Store Windows Client Bitlocker Keys in UCS Active Directory

Hi all,

Is it possible to have UCS AD handle the bitlocker keys of the clients like Windows Server does?
Samba4 should be able to do this, but I can’t find the fields in the LDAP Schema in UCS.

Any ideas?

Best
Sebastian

1 Like

Hi,

I must admit that I am not familiar with this aspect of administration.
My first problem is to figure out how this should work in a pure Windows environment with versions that are still supported. There have apparently been many changes over the last few years. And I really don't fully understand what articles like https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises are trying to communicate. At first glance it looks like SCCM is needed.

I found a 5-year-old post (https://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html) with initial information. The mentioned schema definition BitLockerTPMSchemaExtension.ldf appears to be unavailable now, at least from the original sources.

There are traces in https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc766251(v=ws.10) mentioning certain attributes. Using RSAT on a Windows machine joined to a UCS-based environment I could find at least the msTPM-Ownerinformation attribute. My Windows 2016 based lab shows this too, but also msTPM-TpmInformationforComputer. Attributes starting with msFVE are missing in both environments. But my Windows lab is only the default AD plus Exchange at this time.

It appears that we should first make clear what “like Windows Server does” means in this context.

Best Regards,
Dirk Ahrnke

Hello, maybe this can help?
http://jackstromberg.com/2015/02/tutorial-configuring-bitlocker-to-store-recovery-keys-in-active-directory/

If that could be done in UCS, it would be a plus.

AFAIK SCCM is not necessary. At least it wasn’t when we first started using Bitlocker with AD.
We implemented SCCM later on, but it is really just an advanced schema and a “simple” feature extension in the AD Console to read the stored keys.
Someone might have done this, but I can’t figure out how:
https://lists.samba.org/archive/samba/2015-December/196778.html

Any news regarding this matter?

With Samba 4.10 the BitLocker schema is available.

https://dev.tranquil.it/samba/en/samba_advanced_methods/samba_bitlocker_ad.html

1 Like

Hi, any news about BitLocker AD in UCS?

1 Like

Any news about this?

Adding this feature would help a lot.

@BarkingMadWolf I have it working, following the link I posted some time ago.

1 Like

Ah, thank you! It was my mistake, I only activated the “Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)” policy. Of course, this won’t work with Windows 10 & 11, but I thought this was a Univention issue.

The correct Policy is in “Operating System Drives”.

Now, everything works. :)
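Once the policy under “Operating System Drives” is active, the thing worth checking on the UCS side is whether every computer object actually has an msFVE-RecoveryInformation child object escrowed. The following is an added example, not code from this thread or from Univention: a POSIX shell/awk report that parses LDIF (as `ldapsearch -LLL` against the Samba AD would print it) from stdin and lists computers with no recovery object. It assumes plain (non-base64) DNs and that recovery objects sit directly under their computer object, as they do in AD; the sample LDIF is constructed.

```shell
#!/bin/sh
# Assumed input: LDIF from a query such as
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.org -b DC=example,DC=org \
#     '(|(objectClass=computer)(objectClass=msFVE-RecoveryInformation))' dn objectClass
# Only the parsing below runs here; the query line is illustrative.

# Print "<computer DN><TAB><number of escrowed recovery objects>" per computer.
escrow_report() {
    awk '
    BEGIN { RS = ""; FS = "\n" }                 # one LDIF entry per record
    {
        dn = ""; oc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /) dn = substr($i, 5)                       # skip "dn: "
            else if (tolower($i) ~ /^objectclass: /)
                oc = oc " " tolower(substr($i, 14))                     # skip "objectClass: "
        }
        if (dn == "") next
        if (oc ~ / computer( |$)/) { computers[dn] = 1; if (!(dn in cnt)) cnt[dn] = 0 }
        if (oc ~ / msfve-recoveryinformation( |$)/) {
            p = index(dn, ",CN=")                # parent DN = everything after the first RDN
            if (p > 0) cnt[substr(dn, p + 1)]++
        }
    }
    END { for (c in computers) printf "%s\t%d\n", c, cnt[c] }
    ' | sort
}

# Print only the CN of computers that have nothing escrowed (the ones to chase).
computers_without_escrow() {
    escrow_report | awk -F '\t' '$2 == 0 { sub(/^CN=/, "", $1); sub(/,.*/, "", $1); print $1 }'
}

# Constructed sample LDIF: PC01 has one recovery object, PC02 has none.
SAMPLE_LDIF='dn: CN=PC01,CN=Computers,DC=example,DC=org
objectClass: top
objectClass: computer

dn: CN=2023-05-01T10:00:00+02:00{11111111-2222-3333-4444-555555555555},CN=PC01,CN=Computers,DC=example,DC=org
objectClass: msFVE-RecoveryInformation

dn: CN=PC02,CN=Computers,DC=example,DC=org
objectClass: top
objectClass: computer
'

printf '%s\n' "$SAMPLE_LDIF" | computers_without_escrow   # prints PC02
```

Pipe real `ldapsearch` output into `computers_without_escrow` instead of the sample to get the list of clients whose keys never reached the directory.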
