Backup BitLocker recovery key to Active Directory Domain Services error (Vista RC1 5728)
I read the BitLocker Drive Encryption: Technical Overview on the MS web site: http://www.microsoft.com/technet/windowsvista/security/bittech.mspx

In section 4.2.3, Enterprise Deployment:

BitLocker supports scripting and easy integration with Active Directory and Group Policy technologies. In enterprise deployments, the IT administrator follows the following steps:

1. Prepare Active Directory for BitLocker (TPM and recovery) keys by going through the following:
   - Keys used by BitLocker may be stored in Active Directory (both TPM keys and/or recovery keys).
   - Extend schema with TPM and BitLocker attributes and objects. (Does not apply to Windows Server "Longhorn".)
   - Set permissions on the TPM and BitLocker recovery information schema objects. Locate the script containing the schema extension, named Add-WriteACEs.vbs. The script assumes that inheritance of permissions from the top-level domain object to the targeted computer objects is set. If any container in the hierarchy does not allow inherited permissions from the parent to take effect, permissions will not be set as needed. Run script Add-WriteACEs.vbs at the command prompt.

I have some questions about this information:

1. Can I use Windows Server 2003 to back up the client BitLocker recovery key?
2. "Extend schema with TPM and BitLocker attributes and objects": what does it mean? How should I do it?
3. Where can I find Add-WriteACEs.vbs? I cannot find it in Windows Server 2003.

Could anyone reply to me? Thank you very much! :)
October 16th, 2006 5:34am
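As an added example, not code from this thread or from Microsoft's guide: a PowerShell check, from the administrator's side, that the schema extension the steps above refer to has actually landed, that a given computer object already holds escrowed recovery information, and which access entries for the computer account itself exist on that object. It assumes the RSAT ActiveDirectory module is installed and uses the hypothetical computer name WORKSTATION01; the schema object names are the ones the BitLocker/TPM schema extension defines, and the note that the ACE script targets the SELF principal comes from the later Microsoft guide, not from this thread.

```powershell
# Added example, not from the thread: verify BitLocker/TPM schema objects and
# escrowed recovery information in AD. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-BitLockerSchema {
    # Schema objects (cn values) that BitLocker/TPM key escrow relies on
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $wanted = 'ms-FVE-RecoveryInformation', 'ms-FVE-RecoveryPassword',
              'ms-FVE-RecoveryGuid', 'ms-TPM-OwnerInformation'
    foreach ($name in $wanted) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$name)" -ErrorAction SilentlyContinue
        [pscustomobject]@{ SchemaObject = $name; Present = [bool]$obj }
    }
}

function Get-EscrowedRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery information is stored as child objects beneath the computer object.
    # Only metadata is selected; the recovery password attribute is deliberately not read.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated |
        Select-Object Name, whenCreated
}

function Get-SelfWriteAces {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # The ACE script in Microsoft's guide grants the computer account (NT AUTHORITY\SELF)
    # the right to write its own escrow data; list whichever ACEs for SELF are present.
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference -like '*SELF' } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
}

# Usage (WORKSTATION01 is an assumed placeholder name):
Test-BitLockerSchema | Format-Table -AutoSize
Get-EscrowedRecoveryInfo -ComputerName 'WORKSTATION01'
Get-SelfWriteAces -ComputerName 'WORKSTATION01'
```

If Test-BitLockerSchema reports every object as present but Get-EscrowedRecoveryInfo returns nothing for a machine that is already encrypted, the missing piece is usually the permission step rather than the schema: without a write ACE for SELF the client cannot create the child object, and the Group Policy backup silently has nowhere to write.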

On 1: Yes, you can back up the recovery information as properties of the AD computer object.

On 2: The necessary schema extensions for Vista appear to be located on the Vista DVD under <Drive>:\sources\adprep. You will need Enterprise Admin rights to extend the schema. Just run: adprep /forestprep, then: adprep /domainprep, and: adprep /domainprep /gpprep

On 3: I wish I knew the answer to that. I am looking for that script myself. I did send feedback on the Technical Overview page that you reference, but I have not received an answer as of yet. I suspect the script does not exist yet. For what it is worth, both the AD schema and permissions changes that are required for BitLocker key escrow are documented in the "Optimizing Client Security by Using Windows Vista" guide, available from the Microsoft downloads site: http://www.microsoft.com/downloads/details.aspx?FamilyID=6e997c28-9fb2-4119-b405-c6e898f85c0c&DisplayLang=en

I have tried performing these ACL changes manually, but have not yet been successful in performing a TPM password or BitLocker recovery key backup. I am considering opening an incident with MS to figure this out.
December 5th, 2006 5:46pm

Hi,

According to the information I've heard from Microsoft, you should NOT use adprep on the Vista DVD! It's there for informational purposes only. Information and tools for extending the schema for BitLocker recovery keys should become available soon, when it's ready.

HTH
Mika
December 7th, 2006 12:00pm

The information is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. I wrote a bit more info on http://msmvps.com/blogs/mika/archive/2007/01/12/guide-for-configuring-ad-to-back-up-bitlocker-and-tpm-recovery-information.aspx.
January 12th, 2007 11:35am
