Finally, a management tool for Bitlocker

I first deployed Bitlocker and AD integration with Windows 7 Enterprise back before it was publicly released (that gap between when it gets released to Volume Licence customers, but not to the public). It wasn’t easy, and I had to use some interesting hacks and self-discovered kludges gleaned from old Vista documentation, as the Win 7 documentation hadn’t been released by Microsoft at the time. I had meant to document and release it as a quick-fix blog entry but the time passed and everything can be done properly now.

Since deployment, Bitlocker has been fantastic. The only issue we’ve had with Bitlocker since we deployed it is that of ensuring that end-users don’t suspend it or disable it, and that we most definitely have a good backup of the recovery key.

Effectively, without a management tool, you fly a bit blind until a problem comes up, or a Bitlockered laptop ends up in your lap with it disabled. Ignorance shouldn’t be bliss when it comes to full disk encryption and protecting your company’s data.

The AD backup of keys is a particular pain, as we’ve found that sometimes, Bitlocker just forgets to back itself up to AD when it’s enabled. To mitigate this, we’ve just instructed Bitlocker to also copy the key to a secure fileshare when it’s enabled during the MDT task, as well as backing it up to AD.
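Until a management tool is in place, the two gaps described above (protection that has been suspended or disabled, and a recovery key that never reached AD) can be checked from the client itself. The script below is an added example, not something from the original deployment; it assumes it is run elevated on each laptop (for instance as a startup script or scheduled task) and that the Group Policy setting allowing recovery information to be stored in AD is already enabled.

```powershell
# Added example (not from the original post). Run elevated on the client.
# Uses the Win32_EncryptableVolume WMI class, available on Windows 7.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
           -Filter "DriveLetter='$env:SystemDrive'"
if (-not $vol) {
    Write-Warning "No encryptable volume found for $env:SystemDrive"
    exit 2
}

# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2-5 = in progress or paused
# ProtectionStatus: 0 = off (disabled or suspended), 1 = on, 2 = unknown
$conv = $vol.GetConversionStatus().ConversionStatus
$prot = $vol.GetProtectionStatus().ProtectionStatus

$state = 'ConvertingOrUnknown'
if     ($conv -eq 0)                  { $state = 'Disabled'  }
elseif ($conv -eq 1 -and $prot -eq 1) { $state = 'Protected' }
elseif ($conv -eq 1 -and $prot -eq 0) { $state = 'Suspended' }

# Key protector type 3 = numerical (recovery) password.
# The outer @() keeps $ids an empty array (not $null) when nothing is returned,
# which matters for foreach on PowerShell 2.0.
$ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })

# Re-send every recovery password to AD; ReturnValue 0 = success.
$failed = 0
foreach ($id in $ids) {
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -ne 0) {
        $failed++
        Write-Warning ("AD backup failed for protector {0}: 0x{1:X8}" -f $id, $rc)
    }
}

# One object per machine, easy to collect centrally.
New-Object PSObject -Property @{
    Computer         = $env:COMPUTERNAME
    State            = $state
    RecoveryKeys     = $ids.Count
    AdBackupFailures = $failed
}

# Non-zero exit lets the calling task flag machines that need attention.
if ($state -ne 'Protected' -or $ids.Count -eq 0 -or $failed -gt 0) { exit 1 }
```

The script never reads or prints the recovery password itself, only the protector IDs, so its output is safe to collect in ordinary logs.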

Fortunately, Microsoft have started to build a Bitlocker management tool called Microsoft Bitlocker Administration and Management. You can read more about it on the Windows Team Blog.

It’s still in Beta, but I’m looking forward to trying this out!

Win7 + Bitlocker = Can’t Shutdown?

If you have Windows 7 with Bitlocker enabled, and are sometimes unable to shut down your PC properly, check out this article: http://social.answers.microsoft.com/Forums/en-US/GettingReadyforWindows7/thread/66b6e093-9de7-4e76-84cf-322bd1e35f22

The hotfix is available here: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=975496&kbln=en-us

Symptoms for us were that Windows 7 itself would shut down, but the power would not be switched off from the laptop, leaving it running (often with the fans whizzing away and LEDs on).

Can’t install BitLocker Recovery Password Viewer on Server 2008 SP2?

If you can’t install the “BitLocker Recovery Password Viewer for Active Directory Users and Computers tool” on Server 2008, it’s probably because you’re running SP2. Sigh.

When you try to run the Windows6.0-KB928202-x64.msu or Windows6.0-KB928202-x86.msu file you’ll get the error message:

“The update does not apply to your system”

This is because it doesn’t seem to support Server 2008 with SP2.

Full details here

Oh, and sorry for the lack of posts. Life’s a bitch ain’t it 😉