For Casper Secure Tech Edition to unlock BitLocker volumes using AD DS, the user must have access to the ms-FVE-RecoveryInformation objects within AD where the BitLocker recovery password(s) are stored. Domain Administrators have access to ms-FVE-RecoveryInformation objects by default; other users must be delegated access.
Domain administrators can delegate access to the ms-FVE-RecoveryInformation objects within AD as follows:
Create a new Security Group in AD (e.g., "BitLocker Admins")
- Start Active Directory Users and Computers
- Right-click Users and select New -> Group
- Enter the desired group name (e.g., "BitLocker Admins") and select Security for the group type.
  - Group name: BitLocker Admins
  - Group scope: Global
  - Group type: Security
Grant control access and read property permissions to the new Security Group ("BitLocker Admins")
- Download DelegateBitLockerRecovery.zip and extract the DelegateBitLockerRecovery.vbs script
- Edit the DelegateBitLockerRecovery.vbs script and change strGroupName to the group created above (e.g., strGroupName="DOMAIN\BitLocker Admins")
- Open a command prompt as administrator and run the DelegateBitLockerRecovery.vbs script:
  cscript DelegateBitLockerRecovery.vbs
- Start WmiMgmt (wmimgmt.msc)
- Connect to the remote computer that represents the Primary Domain Controller for the domain (e.g., "DC1")
- Right-click on WMI Control and select Properties to open the WMI Control (DC1) Properties dialog.
- On the Security tab, navigate to and select the Root\directory\LDAP node
- Click Security
- Click Add
- Type the name of the group created above (e.g., "BitLocker Admins") and click OK
- Under the Allow column, check Execute Methods, Enable Account, and Remote Enable
- Click OK to apply the new permissions and close the Security for ROOT\directory\LDAP dialog
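The delegation performed by the script above can also be done with the ActiveDirectory PowerShell module. The following is an added example, not the Casper or Future Systems script; it assumes the "BitLocker Admins" group already exists, that it runs as a domain administrator on a machine with RSAT, and it scopes the grant to the msFVE-RecoveryPassword attribute on descendant msFVE-RecoveryInformation objects (the attribute is confidential, so both Read Property and Control Access are needed).

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module
# is available and the session is running as a domain administrator.
Import-Module ActiveDirectory

$groupName = 'BitLocker Admins'                      # group created earlier in the article
$domainDN  = (Get-ADDomain).DistinguishedName
$schemaNC  = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUIDs from the schema instead of hard-coding them, so the
# ACEs are object-specific and apply only to BitLocker recovery information.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$classGuid = Get-SchemaGuid 'msFVE-RecoveryInformation'   # object class the ACE inherits to
$attrGuid  = Get-SchemaGuid 'msFVE-RecoveryPassword'      # attribute being delegated

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$domainDN"

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Read Property on msFVE-RecoveryPassword, inherited by msFVE-RecoveryInformation objects.
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    $allow, $attrGuid, $inherit, $classGuid)

# Control Access on the same attribute: msFVE-RecoveryPassword is marked confidential
# in the schema, so Read Property alone does not return its value.
$controlAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $attrGuid, $inherit, $classGuid)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($controlAccessRule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verification: the two inherited ACEs for the group should now be present at the domain root.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

To confirm the delegation end to end, run `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryPassword` as a member of the group; the recovery password value is returned only when both ACEs are in effect.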
THIS ARTICLE APPLIES TO:
- Casper Secure Tech Edition