September 13th, 2011
paulw
We recently added an additional Windows Server 2008 R2 domain controller to our domain and found that the BitLocker tab in the Active Directory Users and Computers snap-in was not appearing for the laptops.
In Windows Server 2008 you had to download and install the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool, and if this was the first time the tool had been installed, you had to run regsvr32.exe BdeAducExt.dll as an Enterprise Administrator.
This has been simplified in Windows Server 2008 R2:
1. Open Server Manager and click on Features.
2. Click on Add Features and browse to the following location:
Remote Server Administration Tools –> Feature Administration Tools
3. Tag the option for BitLocker Drive Encryption Administration Utilities

4. Click on Next and then click on Install
5. You should then see that the installation was successful and can click on Close

If you open the Active Directory Users and Computers snap-in, you should now see the BitLocker Recovery tab on the computer objects.
Cheers
Paul
After making a hardware, driver or BIOS change, or experiencing a blue screen error, on a machine with BitLocker enabled, you may be prompted for your recovery key with the following error:

After entering your recovery key and logging in, the next time you perform a reboot you are prompted with the same error.
Solution:
Suspend then Resume BitLocker.
Ensure that you suspend BitLocker before making any hardware, driver or BIOS changes, and then resume BitLocker once complete.
After deploying a few new laptops in our organisation I found that sometimes I would lose the GUI notification in the taskbar that would tell me the percentage complete of the encryption of the hard drive.
Running this command in a command prompt should give you the current encryption status of the disk:
manage-bde.exe -status
Cheers
Paul
After configuring your Active Directory domain to store BitLocker and TPM Recovery Keys:
http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx
The following commands can be run on machines that were already BitLocker-encrypted to back up their recovery key to AD:
1. Open an administrative command prompt
2. manage-bde -protectors -get C: -type recoverypassword
3. manage-bde -protectors -adbackup C: -id {Insert the numerical ID here}
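Steps 2 and 3 above can be scripted so the protector ID does not have to be copied by hand. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt, English-language manage-bde output, and C: as the default volume (the $MountPoint parameter is a name chosen for this example).

```powershell
# Added example: back up every recovery password protector on a volume to AD.
param(
    [string]$MountPoint = 'C:'   # assumption: the OS volume, as in the steps above
)

# Step 2: list the recovery password protectors. The output includes the
# 48-digit recovery password, so it is held in a variable and never echoed or logged.
$output = & manage-bde.exe -protectors -get $MountPoint -type recoverypassword
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde could not read protectors on $MountPoint (exit code $LASTEXITCODE)."
    exit 1
}

# Each protector is listed with a line of the form "ID: {GUID}".
$pattern = 'ID:\s*(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
$ids = @($output | ForEach-Object {
    if ("$_" -match $pattern) { $Matches[1] }
})

if ($ids.Count -eq 0) {
    Write-Error "No recovery password protector found on $MountPoint."
    exit 1
}

# Step 3: back up each protector to Active Directory by its ID.
# A volume can carry more than one recovery password, so all of them are sent.
$failed = 0
foreach ($id in $ids) {
    & manage-bde.exe -protectors -adbackup $MountPoint -id $id | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Backed up protector $id to Active Directory."
    } else {
        Write-Warning "Backup of protector $id failed (exit code $LASTEXITCODE)."
        $failed++
    }
}

# Non-zero exit code if any backup failed, so a deployment tool can flag the machine.
exit $failed
```

Only the protector IDs are printed, so the script's output can be kept in deployment logs without exposing the recovery passwords themselves.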
We came across an issue when attempting to install the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool (KB928202) on a Windows Server 2008 Service Pack 2 machine. The following error was received when attempting to install the .msu file:

Solution:
Manually expand the .msu file and install using the Package Manager command-line tool:
1. Download the KB928202 .msu file to a folder of your choice (e.g. C:\Temporary)
2. Open a command prompt and navigate to your folder
3. Expand the .msu file using expand -F:* Windows6.0-KB928202-x86.msu c:\temp
4. Then install with pkgmgr /n:.\Windows6.0-KB928202-x86.xml
5. Still in CMD, navigate to C:\Windows and run regsvr32.exe BdeAducExt.dll as an Enterprise Administrator
The “Find BitLocker Recovery Password…” option should now be available in Active Directory Users and Computers
