Store Windows Client Bitlocker Keys in UCS Active Directory

active-directory

#1

Hi all,

Is it possible to have UCS AD handle the bitlocker keys of the clients like Windows Server does?
Samba4 should be able to do this, but I can’t find the fields in the LDAP Schema in UCS.

Any ideas?

Best
Sebastian


#2

Hi,

I must admit that I am not familiar with this aspect of administration.
My first problem is to figure out how this should work in a pure Windows environment with versions that are still supported. There have apparently been many changes over the last few years. And I really don't fully understand what articles like https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises are trying to communicate. At first glance it looks like SCCM is needed.

I found a 5-year-old post (https://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html) with initial information. The mentioned schema definition BitLockerTPMSchemaExtension.ldf appears to be unavailable now, at least from the original sources.

There are traces in https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc766251(v=ws.10) mentioning certain attributes. Using RSAT on a Windows machine joined to a UCS-based environment I could find at least the msTPM-OwnerInformation attribute. My Windows 2016-based lab shows this too, but also msTPM-TpmInformationForComputer. Attributes starting with msFVE are missing in both environments. But my Windows lab is only the default AD plus Exchange at this time.

It appears that we should first make clear what “like Windows Server does” means in this context.

Best Regards,
Dirk Ahrnke


#3

Hello, maybe this can help?
http://jackstromberg.com/2015/02/tutorial-configuring-bitlocker-to-store-recovery-keys-in-active-directory/

If that could be done in UCS, it would be a plus.


#4

AFAIK SCCM is not necessary. At least it wasn’t when we first started using Bitlocker with AD.
We implemented SCCM later on, but it is really just an extended schema and a "simple" feature extension in the AD console to read the stored keys.
Someone might have done this, but I can’t figure out how:
https://lists.samba.org/archive/samba/2015-December/196778.html
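Added example, not from any of the posts above: a PowerShell check that covers the two questions raised in #2 and #4, namely whether the directory schema contains the BitLocker recovery class and attributes at all (on a Windows DC they come from the BitLocker schema extension; on a UCS/Samba AD DC they must be added the same way), and, if it does, how the recovery passwords stored under a computer object are read, which is all the "feature extension in the AD console" does. It assumes the RSAT ActiveDirectory module on a domain-joined Windows machine and the placeholder computer name `CLIENT01`; the attribute and class names are the standard LDAP display names from the Microsoft schema.

```powershell
# Added example (not code from the thread). Requires the RSAT ActiveDirectory
# module on a domain-joined Windows machine. Works unchanged against a
# UCS/Samba AD DC or a Windows DC. 'CLIENT01' is a placeholder computer name.
Import-Module ActiveDirectory

# 1. Schema check: which of the BitLocker/TPM schema elements exist?
#    msFVE-RecoveryInformation is the class created under each computer object;
#    the msFVE-* attributes hold the recovery password and its identifiers.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$wanted = @(
    'msFVE-RecoveryInformation',   # class
    'msFVE-RecoveryPassword',      # the 48-digit recovery password
    'msFVE-RecoveryGuid',          # ID shown on the client's recovery screen
    'msFVE-VolumeGuid',            # which volume the password belongs to
    'msFVE-KeyPackage',            # key package for repair scenarios
    'msTPM-OwnerInformation'       # TPM owner auth (legacy, on the computer object)
)
foreach ($name in $wanted) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)"
    if ($obj) { '{0,-28} present ({1})' -f $name, $obj.ObjectClass }
    else      { '{0,-28} MISSING'        -f $name }
}

# 2. Read the recovery information stored under one computer object.
#    These are child objects of the computer, so search one level below it.
#    Reading msFVE-RecoveryPassword needs read permission on that attribute
#    (on a Windows domain by default only Domain Admins have it); treat the
#    output as a secret, it unlocks the disk.
$computer = Get-ADComputer -Identity 'CLIENT01'   # placeholder name
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated' |
  Sort-Object whenCreated -Descending |
  Select-Object Name, whenCreated, 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword'
```

If step 1 reports the msFVE-* names as MISSING, step 2 can only return nothing: the client's "Back up recovery password to AD DS" policy silently fails on a directory without the class, so the schema check is the first thing to run on a UCS domain before trusting any backup policy. The same lookup can be done on the UCS DC itself against the Samba sam.ldb schema partition; the class and attribute names are identical there.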