BPuhl’s Blog

A little bit of everything without actually being much of anything

Getting your Bitlocker keys out of AD

Posted by BPuhl on October 14, 2010

I often talk about my perspective that AD is a great publishing engine, but that it should not be authoritative for anything. Any mission critical data should be mastered outside of AD and then synced into the directory to be published and consumed.

The problem with this is services that source their information from AD directly while that data is still mission critical. One example is BitLocker Drive Encryption recovery keys: the BDE service on clients writes its recovery keys directly into AD, so the directory is the only copy.

Before MSIT broadly deployed Bitlocker, we worked with an internal team to build a solution for finding new BDE recovery keys, and copying them out of AD into an external store.  We even went a step further, and put some self-service recovery options in front of that store.

I’m happy to see that MSIT was able to publish this solution out to Codeplex, so we can share it with everyone.

If you’ve got BitLocker deployed in your environment but are ONLY storing the recovery keys in AD, you may want to take a look.

http://keyrecoverytool.codeplex.com/
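To make the "find new recovery keys and copy them out of AD" step concrete, here is an added PowerShell example. It is not the Codeplex tool's code and not MSIT's solution; it assumes the ActiveDirectory module, a service account that has been delegated read access to the msFVE-RecoveryInformation objects (by default only domain admins can read them), and two hypothetical paths (`C:\BdeExport\last-run.txt` for the high-water mark and `C:\BdeExport\keys` for the export) that you would replace with your own store. It uses a whenCreated watermark so each run picks up only objects written since the previous successful run, and DPAPI-protects the recovery password column so the export file is not plaintext at rest.

```powershell
# Added example (not the Codeplex key recovery tool's code): enumerate the
# msFVE-RecoveryInformation objects that BDE clients wrote into AD since the
# last run and copy them into an external store outside the directory.
Import-Module ActiveDirectory

$StateFile = 'C:\BdeExport\last-run.txt'   # assumed path: stores the watermark of the last run
$ExportDir = 'C:\BdeExport\keys'           # assumed path: restrict its ACL to the service account

# Watermark: only pick up objects created after the previous successful run.
$since = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) } else { [datetime]'2000-01-01' }
$runStart = (Get-Date).ToUniversalTime()

# whenCreated comparisons in an LDAP filter use generalized time, e.g. 20101014000000.0Z
$ldapSince = $since.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$filter = "(&(objectClass=msFVE-RecoveryInformation)(whenCreated>=$ldapSince))"

$new = Get-ADObject -LDAPFilter $filter `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

$records = foreach ($obj in $new) {
    # The recovery object is a child of the computer object, so the parent DN
    # identifies the machine. Split on the first unescaped comma.
    $computerDn = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]

    [pscustomobject]@{
        Computer          = $computerDn
        # Both GUIDs are stored as octet strings; convert them to the form shown
        # in the BitLocker recovery prompt ("Password ID").
        RecoveryGuid      = [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
        VolumeGuid        = [guid]::new([byte[]]$obj.'msFVE-VolumeGuid')
        WhenCreated       = $obj.whenCreated.ToUniversalTime().ToString('o')
        # DPAPI-protect the 48-digit recovery password under the running account
        # so the file on disk does not carry it in plaintext.
        ProtectedPassword = (ConvertTo-SecureString $obj.'msFVE-RecoveryPassword' -AsPlainText -Force |
                             ConvertFrom-SecureString)
    }
}

if ($records) {
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $out = Join-Path $ExportDir ('bde-keys-{0:yyyyMMddHHmmss}.csv' -f $runStart)
    $records | Export-Csv -Path $out -NoTypeInformation
    Write-Host "Exported $(@($records).Count) new recovery key(s) to $out"
}
else {
    Write-Host "No new recovery keys since $since"
}

# Advance the watermark only after the export succeeded, so a failed run is retried.
$runStart.ToString('o') | Set-Content $StateFile
```

Run it on a schedule under the delegated service account; to read a password back during a recovery, pipe the ProtectedPassword value through `ConvertTo-SecureString` under that same account. Because the external store now holds the same secret as AD, it needs at least the same protection: a restricted ACL on the export location, audit logging of reads, and a proper secret store rather than per-account DPAPI if more than one operator must be able to recover keys.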
