Abstract
Windows® BitLocker™ Drive Encryption (BitLocker) is a new feature in the
Windows Vista™ and Microsoft® Windows Server® Code Name "Longhorn" operating
systems that provides better offline data protection for your computer. This feature is
enhanced by the use of a Trusted Platform Module (TPM).
This guide includes requirements and procedures for configuring Active Directory® in
Microsoft Windows Server® 2003 to support the recovery of information protected by
BitLocker, with or without the use of a TPM.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2006 Microsoft Corporation. All rights reserved.
Active Directory, BitLocker, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows,
Windows NT, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information ... 1
Abstract ... 1
Contents ... 3
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information ... 5
Overview ... 5
Required files ... 6
Background ... 6
Storage of BitLocker recovery information in Active Directory ... 7
Storage of TPM recovery information in Active Directory ... 8
Configuring Active Directory ... 8
Check general prerequisites ... 8
Extend the schema ... 9
Set the required permissions for backing up TPM password information ... 11
Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory ... 12
Testing Your Active Directory Configuration ... 13
Testing backup with Windows Vista ... 13
Sample test scenario with Windows Vista ... 13
Troubleshooting Common Problems ... 16
Access permission problems ... 16
Script errors ... 16
Get-TPMOwnerInfo.vbs ... 16
General ... 16
Questions and Answers ... 17
Is this schema part of Windows Server "Longhorn"? ... 17
Can I apply the schema update to a Windows Server 2003-based domain controller? ... 17
Is this schema supported by Microsoft for production use? ... 17
Is there an event log entry recorded on the client to indicate the success or failure of the Active Directory backup? ... 17
What if BitLocker is enabled on a computer before the computer has joined the domain? ... 18
What happens if the backup initially fails? Will BitLocker retry? ... 18
Does BitLocker encrypt recovery information as it is sent to Active Directory? ... 18
Overview
This document describes how to configure Active Directory® to back up recovery
information for Windows® BitLocker™ Drive Encryption (BitLocker) and the Trusted
Platform Module (TPM). Recovery information includes the recovery password for each
BitLocker-enabled volume, the TPM owner password, and the information required to
identify which computers and volumes the recovery information applies to. Optionally, you
can also save a package containing the actual keys used to encrypt the data as well as
the recovery password required to access those keys.
Note
Active Directory is known as Active Directory Domain Services in Microsoft®
Windows Server® Code Name "Longhorn".
Backing up recovery passwords for a BitLocker-protected disk volume allows
administrators to recover the volume if it is locked. This ensures that encrypted data
belonging to the enterprise can always be accessed by authorized users.
Backing up the TPM owner information for a computer allows administrators to locally
and remotely configure the TPM security hardware on that computer. As an example, an
administrator might want to reset the TPM to factory defaults when decommissioning or
repurposing computers.
Important
You can save recovery information in Active Directory if your domain controllers
are running Microsoft® Windows Server® 2003 with Service Pack 1 (SP1),
Windows Server 2003 R2, or Windows Server "Longhorn". You cannot save
recovery information in Active Directory if the domain controller is running a
version of Windows Server earlier than Windows Server 2003 with SP1.
If you are testing a pre-release version of Windows Server "Longhorn", follow the same
process described for Windows Server 2003 with SP1 or later, with one exception: if you
have installed the Beta 3 release of Windows Server "Longhorn" or newer, you do not
need to update the schema as described later in this document.
Important
Perform these steps in a test or pre-production environment prior to rolling out to
production environments.
Required files
The following sample scripts and LDF file available from Microsoft are required to
configure Active Directory for backing up recovery information:
• Add-TPMSelfWriteACE.vbs
• BitLockerTPMSchemaExtension.ldf
• List-ACEs.vbs
• Get-TPMOwnerInfo.vbs
• Get-BitLockerRecoveryInfo.vbs
To download the files, see http://go.microsoft.com/fwlink/?LinkId=78953. The contents of
these files and other useful information are included in the following appendices:
• Appendix A: Checking BitLocker and TPM Schema Objects
• Appendix B: Sample Ldifde output
• Appendix C: Default Permissions for a Computer Object
• Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
• Appendix E: Add-TPMSelfWriteACE.vbs File Contents
• Appendix F: Sample Test Scripts
Note
If you tested a pre-release or beta version of Windows Vista, and configured your
Active Directory installation with earlier versions of the scripts or schema
extensions, you must ensure that you use the final, released versions of
these files. In addition, if you ran an earlier version of List-ACEs.vbs, you must
remove the previously added BitLocker-related access control entries (ACEs)
before proceeding.
Background
This section provides information about how BitLocker and TPM recovery information can
be backed up in Active Directory.
By default, no recovery information is backed up. Administrators can configure Group
Policy settings to enable backup of BitLocker or TPM recovery information. Before
configuring these settings, as a domain administrator you must ensure that the Active
Directory schema has been extended with the necessary storage locations and that
access permissions have been granted to perform the backup.
You should also configure Active Directory before configuring BitLocker on client
computers. If BitLocker is enabled first, recovery information for those computers will not
be added to Active Directory. For more information, see the section Questions and
Answers later in this document.
Important
If the General tab lists Windows Server 2003 but no service pack
information, you need to upgrade. For more information about upgrading to
Windows Server 2003 with SP1, see http://go.microsoft.com/fwlink/?LinkID=43106.
Important
The use of domain controllers running Windows Server 2000 or Windows
Server 2003 without SP1 to back up BitLocker or TPM recovery information
has not been tested and is not supported. Furthermore, these earlier
operating systems lack the Active Directory confidential flag feature used to
protect access to BitLocker and TPM recovery information.
The confidential flag is a feature available in Windows Server 2003 with SP1 and later.
With this feature, only domain administrators and appropriate delegates have Read
access to attributes marked with the confidential flag. The BitLocker and TPM schema
extension marks selected attributes as "confidential" using the "searchFlags" property.
For more information about this flag, see "How the Active Directory Schema Works" at .
BitLocker does not impose any requirements on domain or forest functional levels.
However, domain controllers running operating systems earlier than Windows
Server 2003 with SP1 should be removed from mixed-functional level environments (or
upgraded), because backed up BitLocker and TPM information will not be protected on
those domain controllers.
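The searchFlags values that the LDF in Appendix D assigns (136 and 137 on first creation, 27 and 152 after the RC1 updates) combine the confidential bit with other flags, so it is worth confirming the end state before importing. This added Python check (not one of Microsoft's sample scripts) replays the add and modify operations from a constructed excerpt of the file and reports which attributes end up confidential; the parser also accepts the full file, since it handles folded lines and comments.

```python
"""Replay the searchFlags operations of BitLockerTPMSchemaExtension.ldf and
check which attributes end up carrying the confidential bit.

Added example, not a Microsoft script. LDIF_EXCERPT is a constructed
excerpt of the page's schema file: only the dn, changetype, ldapDisplayName
and searchFlags lines are kept, with the page's own values."""

CONFIDENTIAL = 128   # searchFlags bit: readable only by domain admins and delegates
# Attributes that hold secrets and must carry the confidential bit after import.
SECRET_ATTRIBUTES = {"msTPM-OwnerInformation", "msFVE-RecoveryPassword",
                     "msFVE-KeyPackage"}

LDIF_EXCERPT = """\
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
ldapDisplayName: msTPM-OwnerInformation
searchFlags: 136

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
ldapDisplayName: msFVE-RecoveryGuid
searchFlags: 137

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
ldapDisplayName: msFVE-RecoveryPassword
searchFlags: 136

dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
ldapDisplayName: msFVE-KeyPackage
searchFlags: 152

dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
"""


def parse_ldif(text):
    """Split LDIF into (dn, changetype, {attr: [values]}) records; handles folded
    lines (leading space), '#' comments, '-' separators and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], {}
    for line in lines + [""]:                   # sentinel flushes the last record
        if not line:
            if cur:
                dn = cur.pop("dn", [""])[0]
                records.append((dn, cur.pop("changetype", ["add"])[0], cur))
                cur = {}
        elif line[0] != "#" and line != "-":
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.lstrip(": ").strip())
    return records


def replay(records):
    """Apply add and modify/replace operations to an in-memory schema
    (single-valued attributes only, which is all searchFlags needs)."""
    schema = {}
    for dn, changetype, attrs in records:
        if changetype == "add":
            schema[dn] = {k: v[0] for k, v in attrs.items()}
        elif changetype == "modify" and dn in schema:
            for k, v in attrs.items():
                if k not in ("add", "replace", "delete"):   # skip the op keyword
                    schema[dn][k] = v[0]
    return schema


def confidential_report(ldif_text):
    """{ldapDisplayName: (searchFlags, is_confidential)} after the import."""
    report = {}
    for attrs in replay(parse_ldif(ldif_text)).values():
        if "ldapDisplayName" in attrs:
            flags = int(attrs.get("searchFlags", 0))
            report[attrs["ldapDisplayName"]] = (flags, bool(flags & CONFIDENTIAL))
    return report


def unprotected_secrets(ldif_text):
    """Secret-bearing attributes the file would leave without the flag."""
    report = confidential_report(ldif_text)
    return sorted(a for a in SECRET_ATTRIBUTES if not report.get(a, (0, False))[1])
```

The GUID attributes stay non-confidential on purpose (27 = indexed, container-indexed, preserve-on-delete and copy); only the three secret-bearing attributes need 152, which sets bit 128.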
2. You have domain administrator privileges for the target forest.
3. You have obtained the following files:
• BitLockerTPMSchemaExtension.ldf
• Add-TPMSelfWriteACE.vbs
To extend the Active Directory schema with BitLocker and TPM attributes
1. Log on with a domain account in the Schema Admins group. This account
must be used to extend the schema.
By default, the built-in Administrator account in the forest root domain is part of
the Schema Admins group. For more information, see the section "Granting
access rights to make schema changes" in "How the Active Directory Schema
Works" (http://go.microsoft.com/fwlink/?LinkID=79649).
2. Check that your Windows Server installation enables schema updates.
In Windows Server 2003, Active Directory schema updates are enabled by
default. For more information, including the steps required to enable schema
updates, see article 285172 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=79644).
3. Check that you have access to the domain controller that is the schema
operations master in the Active Directory forest. Schema updates can only be
performed at the schema operations master.
4. Review BitLockerTPMSchemaExtension.ldf, the LDIF file containing the
schema extension.
For background information about changes made by the schema extension, see
Background earlier in this document.
For reference information about schema extensions, see "How the Active
Directory Schema Works" (http://go.microsoft.com/fwlink/?LinkId=79649).
5. Use the Ldifde command-line tool to extend the schema on the domain
controller that serves as the schema operations master. For example, to import
the schema extension on a domain named nttest.microsoft.com, log on as a user
in the Schema Admins group, and then type the following at a command prompt:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
This command should be entered as one line. The trailing period (".") is part of the
command.
The use of -k suppresses "Object Already Exists" errors if portions of the
schema already exist. The use of -j . saves an extended log file to the current
working directory.
For more information about Ldifde parameters, see article 237677 in the Microsoft
Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79650). Sample output from
running this command is included in Appendix B: Sample Ldifde output later in this
document.
This script adds a single ACE to the top-level domain object. The ACE is an inheritable
permission that allows SELF (the computer itself) to write to the
ms-TPM-OwnerInformation attribute for Computer objects in the domain.
For additional reference information, see "Using Scripts to Manage Active Directory
Security" (http://go.microsoft.com/fwlink/?LinkId=79652).
The sample script provided operates under the following assumptions:
• You have domain administrator privileges to set permissions for the top-level
domain object.
• Your target domain is the same as the domain for the user account running the
script.
For example, running the script as TESTDOMAIN\admin will extend permissions for
TESTDOMAIN. You might need to modify the sample script if you want to set
permissions for multiple domains, but do not have domain administrator accounts for
each of those domains. Find the variable strPathToDomain in the script and modify it
for your target domain, for example:
"LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"
• Your domain is configured so that permissions inherit from the top-level domain
object to targeted Computer objects.
Permissions will not go into effect if any container in the hierarchy does not allow
inherited permissions from the parent. By default, inheritance of permissions is set by
Active Directory. If you are not sure whether your configuration differs from this
default, you can continue with the setup steps to set the permission. You can then
verify your configuration as described later in this document, or by clicking the
Effective Permissions button while viewing the properties of a Computer object to
check that SELF can write the msTPM-OwnerInformation attribute.
Note
We recommend that you keep the default options when you enable each Group
Policy setting. Be sure to read the Explain text before making any changes.
To enable the local policy settings to back up BitLocker and TPM recovery
information to Active Directory
1. Log on to the computer as an administrator.
2. Click Start, type the following in the Start Search box, and then press
ENTER:
gpedit.msc
3. To enable Group Policy settings to back up BitLocker recovery information to
Active Directory:
a. Open Computer Configuration, open Administrative Templates, open
Windows Components, and then open BitLocker Drive Encryption.
b. In the right pane, double-click Turn on BitLocker backup to Active
Directory.
c. Select the Enabled option.
d. Verify that the Require BitLocker backup to AD DS check box is
selected.
4. Enable the Group Policy setting to back up TPM recovery information to Active
Directory:
a. Open Computer Configuration, open Administrative Templates, open
System, and then open Trusted Platform Module Services.
Important
You should perform additional tests as required to satisfy yourself that everything
is working correctly in your environment; do not assume that this scenario will
completely test all aspects of your configuration.
Test scenarios can also vary based on your organization's policies. For example, in
organizations where users are the Creator Owner of Computer objects they join to the
domain, it might be possible for these users to read the TPM owner information for their
own Computer objects.
> AceFlags: 10
> AceType: 5
> Flags: 3
> AccessMask: 32
Note
To open an elevated command prompt window, right-click a command
prompt shortcut, and then click Run as Administrator.
10. At the command prompt, type the following:
cscript Get-TPMOwnerInfo.vbs
Expected Output: The error "Active Directory: The directory property cannot
be found in the cache." No information is displayed because a non-domain
administrator should not be able to read the ms-TPM-OwnerInformation attribute.
Note
If users are the Creator Owner of Computer objects they join to the
domain, it might be possible for these users to read the TPM owner
information for their own Computer objects.
11. Log on as a domain administrator on the same client computer.
12. Using this domain administrator account, open an elevated command prompt
window, and change to the directory in which you have saved a copy of the
sample scripts provided with this document.
13. At the command prompt, type the following:
cscript Get-TPMOwnerInfo.vbs
Expected Output: A string that is the hash of the password you created earlier.
As a domain administrator, you should have Read access to the
ms-TPM-OwnerInformation attribute.
14. At the elevated command prompt, type the following to create a recovery
password:
manage-bde -protectors -add -RecoveryPassword C:
Expected Output: The action will succeed without an error message.
15. At the command prompt, type the following to read all BitLocker child objects
of the client computer's Active Directory object:
cscript Get-BitLockerRecoveryInfo.vbs
Important
Domain controllers running Windows 2000 Server or the initial release of
Windows Server 2003 are not supported for backing up BitLocker and TPM
recovery information.
Script errors
You might receive an error when you run a script. The following sections explain the
causes of and solutions for the most frequent script errors.
Get-TPMOwnerInfo.vbs
When running Get-TPMOwnerInfo.vbs, if an error appears stating "Active Directory: The
directory property cannot be found in the cache," you do not have permission to read the
TPM owner information attribute object in Active Directory.
General
If an error appears stating "The specified domain either does not exist or could not be
contacted," ensure that the computer is joined to the domain and that network
connectivity is available.
If an error appears stating "There is no such object on the server," check that any
computer specified by name on the command line is currently connected to the network.
Errors are accompanied by the line number in which the error occurred. Consult the script
source code to assist in troubleshooting the issue.
Note
Once recovery information is transmitted, Active Directory does not store the
BitLocker and TPM recovery information in an encrypted format. However,
access control permissions are set so that only domain administrators or
appropriate delegates can read the stored information when the server is online.
Enterprises concerned about offline attacks on branch office servers should
consider enabling BitLocker on those servers, once they are upgraded to
Windows Server "Longhorn".
Note
This snap-in is in Windows Support Tools. To download the Windows
Support Tools for Windows Server 2003 with Service Pack 1, see
http://go.microsoft.com/fwlink/?LinkID=70775.
3. Open the Schema container, and then open the folder containing available
schema objects (see the following figure).
4. Find by name the following schema objects:
• CN=ms-FVE-KeyPackage – attributeSchema object
• CN=ms-FVE-RecoveryGuid – attributeSchema object
• CN=ms-FVE-RecoveryInformation – classSchema object
• CN=ms-FVE-RecoveryPassword – attributeSchema object
• CN=ms-FVE-VolumeGuid – attributeSchema object
• CN=ms-TPM-OwnerInformation – attributeSchema object
The following screen image represents a typical search for schema objects:
Note
Your on-screen display might differ due to line wrapping required to display or
print this output.
Sample Output
D:\ad>ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com" -k -j .
Connecting to "x-hp-test-serve.black.nttest.corp.microsoft.com"
Loading entries
1: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
2: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
3: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
4: (null)
5: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
6: CN=computer,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
7: (null)
8: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
10: (null)
11: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
12: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
13: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
14: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
15: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
16: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Entry modified successfully.
17: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
18: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
19: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
20: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=black,DC=nttest,dc=corp,dc=microsoft,dc=com
Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
The following is the contents of the BitLockerTPMSchemaExtension.ldf file, which can be
used to extend the Active Directory schema from Windows Server 2003 with SP1 to
support backing up recovery information for BitLocker and the TPM owner password in
Active Directory.
To use this file to extend the schema, you should be familiar with the Ldifde command,
which must be run on the domain controller holding the schema operations master role
for the forest.
Note
To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.
File contents
Note
Some lines might appear split into multiple lines for display or printing.
#=====================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
#
# Change History:
# 11/2005 - Schema additions for Vista Beta 2 (matches "Longhorn" Server Beta 2)
# 5/2006 - Schema additions and updates for Vista RC1 (matches "Longhorn" Server Beta 3)
#
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename "Longhorn".
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#
#=====================================================================
#=====================================================================
# [Vista Beta 2 and up] TPM Recovery Information - Attributes
#=====================================================================
#
# ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE
#======================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information - Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#=====================================================================
#
# ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE
#
# ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE
#=====================================================================
# [Vista Beta 2 and up] Attributes - Schema Update
#======================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information - Class
#=====================================================================
#
# ms-FVE-RecoveryInformation
#
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
#=====================================================================
# [Vista Beta 2 and up] Classes - Schema Update
#=====================================================================
dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista RC1 and up] Bitlocker Recovery Information - Additional Attributes
#=====================================================================
#
# ms-FVE-VolumeGuid
#
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128
#
# ms-FVE-KeyPackage
#
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400
#=====================================================================
# [Vista RC1 and up] Additional Attributes - Schema Update
#=====================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#======================================================================
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage
-
#=====================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#=====================================================================
#
# Updates to ms-TPM-OwnerInformation
#
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-
#
# Updates to ms-FVE-RecoveryGuid
#
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
#
# Updates to ms-FVE-RecoveryPassword
#
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256
-
#
# Reload the schema cache to pick up updated attributes
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Appendix E: Add-TPMSelfWriteACE.vbs
File Contents
The following is the contents of the Add-TPMSelfWriteACE.vbs file, which can be used to
add the access control entry required to allow Windows Vista clients to back up the TPM
owner password recovery information in Active Directory.
Note
To download this file, see http://go.microsoft.com/fwlink/?LinkId=78953.
File contents
'===============================================================================
'
' This script demonstrates the addition of an Access Control Entry (ACE)
' to allow computers to write Trusted Platform Module (TPM)
' recovery information to Active Directory.
'
' This script creates a SELF ACE on the top-level domain object, and
' assumes that inheritance of ACLs from the top-level domain object to
' down-level computer objects is enabled.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: August 2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================
' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Set up the ACE to allow write of TPM owner information
' --------------------------------------------------------------------------------
objAce1.Trustee = "SELF"
objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER
' --------------------------------------------------------------------------------
' NOTE: By default, the "SELF" computer account can create
' BitLocker recovery information objects and write BitLocker recovery properties.
'
' No additional ACEs are needed.
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------
objDacl.AddAce objAce1
objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo
WScript.Echo "SUCCESS!"
Note
To download these files, see http://go.microsoft.com/fwlink/?LinkId=78953.
List-ACEs.vbs
This script lists or removes the access control entries (ACEs) configured on BitLocker
and TPM schema objects for the top-level domain. You can use this script to ensure that
the expected ACEs have been added appropriately or to remove any ACEs related to
BitLocker or the TPM.
Note
On a completed configuration without any delegation of permissions, there
should be only one ACE related to the TPM.
File contents
'===============================================================================
'
' This script lists the access control entries (ACE's) configured on
' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects
' for the top-level domain.
'
' Use this script to check that the correct permissions have been set.
' Also use this script to remove TPM and BitLocker ACE's from the top-level domain.
'
' Reference: "Using Scripts to Manage Active Directory Security"
' http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx
' and MSDN documentation.
'
' Last Updated: 1/30/2006
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: List-ACEs"
Wscript.Echo "List access permissions for BitLocker and TPM schema objects"
Wscript.Echo ""
Wscript.Echo "USAGE: List-ACEs -remove"
Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 0
' do nothing - checks for ACE's
removeACE = False
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
If UCase(args(0)) = "-REMOVE" Then
removeACE = True
End If
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Configuration of the filter to show/remove only ACE's for BDE and TPM objects
' --------------------------------------------------------------------------------
' Use this filter to list/remove only ACEs related to TPM and BitLocker
aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)
' --------------------------------------------------------------------------------
' Helper functions related to the list filter for listing or removing ACE's
' --------------------------------------------------------------------------------
Function IsFilterActive()
' The filter is active when at least one schema GUID is listed in aceGuidFilter
IsFilterActive = (UBound(aceGuidFilter) >= 0)
End Function
Function isAceWithinFilter(ace)
' True when the ACE's object type GUID is one of the filtered TPM/BitLocker GUIDs
isAceWithinFilter = False
For Each guid In aceGuidFilter
If UCase(ace.ObjectType) = UCase(guid) Then isAceWithinFilter = True
Next
End Function
Sub displayFilter
For Each guid In aceGuidFilter
WScript.echo guid
Next
End Sub
' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Show Access Control Entries (ACE's)
' --------------------------------------------------------------------------------
' Loop through the existing ACEs, including all ACEs if the filter is not active
end if
End If
i = i + 1
Next
Else
i = i - 1
WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName")
End If
' --------------------------------------------------------------------------------
' Optionally remove ACE's on a filtered list
' --------------------------------------------------------------------------------
descriptor.DiscretionaryAcl = dacl
domain.Put "ntSecurityDescriptor", Array(descriptor)
domain.setInfo
else
WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName")
end if
end if
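As an added example (not code from the guide or its scripts), the check that List-ACEs.vbs performs, written in Python over an SDDL export of the domain object's DACL: it looks for the SELF write-property ACE that Add-TPMSelfWriteACE.vbs creates and counts every ACE tied to the TPM or FVE schema GUIDs. The three schema GUIDs and the DACL string are constructed placeholders, not the real schema values.

```python
import re

# Placeholder schema GUIDs, constructed for this example. Substitute the real
# schemaIDGUID values of ms-TPM-OwnerInformation, ms-FVE-RecoveryInformation
# and the computer class from your forest's schema partition.
GUID_MS_TPM_OWNERINFORMATION = "11111111-1111-1111-1111-111111111111"
GUID_MS_FVE_RECOVERYINFORMATION = "22222222-2222-2222-2222-222222222222"
GUID_COMPUTER_CLASS = "33333333-3333-3333-3333-333333333333"

# DACL part of an SDDL string: "D:" + optional flags (P, AI, AR) + "(...)" ACEs.
DACL_RE = re.compile(r"D:[PAIR]*((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_rights(rights):
    """Rights/flags are either a hex mask ("0x20") or two-letter codes ("RPWP")."""
    if rights.lower().startswith("0x"):
        return {rights.lower()}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_sddl_dacl(sddl):
    """Return the DACL's ACEs as dicts; GUIDs are lower-cased for comparison.
    An ACE string looks like (type;flags;rights;object_guid;inherit_guid;trustee)."""
    m = DACL_RE.search(sddl)
    if m is None:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:          # conditional / resource-attribute ACEs: skip
            continue
        ace_type, flags, rights, obj, inh_obj, trustee = fields[:6]
        aces.append({"type": ace_type, "flags": parse_rights(flags),
                     "rights": parse_rights(rights), "object": obj.lower(),
                     "inherit_object": inh_obj.lower(), "trustee": trustee})
    return aces


def tpm_self_write_aces(aces):
    """ACEs matching what Add-TPMSelfWriteACE.vbs creates: object-allow ("OA") for
    SELF ("PS"), write-property ("WP") on ms-TPM-OwnerInformation, inheritable
    ("CI") to computer objects."""
    return [a for a in aces
            if a["type"] == "OA" and a["trustee"] == "PS" and "WP" in a["rights"]
            and a["object"] == GUID_MS_TPM_OWNERINFORMATION.lower()
            and a["inherit_object"] == GUID_COMPUTER_CLASS.lower()
            and "CI" in a["flags"]]


def bitlocker_related_aces(aces):
    """The List-ACEs.vbs filter: every ACE whose object type is a TPM or FVE GUID."""
    wanted = {GUID_MS_TPM_OWNERINFORMATION.lower(), GUID_MS_FVE_RECOVERYINFORMATION.lower()}
    return [a for a in aces if a["object"] in wanted]


def check_domain_dacl(sddl):
    """Summarise the DACL the way an admin verifies the setup: is the SELF write
    ACE present exactly once, and how many TPM/FVE-related ACEs exist in total."""
    aces = parse_sddl_dacl(sddl)
    return {"self_write_tpm": len(tpm_self_write_aces(aces)) == 1,
            "related": len(bitlocker_related_aces(aces)), "total": len(aces)}


# Constructed sample DACL: a generic read ACE, the expected SELF write ACE, and one
# delegated full-control ACE on recovery information objects for a fake group SID.
SAMPLE_DACL = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
               f"(OA;CIIO;WP;{GUID_MS_TPM_OWNERINFORMATION};{GUID_COMPUTER_CLASS};PS)"
               f"(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;{GUID_MS_FVE_RECOVERYINFORMATION};;"
               "S-1-5-21-0-0-0-1234)")

if __name__ == "__main__":
    print(check_domain_dacl(SAMPLE_DACL))
```

With the delegated ACE in the sample, "related" is 2; on a configuration without delegation, as the note above says, it should be 1.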
Get-TPMOwnerInfo.vbs
This script demonstrates the retrieval of TPM recovery information from Active Directory
for a particular computer. You can use this script to test that only domain administrators
(or delegated roles) can read backed up TPM recovery information, and that the
information is being backed up correctly.
File contents
'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'=================================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 0
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strComputerName = args(0)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False
Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
Get-BitLockerRecoveryInfo.vbs
This script demonstrates the retrieval of all BitLocker recovery information from Active
Directory for a particular computer. You can use this script to ensure that only domain
administrators (or delegated roles) can read the BitLocker recovery information backed
up in Active Directory and that it has been backed up correctly.
File contents
'===============================================================================
'
' This script demonstrates the retrieval of BitLocker Drive Encryption (BDE)
' recovery information from Active Directory for a particular computer.
'
' It returns all recovery passwords and associated GUIDs for a particular
' computer object.
'
' Change History:
' 1/30/2006 - Initial release
' 5/15/2006 - Added ConvertOctetGuidToHexString to remove dependency to ADs.DLL
' and converted GUID to correct byte order before printing.
' - Updated GetStrPathToComputer to search the global catalog.
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
'===============================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: Get-BitLockerRecoveryInfo [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 0
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strComputerName = args(0)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Helper function: Convert the octet GUID string (byte array) to a hex string
' --------------------------------------------------------------------------------
'Reference: http://blogs.msdn.com/ericlippert/archive/2004/05/25/141525.aspx
Function HexByte(b)
HexByte = Right("0" & Hex(b), 2)
End Function
Function ConvertOctetGuidToHexString(ByteArray)
Dim Binary, S
Binary = CStr(ByteArray)
S = "{"
S = S & HexByte(AscB(MidB(Binary, 4, 1)))
S = S & HexByte(AscB(MidB(Binary, 3, 1)))
S = S & HexByte(AscB(MidB(Binary, 2, 1)))
S = S & HexByte(AscB(MidB(Binary, 1, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 6, 1)))
S = S & HexByte(AscB(MidB(Binary, 5, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 8, 1)))
S = S & HexByte(AscB(MidB(Binary, 7, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 9, 1)))
S = S & HexByte(AscB(MidB(Binary, 10, 1)))
S = S & "-"
S = S & HexByte(AscB(MidB(Binary, 11, 1)))
S = S & HexByte(AscB(MidB(Binary, 12, 1)))
S = S & HexByte(AscB(MidB(Binary, 13, 1)))
S = S & HexByte(AscB(MidB(Binary, 14, 1)))
S = S & HexByte(AscB(MidB(Binary, 15, 1)))
S = S & HexByte(AscB(MidB(Binary, 16, 1)))
S = S & "}"
On Error GoTo 0
ConvertOctetGuidToHexString = S
End Function
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False
Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------
' Get all the recovery information child objects of the computer object
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
For Each objFveInfo In objFveInfos
strName = objFveInfo.Get("name")
strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
strRecoveryGuid = ConvertOctetGuidToHexString(strRecoveryGuidOctet)
strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
WScript.echo
WScript.echo "name: " + strName
WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
WScript.echo "msFVE-RecoveryPassword: " + strRecoveryPassword
Next
WScript.Quit
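ConvertOctetGuidToHexString above reorders the stored bytes of msFVE-RecoveryGuid into the text form of the GUID. The following added Python example (not part of the guide's scripts) reimplements that reordering, checks it against the standard library's little-endian GUID parser, and goes one step further than the script by adding the reverse direction, so a known recovery GUID can be turned into an LDAP search filter for the matching recovery information object. The sample value is constructed.

```python
import uuid


def octet_guid_to_string(octets):
    """Render the 16-byte attribute value as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
    The first three fields are stored little-endian and the last two in byte
    order, which is exactly the MidB(...) reordering done by the VBScript."""
    if len(octets) != 16:
        raise ValueError("msFVE-RecoveryGuid must be exactly 16 bytes")
    parts = (octets[3::-1],    # bytes 4,3,2,1  (Data1)
             octets[5:3:-1],   # bytes 6,5      (Data2)
             octets[7:5:-1],   # bytes 8,7      (Data3)
             octets[8:10],     # bytes 9,10     (Data4, first two)
             octets[10:16])    # bytes 11..16   (Data4, remaining six)
    return "{" + "-".join(p.hex().upper() for p in parts) + "}"


def string_guid_to_octets(text):
    """Inverse: parse the braced or plain text GUID back into the stored bytes."""
    return uuid.UUID(text.strip("{}")).bytes_le


def ldap_filter_for_recovery_guid(text):
    """Build an LDAP filter that selects the msFVE-RecoveryInformation object for
    one recovery GUID; the binary value is escaped as \\XX per RFC 4515."""
    escaped = "".join("\\%02x" % b for b in string_guid_to_octets(text))
    return "(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryGuid=%s))" % escaped


def cross_check(text):
    """Round trip through uuid.UUID(bytes_le=...) to confirm the reordering."""
    return octet_guid_to_string(uuid.UUID(text).bytes_le) == "{" + text.upper() + "}"


# Constructed sample: GUID 01234567-89AB-CDEF-0123-456789ABCDEF as AD stores it.
SAMPLE_OCTETS = bytes.fromhex("67452301AB89EFCD0123456789ABCDEF")

if __name__ == "__main__":
    guid = octet_guid_to_string(SAMPLE_OCTETS)
    print("msFVE-RecoveryGuid:", guid)
    print("LDAP filter:", ldap_filter_for_recovery_guid(guid))
```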