers.

Important
You can save recovery information in Active Directory if your domain controllers
are running Microsoft® Windows Server® 2003 with Service Pack 1 (SP1),
Windows Server 2003 R2, or Windows Server "Longhorn". You cannot save
recovery information in Active Directory if the domain controller is running a
version of Windows Server earlier than Windows Server 2003 with SP1.
If you are testing a pre-release version of Windows Server "Longhorn", follow the same
process described for Windows Server 2003 with SP1 or later, with one exception: if you
have installed the Beta 3 release of Windows Server "Longhorn" or newer, you do not
need to update the schema as described later in this document.

Important
Perform these steps in a test or pre-production environment prior to rolling out to
production environments.

Required files
The following sample scripts and LDF file available from Microsoft are required to
configure Active Directory for backing up recovery information:
• Add-TPMSelfWriteACE.vbs
• BitLockerTPMSchemaExtension.ldf
• List-ACEs.vbs
• Get-TPMOwnerInfo.vbs
• Get-BitLockerRecoveryInfo.vbs
To download the files, see http://go.microsoft.com/fwlink/?LinkId=78953. The contents of
these files and other useful information are included in the following appendices:
• Appendix A: Checking BitLocker and TPM Schema Objects
• Appendix B: Sample Ldifde output
• Appendix C: Default Permissions for a Computer Object
• Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
• Appendix E: Add-TPMSelfWriteACE.vbs File Contents
• Appendix F: Sample Test Scripts

Note
If you tested a pre-release or beta version of Windows Vista, and configured your
Active Directory installation with earlier versions of the scripts or schema
extensions, you must ensure that you use the final, released versions of
these files. In addition, if you ran an earlier version of List-ACEs.vbs, you must
remove the previously-added BitLocker-related access control entries (ACEs)
before proceeding.

Background
This section provides information about how BitLocker and TPM recovery information can
be backed up in Active Directory.
By default, no recovery information is backed up. Administrators can configure Group
Policy settings to enable backup of BitLocker or TPM recovery information. Before
configuring these settings, as a domain administrator you must ensure that the Active
Directory schema has been extended with the necessary storage locations and that
access permissions have been granted to perform the backup.
You should also configure Active Directory before configuring BitLocker on client
computers. If BitLocker is enabled first, recovery information for those computers will not
be added to Active Directory. For more information, see the section Questions and
Answers later in this document.

Storage of BitLocker recovery information in Active Directory
Backed up BitLocker recovery information is stored in a child object of the Computer
object. That is, the Computer object is the container for a BitLocker recovery object.
Each BitLocker recovery object includes the recovery password and other recovery
information. More than one BitLocker recovery object can exist under each Computer
object, because there can be more than one recovery password associated with a
BitLocker-enabled volume.
The name of the BitLocker recovery object incorporates a globally unique identifier
(GUID) and date and time information, for a fixed length of 63 characters. The form is:
<Object Creation Date and Time><Recovery GUID>
For example:
2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}
The common name (cn) for the BitLocker recovery object is ms-FVE-RecoveryInformation.
Each ms-FVE-RecoveryInformation object has the following attributes:
• ms-FVE-RecoveryPassword
This attribute contains the 48-digit recovery password used to recover a BitLocker-
encrypted disk volume. Users enter this password to unlock a volume when BitLocker
enters recovery mode.
• ms-FVE-RecoveryGuid
This attribute contains the GUID associated with a BitLocker recovery password. In
BitLocker's recovery mode, this GUID is displayed to the user so that the correct
recovery password can be located to unlock the volume. This GUID is also included
in the name of the recovery object.
• ms-FVE-VolumeGuid
This attribute contains the GUID associated with a BitLocker-supported disk volume.
While the recovery GUID (stored in ms-FVE-RecoveryGuid) is unique for each recovery
password, this volume identifier is unique for each BitLocker-encrypted volume.
• ms-FVE-KeyPackage
This attribute contains a volume's BitLocker encryption key secured by the
corresponding recovery password.
With this key package and the recovery password (stored in ms-FVE-RecoveryPassword),
you can decrypt portions of a BitLocker-protected volume if the disk is corrupted.
Each key package will work only for a volume that has the corresponding volume
identifier (stored in ms-FVE-VolumeGuid). You must use a specialized tool to make
use of this key package.
If you tested BitLocker and Windows Vista prior to its release, you should note the
following changes that were made to the attributes of the recovery object since pre-
release or beta versions of Windows Vista:
• GUIDs added to the global catalog to facilitate forest-wide searches
(isMemberOfPartialAttributeSet)
• Use of the confidential bit for GUID attributes (bit 128 of searchFlags) removed
• Size of each attribute restricted to minimize replication slowdowns in the case of
a flooding attack on the Active Directory database (rangeUpper)
• Updated attribute descriptions for clarity (adminDescription)
• Additional bit set to save attribute values when creating copies of objects (bit 16
of searchFlags)
• Additional bit set to create a per-container index for GUID attributes (bit 2 of
searchFlags).
For more details about attribute syntax, see the schema extension file in Appendix D:
BitLockerTPMSchemaExtension.ldf File Contents.
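As an added example that is not part of this document or its sample scripts, the following Python parses a recovery object name of the form described above (creation time followed by the recovery GUID, 63 characters in total) and matches the GUID that BitLocker shows in recovery mode against a list of object names, so the right ms-FVE-RecoveryInformation object can be picked out. The object names are constructed sample values (the first is the document's own example); reading the names from the directory is assumed to happen separately, and matching on a leading portion of the GUID is a convenience chosen here, not something the document specifies.

```python
import re
from datetime import datetime

# Constructed sample cn values in the <creation time><recovery GUID> form
# described in the document (the first one is the document's own example).
SAMPLE_RECOVERY_OBJECT_NAMES = [
    "2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}",
    "2006-11-02T09:15:41-08:00{7C1D2B30-9F4E-4A3B-8E5D-0A1B2C3D4E5F}",
]

# A 25-character timestamp with UTC offset followed by a 38-character braced
# GUID: 63 characters, the fixed length the document gives for the name.
NAME_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)


def parse_recovery_object_name(cn):
    """Split an ms-FVE-RecoveryInformation cn into creation time and GUID.

    Raises ValueError for anything that is not a well-formed 63-character
    name, so an unexpected or hand-edited object name is not silently used.
    """
    if len(cn) != 63:
        raise ValueError("recovery object name must be exactly 63 characters")
    match = NAME_RE.match(cn)
    if match is None:
        raise ValueError("recovery object name has an unexpected form")
    created = datetime.fromisoformat(match.group("created"))
    return {"created": created, "recovery_guid": match.group("guid").upper()}


def find_by_recovery_id(cns, shown_id):
    """Return the object names whose recovery GUID starts with shown_id.

    shown_id is the identifier BitLocker displays in recovery mode; braces
    and letter case are ignored so a value typed from the screen matches, and
    a leading portion of the GUID is accepted (an assumption of this example).
    """
    key = shown_id.strip().strip("{}").upper()
    if not key:
        raise ValueError("an empty recovery identifier would match every object")
    matches = []
    for cn in cns:
        guid = parse_recovery_object_name(cn)["recovery_guid"].strip("{}")
        if guid.startswith(key):
            matches.append(cn)
    return matches


if __name__ == "__main__":
    for name in SAMPLE_RECOVERY_OBJECT_NAMES:
        info = parse_recovery_object_name(name)
        print(info["created"].isoformat(), info["recovery_guid"])
    print(find_by_recovery_id(SAMPLE_RECOVERY_OBJECT_NAMES, "063EA4E1"))
```

Because the GUID is part of the object name, an administrator can locate the matching object even before reading any attribute; the strict length and format check guards against picking up objects that merely look similar.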

Storage of TPM recovery information in Active Directory
There is only one TPM owner password per computer. When the TPM is initialized or
when this password is changed, the hash of the TPM ownership password gets backed
up as an attribute of the Computer object.
The common name (cn) for the TPM attribute is ms-TPM-OwnerInformation.

Configuring Active Directory
Complete the following tasks to configure Active Directory to back up BitLocker and TPM
recovery information.

Check general prerequisites
Check the following prerequisites:
1. All domain controllers accessible by BitLocker-capable clients are running
Windows Server 2003 with SP1 or later. On each domain controller, click Start, right-
click My Computer, and then click the General tab.

Important
If the General tab lists Windows Server 2003 but no service pack
information, you need to upgrade. For more information about upgrading to
Windows Server 2003 with SP1, see http://go.microsoft.com/fwlink/?
LinkID=43106.

Important
The use of domain controllers running Windows Server 2000 or Windows
Server 2003 without SP1 to back up BitLocker or TPM recovery information
has not been tested and is not supported. Furthermore, these earlier
operating systems lack the Active Directory confidential flag feature used to
protect access to BitLocker and TPM recovery information.
The confidential flag is a feature available in Windows Server 2003 with SP1 and later.
With this feature, only domain administrators and appropriate delegates have Read
access to attributes marked with the confidential flag. The BitLocker and TPM schema
extension marks selected attributes as "confidential" using the "searchFlags" property.
For more information about this flag, see "How the Active Directory Schema Works"
(http://go.microsoft.com/fwlink/?LinkId=79649).
BitLocker does not impose any requirements on domain or forest functional levels.
However, domain controllers running operating systems earlier than Windows
Server 2003 with SP1 should be removed from mixed-functional level environments (or
upgraded), because backed up BitLocker and TPM information will not be protected on
those domain controllers.
2. You have domain administrator privileges for the target forest.
3. You have obtained the following files:
• BitLockerTPMSchemaExtension.ldf
• Add-TPMSelfWriteACE.vbs
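As an added example that is not Microsoft's code, the following Python reads attributeSchema entries from an LDIF file written in the same style as BitLockerTPMSchemaExtension.ldf and audits the settings the Background section describes: the confidential bit (128) and per-container index bit (2) in searchFlags, rangeUpper, and global catalog membership (isMemberOfPartialAttributeSet). The LDIF embedded below is constructed sample data, not the contents of the real extension file, and carries two deliberate defects (the confidential bit left on a GUID attribute, and no rangeUpper on ms-TPM-OwnerInformation). Which attributes are treated as confidential is assumed from the document's description of who may read them.

```python
# searchFlags bits named in the document (standard Active Directory values).
SEARCHFLAGS_INDEX = 0x01              # attribute is indexed
SEARCHFLAGS_CONTAINER_INDEX = 0x02    # per-container index (bit 2)
SEARCHFLAGS_COPY_ON_DUPLICATE = 0x10  # value kept when an object is copied (bit 16)
SEARCHFLAGS_CONFIDENTIAL = 0x80       # confidential attribute (bit 128)

# Assumed from the document: attributes only domain administrators and
# delegates should read, and the GUID attributes meant for forest-wide search.
CONFIDENTIAL_ATTRS = {"ms-FVE-RecoveryPassword", "ms-FVE-KeyPackage",
                      "ms-TPM-OwnerInformation"}
GUID_ATTRS = {"ms-FVE-RecoveryGuid", "ms-FVE-VolumeGuid"}

# Constructed LDIF (not BitLockerTPMSchemaExtension.ldf) with two defects.
SAMPLE_LDIF = """\
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ms-FVE-RecoveryPassword
searchFlags: 144
rangeUpper: 256
isMemberOfPartialAttributeSet: FALSE

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ms-FVE-RecoveryGuid
searchFlags: 19
rangeUpper: 16
isMemberOfPartialAttributeSet: TRUE

# defect 1: confidential bit (128) still set on a GUID attribute
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ms-FVE-VolumeGuid
searchFlags: 147
rangeUpper: 16
isMemberOfPartialAttributeSet: TRUE

# defect 2: no rangeUpper, so the value size is unbounded
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ms-TPM-OwnerInformation
searchFlags: 144
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> [values] per record.

    Handles '#' comments, blank-line record separators, '-' separators and
    folded continuation lines (leading space). Base64 values are not needed.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw == "-":
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        records.append(current)
    return records


def audit_schema_attributes(records):
    """Return (lDAPDisplayName, finding) pairs for attributeSchema records."""
    findings = []
    for rec in records:
        if "attributeSchema" not in rec.get("objectClass", []):
            continue
        name = rec.get("lDAPDisplayName", ["<unnamed>"])[0]
        flags = int(rec.get("searchFlags", ["0"])[0])
        confidential = bool(flags & SEARCHFLAGS_CONFIDENTIAL)
        if name in CONFIDENTIAL_ATTRS and not confidential:
            findings.append((name, "confidential bit (128) not set"))
        if name in GUID_ATTRS:
            if confidential:
                findings.append((name, "confidential bit (128) set on a GUID attribute"))
            if rec.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() != "TRUE":
                findings.append((name, "not in the global catalog (isMemberOfPartialAttributeSet)"))
            if not flags & SEARCHFLAGS_CONTAINER_INDEX:
                findings.append((name, "per-container index (bit 2) not set"))
        if "rangeUpper" not in rec:
            findings.append((name, "rangeUpper not set; value size is unbounded"))
    return findings


if __name__ == "__main__":
    for attr, finding in audit_schema_attributes(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (attr, finding))
```

Running the audit over the real extension file before importing it gives the same review step 4 of the schema procedure asks for, in a form that can be repeated after the import by exporting the schema attributes with ldifde and feeding the result back in.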

Extend the schema
The following procedure extends the schema to allow information to be saved in Active
Directory.
If you have installed a domain controller running Windows Server "Longhorn" Beta 3 or
later, doing so has automatically performed the required extensions to the schema, and
you do not need to complete this procedure.
If you have installed a domain controller running Windows Server "Longhorn" Beta 2, you
must upgrade the schema to sch39 or later, or complete the following procedure.

To extend the Active Directory schema with BitLocker and TPM attributes
1. Log on with a domain account in the Schema Admins group. This account
must be used to extend the schema.
By default, the built-in Administrator account in the forest root domain is part of
the Schema Admins group. For more information, see the section "Granting
access rights to make schema changes" in "How the Active Directory Schema
Works" (http://go.microsoft.com/fwlink/?LinkID=79649).
2. Check that your Windows Server installation enables schema updates.
In Windows Server 2003, Active Directory schema updates are enabled by
default. For more information, including the steps required to enable schema
updates, see article 285172 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=79644).
3. Check that you have access to the domain controller that is the schema
operations master in the Active Directory forest. Schema updates can only be
performed at the schema operations master.
4. Review BitLockerTPMSchemaExtension.ldf, the LDIF file containing the
schema extension.
For background information about changes made by the schema extension, see
Background earlier in this document.
For reference information about schema extensions, see "How the Active
Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkId=79649).
5. Use the Ldifde command-line tool to extend the schema on the domain
controller that serves as the schema operations master. For example, to import
the schema extension on a domain named nttest.microsoft.com, log on as a user
in the Schema Admins group, and then type the following at a command prompt:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
Enter this command as one line. The trailing period (".") is part of the
command.
The -k switch suppresses "Object Already Exists" errors if portions of the
schema already exist. The -j . switch saves an extended log file to the current
working directory.

For more information about Ldifde parameters, see article 237677 in the Microsoft
Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79650). Sample output from
running this command is included in Appendix B: Sample Ldifde output later in this
document.

Set the required permissions for backing up TPM password information
The following procedure adds an access control entry (ACE) so that backing up TPM
recovery information is possible.
A Windows Vista client can back up BitLocker recovery information under the Computer
object’s default permission. However, a Windows Vista client cannot back up TPM owner
information unless this additional ACE is added.
Appendix C: Default Permissions for a Computer Object, later in this document,
describes the default Active Directory permissions on the Computer class object that
contains the BitLocker recovery information class and the TPM owner information
attribute.

To add an ACE to allow TPM recovery information to be backed up
1. Review Add-TPMSelfWriteACE.vbs, the sample script containing the
permission extension.
2. Type the following at a command prompt, and then press ENTER:
cscript Add-TPMSelfWriteACE.vbs

This script adds a single ACE to the top-level domain object. The ACE is an inheritable
permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation
attribute for Computer objects in the domain.
For additional reference information, see "Using Scripts to Manage Active Directory
Security" (http://go.microsoft.com/fwlink/?LinkId=79652).
The sample script provided operates under the following assumptions:
• You have domain administrator privileges to set permissions for the top-level
domain object.
• Your target domain is the same as the domain for the user account running the
script.
For example, running the script as TESTDOMAIN\admin will extend permissions for
TESTDOMAIN. You might need to modify the sample script if you want to set
permissions for multiple domains, but do not have domain administrator accounts for
each of those domains. Find the variable strPathToDomain in the script and modify it
for your target domain, for example:
"LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"
• Your domain is configured so that permissions inherit from the top-level domain
object to targeted Computer objects.
Permissions will not go into effect if any container in the hierarchy does not allow
inherited permissions from the parent. By default, inheritance of permissions is set by
Active Directory. If you are not sure whether your configuration differs from this
default, you can continue with the setup steps to set the permission. You can then
verify your configuration as described later in this document, or by clicking the
Effective Permissions button while viewing the properties of a Computer object to
check that SELF can write the ms-TPM-OwnerInformation attribute.

Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory
These instructions are for configuring the local policy on a Windows Vista client
computer. In a production environment, you would likely edit a Group Policy object (GPO)
that applies to computers in the domain instead.
For more information about configuring Windows Vista GPO in the domain, see the
"Managing Group Policy ADMX Files Step by Step Guide"
(http://go.microsoft.com/fwlink/?LinkId=79653).

Note
We recommend that you keep the default options when you enable each Group
Policy setting. Be sure to read the Explain text before making any changes.

To enable the local policy settings to back up BitLocker and TPM recovery
information to Active Directory
1. Log on to the computer as an administrator.
2. Click Start, type the following in the Start Search box, and then press
ENTER:
gpedit.msc
3. To enable Group Policy settings to back up BitLocker recovery information to
Active Directory:
a. Open Computer Configuration, open Administrative Templates, open
Windows Components, and then open BitLocker Drive Encryption.
b. In the right pane, double-click Turn on BitLocker backup to Active
Directory.
c. Select the Enabled option.
d. Verify that the Require BitLocker backup to AD DS check box is
selected.
4. To enable the Group Policy setting to back up TPM recovery information to
Active Directory:
a. Open Computer Configuration, open Administrative Templates, open
System, and then open Trusted Platform Module Services.
b. In the right pane, double-click Turn on TPM backup to Active Directory.
c. Select the Enabled option.
d. Verify that the Require TPM backup to AD DS check box is selected.

Testing Your Active Directory Configuration
By joining the Windows Vista-based client computers to the domain that you just
configured and enabling BitLocker, you can test whether BitLocker and TPM recovery
information is backed up to Active Directory successfully.
All user interfaces and programming interfaces within BitLocker and TPM Management
features will adhere to your configured Group Policy settings. When these settings are
enabled, recovery information (such as recovery passwords) will be automatically backed
up to Active Directory whenever this information is created and changed.
If you select the option to require backup, initializing the TPM or enabling BitLocker
through any method is blocked until the backup succeeds. In that case, no one will be
allowed to turn on BitLocker or initialize the TPM unless the domain controller is
configured correctly, the client computer has network connectivity to the domain
controller, and no other errors occur during the backup process.

Testing backup with Windows Vista
You should use a Windows Vista-based client computer to test backup.
BitLocker recovery information is backed up when you:
• Create a recovery password during BitLocker setup, using the wizard available
through the Control Panel.
• Create a recovery password after the disk has already been encrypted, using the
manage-bde.wsf command-line tool.
TPM recovery information is backed up when you:
• Set the TPM owner password during TPM initialization.
• Change the TPM owner password.

Sample test scenario with Windows Vista
This sample test scenario illustrates how to verify your Active Directory configuration
using Windows Vista. The included sample scripts you download assist in the test
process.

Important
You should perform additional tests as required to satisfy yourself that everything
is working correctly in your environment; do not assume that this scenario will
completely test all aspects of your configuration.
Test scenarios can also vary based on your organization's policies. For example, in
organizations where users are the Creator Owner of Computer objects they join to the
domain, it might be possible for these users to read the TPM owner information for their
own Computer objects.

To perform a sample test
1. Log on to a domain controller as a domain administrator.
2. Copy the sample script files to a suitable location.
3. Open a command prompt window and change the default location to the
location of the sample script files.
4. At the command prompt type the following:
cscript List-ACEs.vbs
Expected Output: Assuming the default Add-TPMSelfWriteACE.vbs was used
and other deprecated ACEs have been removed, there should be only one ACE
related to BitLocker and the TPM:
Accessing
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
5. Log on as a local administrator (non-domain administrator) on a
Windows Vista client joined to the domain.
6. Click Start, type the following in the Start Search box, and then press ENTER:
tpm.msc
7. Click either the Initialize TPM or Change Owner Password link.
8. Set an owner password, and select the option to back up the information by
printing or saving to a file as needed.
Expected Output: The action will succeed without an error message.
9. Using this same account, open an elevated command prompt window, and
then change to the folder in which you have saved a copy of the sample scripts
provided with this document.

Note
To open an elevated command prompt window, right-click a command
prompt shortcut, and then click Run as Administrator.
10. At the command prompt type the following:
cscript Get-TPMOwnerInfo.vbs
Expected Output: The error "Active Directory: The directory property cannot
be found in the cache." No information is displayed because a non-domain
administrator should not be able to read the ms-TPM-OwnerInformation attribute.

Note
If users are the Creator Owner of Computer objects they join to the
domain, it might be possible for these users to read the TPM owner
information for their own Computer objects.
11. Log on as a domain administrator on the same client computer.
12. Using this domain administrator account, open an elevated command prompt
window, and change to the directory in which you have saved a copy of the
sample scripts provided with this document.
13. At the command prompt type the following:
cscript Get-TPMOwnerInfo.vbs
Expected Output: A string that is the hash of the password you created earlier.
As a domain administrator, you should have Read access to the ms-TPM-OwnerInformation
attribute.
14. At the elevated command prompt, type the following to create a recovery
password:
manage-bde -protectors -add -RecoveryPassword C:
Expected Output: The action will succeed without an error message.
15. At the command prompt type the following to read all BitLocker child objects
of the client computer’s Active Directory object:
cscript Get-BitLockerRecoveryInfo.vbs
Expected Output: A domain administrator should see one or more recovery
passwords, including the one created in step 14. A non-domain administrator
will not be able to read these passwords.
16. Delete any created BitLocker recovery child objects using Active Directory
tools such as the Active Directory Users and Computers administrative tool. By
default, clients running Windows Vista do not have permissions to delete stale
BitLocker recovery passwords.
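As an added example that is not one of the sample scripts shipped with this document, the following Python parses the List-ACEs.vbs output shown in step 4 of the test (a constructed copy of it is embedded) and checks the ACE against what Add-TPMSelfWriteACE.vbs is described as adding: an inheritable allow ACE that grants SELF write-property access to ms-TPM-OwnerInformation on Computer objects, and nothing broader. The ADSI enumeration values and the computer class GUID are the standard Windows values; the ObjectType GUID is taken from the expected output above.

```python
# ADSI enumeration values (ADS_ACEFLAG_ENUM, ADS_ACETYPE_ENUM, ADS_FLAGTYPE_ENUM
# and ADS_RIGHTS_ENUM); standard Windows values.
ADS_ACEFLAG_INHERIT_ACE = 0x02
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x04
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x08
ADS_ACEFLAG_INHERITED_ACE = 0x10
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x01
ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x02
ADS_RIGHT_DS_WRITE_PROP = 0x20

ACEFLAG_NAMES = {
    ADS_ACEFLAG_INHERIT_ACE: "INHERIT_ACE",
    ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: "NO_PROPAGATE_INHERIT_ACE",
    ADS_ACEFLAG_INHERIT_ONLY_ACE: "INHERIT_ONLY_ACE",
    ADS_ACEFLAG_INHERITED_ACE: "INHERITED_ACE",
}

# schemaIDGUID of ms-TPM-OwnerInformation (from the expected output above) and
# of the computer class (standard value).
TPM_OWNER_INFO_ATTR_GUID = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
COMPUTER_CLASS_GUID = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

# Constructed copy of the expected List-ACEs.vbs output from step 4.
SAMPLE_LIST_ACES_OUTPUT = r"""Accessing
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
> ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
> InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
> Trustee: NT AUTHORITY\SELF
1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
"""

NUMERIC_FIELDS = {"AceFlags", "AceType", "Flags", "AccessMask"}


def parse_list_aces_output(text):
    """Turn the '> Field: value' lines into one dict per ACE.

    A new ACE starts whenever a field name repeats, so the order in which the
    script prints the fields does not matter.
    """
    aces, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(">"):
            continue
        key, _, value = line[1:].partition(":")
        key, value = key.strip(), value.strip()
        if key in current:
            aces.append(current)
            current = {}
        current[key] = int(value) if key in NUMERIC_FIELDS else value
    if current:
        aces.append(current)
    return aces


def decode_ace_flags(value):
    """Name the AceFlags bits, e.g. 10 -> ['INHERIT_ACE', 'INHERIT_ONLY_ACE']."""
    return [name for bit, name in sorted(ACEFLAG_NAMES.items()) if value & bit]


def check_tpm_self_write_ace(ace):
    """Return how an ACE differs from the expected SELF write ACE (empty = OK)."""
    problems = []
    if ace.get("AceType") != ADS_ACETYPE_ACCESS_ALLOWED_OBJECT:
        problems.append("not an object-specific allow ACE")
    if ace.get("Trustee", "").upper() != r"NT AUTHORITY\SELF":
        problems.append("trustee is not SELF")
    mask = ace.get("AccessMask", 0)
    if not mask & ADS_RIGHT_DS_WRITE_PROP:
        problems.append("write-property right missing")
    if mask & ~ADS_RIGHT_DS_WRITE_PROP:
        problems.append("grants more than write-property (mask %#x)" % mask)
    flags = ace.get("Flags", 0)
    if (not flags & ADS_FLAG_OBJECT_TYPE_PRESENT
            or ace.get("ObjectType", "").upper() != TPM_OWNER_INFO_ATTR_GUID):
        problems.append("not scoped to the ms-TPM-OwnerInformation attribute")
    if (not flags & ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
            or ace.get("InheritedObjectType", "").upper() != COMPUTER_CLASS_GUID):
        problems.append("not restricted to Computer objects")
    ace_flags = ace.get("AceFlags", 0)
    if not ace_flags & ADS_ACEFLAG_INHERIT_ACE:
        problems.append("not inheritable by child objects")
    if ace_flags & ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE:
        problems.append("NO_PROPAGATE set: only direct children inherit it")
    return problems


def audit_list_aces_output(text):
    """Return (number of ACEs found, problems with the single expected ACE)."""
    aces = parse_list_aces_output(text)
    if len(aces) != 1:
        return len(aces), ["expected exactly one BitLocker/TPM-related ACE"]
    return 1, check_tpm_self_write_ace(aces[0])


if __name__ == "__main__":
    count, problems = audit_list_aces_output(SAMPLE_LIST_ACES_OUTPUT)
    print(count, "ACE(s);", problems or "matches the expected SELF write ACE")
```

AceFlags 10 decodes to INHERIT_ACE plus INHERIT_ONLY_ACE, meaning the entry applies to inheriting child objects only and not to the domain object itself; AccessMask 32 is exactly ADS_RIGHT_DS_WRITE_PROP, so any larger mask (for example one that also grants read-property) is reported, since that would let every computer read the attribute on other computers.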

Troubleshooting Common Problems
The following section discusses some common potential problems and their solutions.

Access permission problems
If you are able to read backed up BitLocker and TPM recovery information using a
non-domain administrator account, check that you are running supported installations of
Windows Server on all the domain controllers in your network.

Important
Domain controllers running Windows 2000 Server or the initial release of
Windows Server 2003 are not supported for backing up BitLocker and TPM
recovery information.

Script errors
You might receive an error when you run a script. The following sections explain the
causes of and solutions for the most frequent script errors.

Get-TPMOwnerInfo.vbs
When running Get-TPMOwnerInfo.vbs, if an error appears stating "Active Directory: The
directory property cannot be found in the cache," you do not have permission to read the
TPM owner information attribute object in Active Directory.

General
If an error appears stating "The specified domain either does not exist or could not be
contacted," ensure that the computer is joined to the domain and that network
connectivity is available.
If an error appears stating "There is no such object on the server," check that any
computer specified by name on the command line is currently connected to the network.
Errors are accompanied by the line number in which the error occurred. Consult the script
source code to assist in troubleshooting the issue.

Questions and Answers
This section includes related questions that the BitLocker team has fielded since the first
release of this document.

Is this schema part of Windows Server "Longhorn"?

Yes, the schema is part of Windows Server "Longhorn". Windows Server "Longhorn" Beta 2
contains the objects that will allow backup of all BitLocker and TPM recovery information
in pre-release versions of Windows Vista. The schema update for the released version of
Windows Vista matches the changes planned for Windows Server "Longhorn" Beta 3.

Can I apply the schema update to a Windows Server 2003-based domain controller?

Microsoft supports BitLocker schema extensions only on Windows Server 2003 with SP1
and later and in Windows Server "Longhorn". The first release of Windows Server 2003
does not include the confidential flag feature that appropriately locks down access to
backed up recovery information.

Is this schema supported by Microsoft for production use?

Yes, this schema is supported through your normal support channels. For more
information about Microsoft support options, see http://go.microsoft.com/fwlink/?LinkID=76619.

Is there an event log entry recorded on the client to indicate the success or failure of the Active Directory backup?

An event log entry that indicates the success or failure of an Active Directory backup is
recorded on the client.
However, this log entry is only useful to an extent. Even though an event log entry says
"Success," the information could have been subsequently removed from Active Directory,
or BitLocker could have been reconfigured in such a way that the Active Directory
information can no longer unlock the drive (such as by removing the recovery password
key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in Active Directory requires
querying Active Directory with domain administrator credentials.
What if BitLocker is enabled on a computer before the computer has joined the domain?

You might wonder what happens if BitLocker is enabled on a computer before Group
Policy has been applied to enforce backup. Will the recovery information automatically be
backed up to Active Directory when the computer joins the domain or when Group Policy
is subsequently applied?
This functionality is not available in Windows Vista. Generally, joining a computer to the
domain is the first step for new computers within an enterprise.
The BitLocker Windows Management Instrumentation (WMI) interface allows
administrators to write a script to back up or synchronize an online client's existing
recovery passwords. An administrative account can list the recovery passwords of an
unlocked volume by using the GetKeyProtectorNumericalPassword method of the
BitLocker WMI interface or the "-protectors -get" parameters of the BitLocker command-
line tool (manage-bde.wsf).
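The following Windows PowerShell script is an added example; it is not part of this guide or of the BitLocker tool set. It uses the Win32_EncryptableVolume WMI class described above: GetKeyProtectors with key protector type 3 (numerical password) lists the recovery passwords of each unlocked volume, and BackupRecoveryInformationToActiveDirectory writes each one to the computer's Active Directory object. It then reads the msFVE-RecoveryInformation child objects of the computer account, so the backup is confirmed in Active Directory rather than from the client event log, which the previous question explains cannot be relied on. Assumptions: Windows PowerShell (Get-WmiObject) on an elevated, domain-joined Windows Vista client, and domain administrator credentials for the verification step; the function names are the example's own.

```powershell
# Added example, not part of the Microsoft guide. Backs up numerical-password
# protectors with the BitLocker WMI interface and verifies the result in AD DS.
# Assumptions: Windows PowerShell on a domain-joined Windows Vista client, run
# elevated; Test-RecoveryBackup is run with an account that can read the
# msFVE-RecoveryInformation objects (domain administrator by default).

$BitLockerNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$NumericalPasswordProtector = 3   # KeyProtectorType value for a recovery (numerical) password

# For every encryptable volume, ask BitLocker to write each numerical-password
# protector to the computer's AD DS object. ReturnValue 0 is success; a non-zero
# value is an HRESULT (for example, when no domain controller is reachable).
function Backup-LocalRecoveryPasswords {
    $results = @()
    $volumes = Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        $protectors = $vol.GetKeyProtectors($NumericalPasswordProtector)
        if ($protectors.ReturnValue -ne 0) { continue }   # e.g. the volume is locked
        foreach ($id in @($protectors.VolumeKeyProtectorID)) {
            if (-not $id) { continue }                      # volume has no recovery password
            $backup = $vol.BackupRecoveryInformationToActiveDirectory($id)
            $results += [pscustomobject]@{
                Drive       = $vol.DriveLetter
                ProtectorID = $id
                ReturnValue = $backup.ReturnValue
            }
        }
    }
    return $results
}

# Read the msFVE-RecoveryInformation children of the computer account. Only the
# recovery GUID is read; the recovery password itself is never pulled back.
function Get-ADRecoveryObjects {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $find = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $find.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $find.FindOne()
    if ($null -eq $computer) { throw "Computer account '$ComputerName' not found in AD DS" }

    $children = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $children.SearchScope = 'OneLevel'
    $children.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$children.PropertiesToLoad.AddRange(@('msFVE-RecoveryGuid', 'whenCreated', 'distinguishedName'))
    foreach ($obj in $children.FindAll()) {
        [pscustomobject]@{
            RecoveryGuid = [guid][byte[]]$obj.Properties['msfve-recoveryguid'][0]   # octet string -> GUID
            WhenCreated  = $obj.Properties['whencreated'][0]
            DN           = [string]$obj.Properties['distinguishedname'][0]
        }
    }
}

# Compare what the client reports it backed up with what is actually readable in
# AD DS. The protector ID reported by WMI is the same GUID stored in msFVE-RecoveryGuid.
function Test-RecoveryBackup {
    $backedUp = Backup-LocalRecoveryPasswords
    $inAD = @(Get-ADRecoveryObjects | ForEach-Object { $_.RecoveryGuid })
    foreach ($p in $backedUp) {
        [pscustomobject]@{
            Drive        = $p.Drive
            ProtectorID  = $p.ProtectorID
            BackupResult = $p.ReturnValue
            FoundInADDS  = ($inAD -contains [guid]$p.ProtectorID)
        }
    }
}

Test-RecoveryBackup | Format-Table -AutoSize
```

A row with BackupResult 0 but FoundInADDS False means the write succeeded at the time but the object is no longer there (for example, it was deleted as stale, as in step 16 above), which is exactly the case the event log entry cannot reveal.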

What happens if the backup initially fails? Will BitLocker retry?

If the backup initially fails, such as when a domain controller is unreachable at the time
when the BitLocker setup wizard is run, BitLocker does not try repeatedly to back up the
recovery information to Active Directory.
When an administrator selects the Require BitLocker backup to AD DS check box or
the Require TPM backup to AD DS check box, if the backup fails, BitLocker cannot be
enabled.
When an administrator clears these check boxes, the administrator is allowing a volume
to be BitLocker-encrypted without having the recovery information successfully backed
up to Active Directory; however, BitLocker will not automatically retry. Instead,
administrators can script a backup, as described in the previous question, to capture the
information after connectivity is restored.

Does BitLocker encrypt recovery information as it is sent to Active Directory?

Yes, the transmission of recovery information from a Windows Vista client to Active
Directory is protected by using Kerberos. Specifically, the connection uses the
authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and
ADS_USE_SIGNING.
For more information about Active Directory authentication flags, see
http://go.microsoft.com/fwlink/?LinkId=79643.

Note
Once recovery information is transmitted, Active Directory does not store the
BitLocker and TPM recovery information in an encrypted format. However,
access control permissions are set so that only domain administrators or
appropriate delegates can read the stored information when the server is online.
Enterprises concerned about offline attacks on branch office servers should
consider enabling BitLocker on those servers, once they are upgraded to
Windows Server "Longhorn".

Appendix A: Checking BitLocker and TPM Schema Objects

To enable the backup of BitLocker and TPM recovery information in Active Directory, a
total of six schema objects are created in the Active Directory schema.
You can use the following procedure to verify whether these objects exist in your Active
Directory installation.

To examine and verify BitLocker and TPM schema objects

1. Log on to the domain controller with an account in the Domain Admins group.
2. Open the ADSI Edit snap-in. Click Start, click Run, type adsiedit.msc, and
then click OK.

Note
This snap-in is in Windows Support Tools. To download the Windows
Support Tools for Windows Server 2003 with Service Pack 1, see
http://go.microsoft.com/fwlink/?LinkID=70775.
3. Open the Schema container, and then open the folder containing available
schema objects (see the following figure).
4. Find by name the following schema objects:
• CN=ms-FVE-KeyPackage – attributeSchema object
• CN=ms-FVE-RecoveryGuid – attributeSchema object
• CN=ms-FVE-RecoveryInformation – classSchema object
• CN=ms-FVE-RecoveryPassword – attributeSchema object
• CN=ms-FVE-VolumeGuid – attributeSchema object
• CN=ms-TPM-OwnerInformation – attributeSchema object

The following screen image represents a typical search for schema objects:
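As an added example (not part of this guide), the following Windows PowerShell script performs the same check without the ADSI Edit snap-in and goes one step further: it reads searchFlags on each attribute and confirms that the confidential bit (0x80) is set on msTPM-OwnerInformation, msFVE-RecoveryPassword and msFVE-KeyPackage, because that bit is what limits reads to domain administrators and their delegates. The expected searchFlags values (152 and 27) are those in Appendix D after the RC1 updates; it also checks that the ms-FVE-RecoveryInformation and computer classes can hold the new attributes. Assumptions: Windows PowerShell on a domain-joined computer; the function names are the example's own.

```powershell
# Added example, not part of the Microsoft guide. Verifies the six schema objects
# created by BitLockerTPMSchemaExtension.ldf and checks that the secret-bearing
# attributes carry the confidential bit of searchFlags (0x80), which restricts
# reads to domain administrators and accounts they delegate to.
# Assumption: Windows PowerShell on a domain-joined computer; the schema
# partition is readable by any authenticated user, so no special rights are needed.

$CONFIDENTIAL = 0x80   # searchFlags bit: attribute is confidential

# Expected end state after the complete (RC1) schema extension in Appendix D.
# 152 = confidential (128) + copy on duplicate (16) + preserve on tombstone (8)
# 27  = copy (16) + tombstone (8) + container index (2) + index (1): not confidential
$ExpectedSchema = @(
    @{ Name = 'msTPM-OwnerInformation';    Class = 'attributeSchema'; SearchFlags = 152 },
    @{ Name = 'msFVE-RecoveryGuid';        Class = 'attributeSchema'; SearchFlags = 27  },
    @{ Name = 'msFVE-RecoveryPassword';    Class = 'attributeSchema'; SearchFlags = 152 },
    @{ Name = 'msFVE-VolumeGuid';          Class = 'attributeSchema'; SearchFlags = 27  },
    @{ Name = 'msFVE-KeyPackage';          Class = 'attributeSchema'; SearchFlags = 152 },
    @{ Name = 'msFVE-RecoveryInformation'; Class = 'classSchema';     SearchFlags = $null }
)

# Which classes must be able to carry the new attributes (from the LDF in Appendix D).
$ExpectedContainment = @(
    @{ Class = 'ms-FVE-RecoveryInformation'; Attribute = 'systemMustContain'; Expect = @('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword') },
    @{ Class = 'ms-FVE-RecoveryInformation'; Attribute = 'mayContain';        Expect = @('msFVE-VolumeGuid', 'msFVE-KeyPackage') },
    @{ Class = 'computer';                   Attribute = 'mayContain';        Expect = @('msTPM-OwnerInformation') }
)

function Test-BitLockerSchemaObjects {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    [void]$searcher.PropertiesToLoad.AddRange(@('objectClass', 'searchFlags'))

    foreach ($e in $ExpectedSchema) {
        $searcher.Filter = "(lDAPDisplayName=$($e.Name))"
        $r = $searcher.FindOne()
        if ($null -eq $r) {
            [pscustomobject]@{ Name = $e.Name; Exists = $false; Class = $null; SearchFlags = $null; Confidential = $null; Ok = $false }
            continue
        }
        $flags = $null
        if ($r.Properties.Contains('searchflags')) { $flags = [int]$r.Properties['searchflags'][0] }
        $confidential = $null
        if ($null -ne $flags) { $confidential = (($flags -band $CONFIDENTIAL) -ne 0) }
        $ok = (@($r.Properties['objectclass']) -contains $e.Class) -and
              (($null -eq $e.SearchFlags) -or ($flags -eq $e.SearchFlags))
        [pscustomobject]@{ Name = $e.Name; Exists = $true; Class = $e.Class; SearchFlags = $flags; Confidential = $confidential; Ok = $ok }
    }
}

function Test-BitLockerSchemaContainment {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDN = "$($rootDse.schemaNamingContext)"
    foreach ($c in $ExpectedContainment) {
        try {
            $classObj = [ADSI]"LDAP://CN=$($c.Class),$schemaDN"
            $present  = @($classObj.Properties[$c.Attribute] | ForEach-Object { "$_" })
            $missing  = @($c.Expect | Where-Object { $present -notcontains $_ })
            [pscustomobject]@{ Class = $c.Class; Attribute = $c.Attribute; Missing = ($missing -join ', '); Ok = ($missing.Count -eq 0) }
        } catch {
            [pscustomobject]@{ Class = $c.Class; Attribute = $c.Attribute; Missing = 'class object not found'; Ok = $false }
        }
    }
}

Test-BitLockerSchemaObjects     | Format-Table -AutoSize
Test-BitLockerSchemaContainment | Format-Table -AutoSize
```

If an attribute exists but shows Confidential False, the domain controllers either predate the confidential-attribute feature (see Troubleshooting) or the RC1 searchFlags updates at the end of the LDF were not applied; in both cases any authenticated user with read access to the computer object could read the stored value.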

Appendix B: Sample Ldifde output

The following sample represents typical output from running the BitLocker and TPM
Schema extension command of the Ldifde tool and BitLockerTPMSchemaExtension.ldf.

Note
Your on-screen display might differ due to line wrapping required to display or
print this output.

Sample Output
D:\ad>ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com" -k -j .

Connecting to "x-hp-test-serve.black.nttest.corp.microsoft.com"

Logging in as current user using SSPI

Importing directory from file "RC1BitLockerTPMSchemaExtension.ldf"

Loading entries
1: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

2: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

3: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

4: (null)

Entry modified successfully.

5: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

6: CN=computer,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

7: (null)

Entry modified successfully.

8: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

9: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

10: (null)

Entry modified successfully.

11: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

12: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

13: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

14: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

15: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

16: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

17: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

18: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

19: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

20: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com

Entry modified successfully.

20 entries modified successfully.

The command has completed successfully

Appendix C: Default Permissions for a Computer Object

The default permissions for an Active Directory Computer object in Windows Server 2003
are:
Account operators
• Full control
Domain administrators
• Full control
System
• Full control
Authenticated users
• Read, Read Account Restrictions, Read DNS Host Name Attributes, Read
Personal Information, Read Public Information
• Special: List contents, Read All Properties, Read Permissions
Creator owner
• Read, Allowed to authenticate, Change Password, Receive As, Reset Password,
Send As, Validated write to DNS host name, Validated write to service principal
name, Read Account Restrictions, Write Account Restrictions, Read DNS Host Name
Attributes, Read Personal Information, Read Public Information
• Special: List contents, Read All properties, Delete, Delete Subtree, Read
Permissions, All Extended rights, Allowed to authenticate, change password, receive
as, reset password, Send As
• Write Account Restrictions
• Validated Write to DNS host name
• Validated Write to service principal name
• Write computer name (pre-Windows 2000)
• Write description
Everyone
• Change password
Print operator
• Create/Delete printer objects
Self
• Create All Child Objects
• Delete All Child Objects
• Various other applicationVersion and property objects
• Validated write to service principal name
• Read/write personal information
• Validated write to DNS host name
Windows Authorization Access Group
• Read property (tokenGroupsGlobalAndUniversal)
Cert Publishers
• Read userCertificate
• Write userCertificate

Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
The following is the contents of the BitLockerTPMSchemaExtension.ldf file, which can be
used to extend the Active Directory schema from Windows Server 2003 with SP1 to
support backing up recovery information for BitLocker and the TPM owner password in
Active Directory.
To use this file to extend the schema, you should be familiar with the Ldifde command,
which must be run on the domain controller holding the schema operations master role
for the forest.
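The following Windows PowerShell script is an added example, not part of this guide, and serves as a pre-flight check before running Ldifde with this file. It reports which domain controller holds the schema operations master role (the command must be run there), lists each domain controller in the local domain whose operating system the Troubleshooting section flags as unsupported (Windows 2000 Server, or Windows Server 2003 without a service pack, both of which lack confidential attributes), and builds the exact Ldifde command line with DC=X replaced by the forest root domain DN, since that is where CN=Schema,CN=Configuration lives. Assumptions: Windows PowerShell on a domain-joined computer; the function names and the file name default are the example's own.

```powershell
# Added example, not part of the Microsoft guide. Pre-flight checks for running
# ldifde with BitLockerTPMSchemaExtension.ldf. Assumes Windows PowerShell on a
# domain-joined computer; function names are the example's own.

function Get-SchemaMaster {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return $forest.SchemaRoleOwner.Name   # DNS name of the DC holding the schema master role
}

# Returns $true when the operatingSystem / operatingSystemServicePack values from a
# domain controller's computer object describe a release this guide supports.
function Test-SupportedDcOs {
    param([string]$OperatingSystem, [string]$ServicePack)
    if ($OperatingSystem -like 'Windows 2000*') { return $false }
    if ($OperatingSystem -like 'Windows Server 2003*' -and [string]::IsNullOrEmpty($ServicePack)) {
        return $false   # initial release of Windows Server 2003, no confidential flag support
    }
    return $true
}

# First value of a search-result property, or '' when the attribute is not set.
function Get-FirstValue($result, [string]$name) {
    if ($result.Properties.Contains($name) -and $result.Properties[$name].Count -gt 0) {
        return [string]$result.Properties[$name][0]
    }
    return ''
}

# Enumerate the domain controllers of the local domain from their computer objects.
function Get-DomainControllerSupport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks domain controller accounts;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter = '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange(@('dNSHostName', 'operatingSystem', 'operatingSystemServicePack'))
    foreach ($dc in $searcher.FindAll()) {
        $os = Get-FirstValue $dc 'operatingsystem'
        $sp = Get-FirstValue $dc 'operatingsystemservicepack'
        [pscustomobject]@{
            Host        = Get-FirstValue $dc 'dnshostname'
            OS          = $os
            ServicePack = $sp
            Supported   = Test-SupportedDcOs -OperatingSystem $os -ServicePack $sp
        }
    }
}

# The LDF addresses the schema as CN=Schema,CN=Configuration,DC=X, so DC=X must be
# replaced with the forest root domain DN (rootDomainNamingContext), which in a
# multi-domain forest is not necessarily the DN of the local domain.
function Get-LdifdeCommand {
    param([string]$LdfPath = 'BitLockerTPMSchemaExtension.ldf')
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $forestRoot = "$($rootDse.rootDomainNamingContext)"
    return "ldifde -i -v -f $LdfPath -c `"DC=X`" `"$forestRoot`" -k -j ."
}

"Schema master (run ldifde here): " + (Get-SchemaMaster)
Get-DomainControllerSupport | Format-Table -AutoSize
"Command: " + (Get-LdifdeCommand)
```

Any domain controller listed with Supported False should be upgraded or retired before the extension is imported; otherwise the confidential flag in the LDF has no effect on that server, and the recovery passwords it serves are readable by anyone with read access to the computer object.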

Note
To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.

File contents
Note
Some lines might appear split into multiple lines for display or printing.
#=====================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
#
# Change History:
# 11/2005 - Schema additions for Vista Beta 2 (matches "Longhorn" Server Beta 2)
# 5/2006 - Schema additions and updates for Vista RC1 (matches "Longhorn" Server Beta 3)
#
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename "Longhorn".
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#
#=====================================================================

#=====================================================================
# [Vista Beta 2 and up] TPM Recovery Information - Attributes
#=====================================================================

#
# ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE

#======================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information - Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#=====================================================================

#
# ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE

#
# ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE

#=====================================================================
# [Vista Beta 2 and up] Attributes - Schema Update
#======================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information - Class
#=====================================================================

#
# ms-FVE-RecoveryInformation
#
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X

#=====================================================================
# [Vista Beta 2 and up] Classes - Schema Update
#=====================================================================

dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista RC1 and up] Bitlocker Recovery Information - Additional Attributes
#=====================================================================

#
# ms-FVE-VolumeGuid
#
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128

#
# ms-FVE-KeyPackage
#
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400

#=====================================================================
# [Vista RC1 and up] Additional Attributes - Schema Update
#=====================================================================

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#=====================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#======================================================================

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage
-

#=====================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#=====================================================================

#
# Updates to ms-TPM-OwnerInformation
#

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

#
# Updates to ms-FVE-RecoveryGuid
#

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

#
# Updates to ms-FVE-RecoveryPassword
#

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256
-

#
# Reload the schema cache to pick up updated attributes
#

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Appendix E: Add-TPMSelfWriteACE.vbs File Contents
The following is the contents of the Add-TPMSelfWriteACE.vbs file, which can be used to
add the required access control entry to allow Windows Vista clients to back up the TPM
owner password recovery information in Active Directory.

Note
To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.

File contents
'===============================================================================
'
' This script demonstrates the addition of an Access Control Entry (ACE)
' to allow computers to write Trusted Platform Module (TPM)
' recovery information to Active Directory.
'
' This script creates a SELF ACE on the top-level domain object, and
' assumes that inheritance of ACLs from the top-level domain object to
' down-level computer objects is enabled.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: August 2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration


Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration


Const ADS_ACEFLAG_INHERIT_ACE = &H2 'ACE can be inherited to child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration


Const ADS_RIGHT_DS_WRITE_PROP = &H20 'The right to write object properties
Const ADS_RIGHT_DS_CREATE_CHILD = &H1 'The right to create child objects

'- From the ADS_FLAGTYPE_ENUM enumeration


Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute


SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- ms-FVE-RecoveryInformation object


SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

'- Computer object


SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow write of TPM owner information
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE


objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = "SELF"
objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER

' --------------------------------------------------------------------------------
' NOTE: By default, the "SELF" computer account can create
' BitLocker recovery information objects and write BitLocker recovery properties
'
' No additional ACE's are needed.
' --------------------------------------------------------------------------------

' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")


strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")


Set objDacl = objDescriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo

WScript.Echo "SUCCESS!"

Appendix F: Sample Test Scripts

The following are the contents of three sample test scripts that can be used to help verify
your Active Directory configuration to support backing up recovery information for
BitLocker and the TPM owner password to Active Directory.
• List-ACEs.vbs
• Get-TPMOwnerInfo.vbs
• Get-BitLockerRecoveryInfo.vbs
You can get usage information for each script by running the script with the -? parameter.

Note
To download these files, see http://go.microsoft.com/fwlink/?LinkId=78953.

List-ACEs.vbs
This script lists or removes the access control entries (ACEs) configured on BitLocker
and TPM schema objects for the top-level domain. You can use this script to ensure that
the expected ACEs have been added appropriately or to remove any ACEs related to
BitLocker or the TPM.

Note
On a completed configuration without any delegation of permissions, there
should be only one ACE related to the TPM.

File contents
'===============================================================================
'
' This script lists the access control entries (ACE's) configured on
' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects
' for the top-level domain.
'
' Use this script to check that the correct permissions have been set.
' Also use this script to remove TPM and BitLocker ACE's from the top-level domain.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: 1/30/2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
Wscript.Echo "USAGE: List-ACEs"
Wscript.Echo "List access permissions for BitLocker and TPM schema objects"
Wscript.Echo ""
Wscript.Echo "USAGE: List-ACEs -remove"
Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects"
WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count

Case 0
' do nothing - checks for ACE's
removeACE = False

Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
If UCase(args(0)) = "-REMOVE" Then
removeACE = True
End If
End If

Case Else
ShowUsage

End Select

' --------------------------------------------------------------------------------
' Configuration of the filter to show/remove only ACE's for BDE and TPM objects
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute


SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- ms-FVE-RecoveryInformation object


SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

' Use this filter to list/remove only ACEs related to TPM and BitLocker

aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)

' Note to script source reader:


' Uncomment the following line to turn off the filter and list all ACEs
'aceGuidFilter = Array()

' --------------------------------------------------------------------------------
' Helper functions related to the list filter for listing or removing ACE's
' --------------------------------------------------------------------------------

Function IsFilterActive()

If Join(aceGuidFilter) = "" Then


IsFilterActive = False
Else
IsFilterActive = True
End If

End Function

Function isAceWithinFilter(ace)

isAceWithinFilter = False ' assume first that the ACE does not pass the filter

For Each guid In aceGuidFilter

If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then


isAceWithinFilter = True
End If
Next

End Function

Sub displayFilter
For Each guid In aceGuidFilter
WScript.echo guid
Next
End Sub

' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")


strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com

Set domain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + domain.Get("distinguishedName")


WScript.Echo ""

Set descriptor = domain.Get("ntSecurityDescriptor")


Set dacl = descriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Show Access Control Entries (ACE's)
' --------------------------------------------------------------------------------

' Loop through the existing ACEs, including all ACEs if the filter is not active

i = 1 ' global index
c = 0 ' found count - relevant if filter is active

For Each ace In dacl

If IsFilterActive() = False or isAceWithinFilter(ace) = True Then

' note to script source reader:
' echo i to show the index of the ACE

WScript.echo "> AceFlags: " & ace.AceFlags
WScript.echo "> AceType: " & ace.AceType
WScript.echo "> Flags: " & ace.Flags
WScript.echo "> AccessMask: " & ace.AccessMask
WScript.echo "> ObjectType: " & ace.ObjectType
WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType
WScript.echo "> Trustee: " & ace.Trustee
WScript.echo ""

if IsFilterActive() = True Then

c = c + 1

' optionally include this ACE in removal list if configured
' note that the filter being active is a requirement since we don't
' want to accidentally remove all ACEs

If removeACE = True Then
dacl.RemoveAce ace
End If

end if

End If

i = i + 1

Next

' Display number of ACEs found

If IsFilterActive() = True Then

WScript.echo c & " ACE(s) found in " & domain.Get("distinguishedName") _
& " related to BitLocker and TPM"
' note to script source reader: change this line if you configure your own filter

' note to script source reader:
' uncomment the following lines if you configure your own filter
'WScript.echo ""
'WScript.echo "The following filter was active: "
'displayFilter
'Wscript.echo ""

Else

i = i - 1
WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName")

End If

' --------------------------------------------------------------------------------
' Optionally remove ACE's on a filtered list
' --------------------------------------------------------------------------------

if removeACE = True and IsFilterActive() = True then

descriptor.DiscretionaryAcl = dacl
domain.Put "ntSecurityDescriptor", Array(descriptor)
domain.setInfo

WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName")

else

if removeACE = True then

WScript.echo "You must specify a filter to remove ACEs from " & _
domain.Get("distinguishedName")

end if

end if

Get-TPMOwnerInfo.vbs
This script demonstrates the retrieval of TPM recovery information from Active Directory
for a particular computer. You can use this script to test that only domain administrators
(or delegated roles) can read backed up TPM recovery information, and that the
information is being backed up correctly.

File contents
'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'=================================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count

Case 0
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName

Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strComputerName = args(0)
End If

Case Else
ShowUsage

End Select

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone

Set objRootLDAP = GetObject("LDAP://rootDSE")
namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

strBase = "<GC://" & namingContext & ">"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False

' Enumerate all objects found.

Set objRecordSet = objCommand.Execute

If objRecordSet.EOF Then
WScript.echo "The computer name '" & strComputerName & "' cannot be found."
WScript.Quit 1
End If

' Found object matching name

Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop

' Clean up.

Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")

strPath = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPath

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80

Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------

strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation

Get-BitLockerRecoveryInfo.vbs
This script demonstrates the retrieval of all BitLocker recovery information from Active
Directory for a particular computer. You can use this script to ensure that only domain
administrators (or delegated roles) can read the BitLocker recovery information backed
up in Active Directory and that it has been backed up correctly.

File contents
'===============================================================================
'
' This script demonstrates the retrieval of BitLocker Drive Encryption (BDE)
' recovery information from Active Directory for a particular computer.
'
' It returns all recovery passwords and associated GUIDs for a particular
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Added ConvertOctetGuidToHexString to remove dependency to ADs.DLL
' and converted GUID to correct byte order before printing.
' - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
Wscript.Echo "USAGE: Get-BitLockerRecoveryInfo [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count

Case 0
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName

Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strComputerName = args(0)
End If

Case Else
ShowUsage

End Select

' --------------------------------------------------------------------------------
' Helper function: Convert the octet GUID string (byte array) to a hex string
' --------------------------------------------------------------------------------

'Reference: http://blogs.msdn.com/ericlippert/archive/2004/05/25/141525.aspx

Function HexByte(b)
HexByte = Right("0" & Hex(b), 2)
End Function

Function ConvertOctetGuidToHexString(ByteArray)
Dim Binary, S
Binary = CStr(ByteArray)

On Error Resume Next

S = "{"
S = S & HexByte(AscB(MidB(Binary, 4, 1)))
S = S & HexByte(AscB(MidB(Binary, 3, 1)))
S = S & HexByte(AscB(MidB(Binary, 2, 1)))
S = S & HexByte(AscB(MidB(Binary, 1, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 6, 1)))
S = S & HexByte(AscB(MidB(Binary, 5, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 8, 1)))
S = S & HexByte(AscB(MidB(Binary, 7, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 9, 1)))
S = S & HexByte(AscB(MidB(Binary, 10, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 11, 1)))
S = S & HexByte(AscB(MidB(Binary, 12, 1)))
S = S & HexByte(AscB(MidB(Binary, 13, 1)))
S = S & HexByte(AscB(MidB(Binary, 14, 1)))
S = S & HexByte(AscB(MidB(Binary, 15, 1)))
S = S & HexByte(AscB(MidB(Binary, 16, 1)))
S = S & "}"

On Error GoTo 0

ConvertOctetGuidToHexString = S
End Function

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone

Set objRootLDAP = GetObject("LDAP://rootDSE")
namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

strBase = "<GC://" & namingContext & ">"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False

' Enumerate all objects found.

Set objRecordSet = objCommand.Execute

If objRecordSet.EOF Then
WScript.echo "The computer name '" & strComputerName & "' cannot be found."
WScript.Quit 1
End If

' Found object matching name

Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop

' Clean up.

Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")

strPathToComputer = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPathToComputer

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80

' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get all the recovery information child objects of the computer object

Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

objFveInfos.Filter = Array("msFVE-RecoveryInformation")

' Iterate through each recovery information object

For Each objFveInfo in objFveInfos

strName = objFveInfo.Get("name")

strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
strRecoveryGuid = ConvertOctetGuidToHexString(strRecoveryGuidOctet)

strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")

WScript.echo
WScript.echo "name: " + strName
WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
WScript.echo "msFVE-RecoveryPassword: " + strRecoveryPassword

If len(strRecoveryGuid) <> 38 Then
WScript.echo "WARNING: '" & strRecoveryGuid & "' does not appear to be a valid GUID."
End If

Next

WScript.Quit
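As an added example that is not part of the Microsoft script, the GUID byte-order conversion and the 38-character validity check from Get-BitLockerRecoveryInfo.vbs, written in Python over constructed msFVE-RecoveryInformation records; the cross_check helper confirms the hand-rolled conversion against the standard library's little-endian GUID parsing. The octet string, object names and recovery password below are constructed placeholders, and looks_like_guid is a tightened version of the script's plain length test.

```python
import uuid

def hex_byte(b: int) -> str:
    """Two upper-case hex digits, like the VBScript HexByte()."""
    return f"{b:02X}"

def convert_octet_guid_to_hex_string(octet: bytes) -> str:
    """Mirror ConvertOctetGuidToHexString: Data1/Data2/Data3 are stored
    little-endian (reversed when printed), the last 8 bytes in stored order.
    A short value is not an error here; the caller checks the result length."""
    def field(lo: int, hi: int, reverse: bool) -> str:
        chunk = octet[lo:hi][::-1] if reverse else octet[lo:hi]
        return "".join(hex_byte(x) for x in chunk)
    return "{" + "-".join([field(0, 4, True), field(4, 6, True), field(6, 8, True),
                           field(8, 10, False), field(10, 16, False)]) + "}"

def looks_like_guid(s: str) -> bool:
    """The script checks len = 38; this also requires the {8-4-4-4-12} hex layout."""
    if len(s) != 38 or s[0] != "{" or s[-1] != "}":
        return False
    parts = s[1:-1].split("-")
    return [len(p) for p in parts] == [8, 4, 4, 4, 12] and all(
        c in "0123456789ABCDEF" for p in parts for c in p)

def cross_check(octet: bytes) -> bool:
    """Agree with the standard library's little-endian GUID parsing."""
    return convert_octet_guid_to_hex_string(octet) == \
        "{" + str(uuid.UUID(bytes_le=octet)).upper() + "}"

def report_recovery_info(records: list) -> list:
    """Emit the lines the VBScript echoes for each msFVE-RecoveryInformation
    child object, including the WARNING for a malformed GUID."""
    lines = []
    for rec in records:
        guid = convert_octet_guid_to_hex_string(rec["msFVE-RecoveryGuid"])
        lines += ["", "name: " + rec["name"], "msFVE-RecoveryGuid: " + guid,
                  "msFVE-RecoveryPassword: " + rec["msFVE-RecoveryPassword"]]
        if not looks_like_guid(guid):
            lines.append("WARNING: '" + guid + "' does not appear to be a valid GUID.")
    return lines

# Constructed sample records (placeholder values, not real recovery material).
SAMPLE_OCTET = bytes.fromhex("3A2B1C0D5E4F7A6B89ABCDEF01234567")
FAKE_PASSWORD = "000000-000000-000000-000000-000000-000000-000000-000000"
SAMPLE_RECORDS = [
    {"name": "sample-object-1", "msFVE-RecoveryGuid": SAMPLE_OCTET,
     "msFVE-RecoveryPassword": FAKE_PASSWORD},
    {"name": "sample-object-truncated", "msFVE-RecoveryGuid": SAMPLE_OCTET[:10],
     "msFVE-RecoveryPassword": FAKE_PASSWORD},  # triggers the WARNING path
]
```

Calling report_recovery_info(SAMPLE_RECORDS) renders the first record as {0D1C2B3A-4F5E-6B7A-89AB-CDEF01234567} and flags the truncated one, which is the same behaviour the VBScript loop shows on a damaged attribute.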
