If you have configured BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS), the backed-up BitLocker recovery information is stored in a child object of the computer object; that is, the computer object is the container for one or more BitLocker recovery objects. Each recovery object is of the class msFVE-RecoveryInformation and holds the recovery password (in its msFVE-RecoveryPassword attribute) together with the other recovery information for that protector, such as the recovery GUID and the volume GUID. If you have incorporated this process in your environment, you have most likely also installed the BitLocker Recovery Password Viewer for Active Directory so that you can view the recovery password for a selected computer object. If this is the case, you may also have asked yourself the following questions:
- I've just implemented BitLocker, but how do I know that the recovery passwords are being populated for all of my computers?
- How can I identify machines that have problems with the BitLocker backup process?
- How can I identify which machines do NOT have a recovery password?
You could answer these questions by opening the properties of each computer object and looking at its BitLocker Recovery tab. But, as you can imagine, this is a very tedious project in a domain with hundreds or even thousands of computers. This is where the AD BitLocker Password Audit tool comes in.
AD BitLocker Password Audit is a free Windows tool that queries your Active Directory for all or selected computer objects and returns their recovery passwords in a grid view, giving you a quick overview of the current state of your recovery capability. The built-in data filtering lets you narrow the results to machines that match your criteria, for example those that have no recovery password at all.
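The same audit can be scripted with the ActiveDirectory module if you prefer to build the report yourself. The following is an added example, not code from the AD BitLocker Password Audit tool or its author; it assumes RSAT is installed, that the running account has been delegated read access to the msFVE-RecoveryInformation objects, and that `$SearchBase` and the output path are placeholders to replace with your own values. It answers the three questions above by counting the recovery objects under each computer object rather than reading the passwords themselves.

```powershell
# Added example (not part of the AD BitLocker Password Audit tool): report which
# computer objects have BitLocker recovery information backed up to AD DS.
# Requires the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryInformation child objects. Use an account that has been delegated
# that access instead of a Domain Admin where possible.
Import-Module ActiveDirectory

# Assumption: $SearchBase is the OU to audit; replace with your own OU or domain DN.
$SearchBase = 'OU=Workstations,DC=example,DC=com'

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    # Recovery objects are direct children of the computer object, so a OneLevel
    # search rooted at the computer's DN returns exactly that machine's objects.
    $keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties whenCreated)

    # Only metadata is retrieved: the audit needs to know whether a recovery object
    # exists and how fresh it is. msFVE-RecoveryPassword is deliberately left unread.
    $latest = if ($keys.Count -gt 0) {
        ($keys | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
    } else { $null }

    [pscustomobject]@{
        ComputerName    = $computer.Name
        RecoveryObjects = $keys.Count
        LatestBackup    = $latest
        Status          = if ($keys.Count -gt 0) { 'OK' } else { 'MISSING' }
    }
}

# Machines with no recovery object answer the "which machines do NOT have a
# recovery password" question directly.
$report | Where-Object Status -eq 'MISSING' | Sort-Object ComputerName | Format-Table -AutoSize

# Full grid for review, plus a CSV for further filtering. Assumption: output path.
$report | Sort-Object ComputerName | Format-Table -AutoSize
$report | Export-Csv -Path .\BitLockerRecoveryAudit.csv -NoTypeInformation
```

Two caveats apply to any audit of this kind, the tool included. First, recovery objects accumulate and old ones are not removed when a volume is re-encrypted or a protector is reset, so the presence of an object does not prove it matches the protector currently on the disk; to confirm, compare the GUID in the object's name (its msFVE-RecoveryGuid) with the numerical password protector ID reported by `manage-bde -protectors -get C:` on the host. Second, an account that can enumerate or export every recovery password in the domain is a high-value credential, so delegate the read right on msFVE-RecoveryInformation only to the auditing account and treat any exported grid or CSV as sensitive data.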