Bitlocker Management Questions
We are using SCCM 2007 to deploy Windows 7 Enterprise, and we currently have BitLocker enabled in the task sequence that is used to deploy Windows 7. We have a basic GPO configured for BitLocker and have the schema extensions completed as per the BitLocker deployment guide. We have computers encrypted with BitLocker and have set PINs, and it is all working. It seems that by default only Domain Admins are able to view the recovery information in AD. How are we able to control this via normal AD permissions? We just want to grant access to users in a security group to view BitLocker recovery information for all computers in the domain. I see an article about delegating access, but it seems very complex; is there a simple way to do this? We are also wondering how we can set a custom message to appear at the BitLocker boot screen, where users enter their PIN. Hopefully there is a simple way to set this, in group policy perhaps? Also, in terms of BitLocker management, we would like to be able to easily view which computers are encrypted and generate some basic compliance reports about them. I see there is a Microsoft BitLocker Administration and Monitoring tool that might be able to do this. I'm wondering if we can install this tool and then just use it for compliance, without needing to make too many changes to our BitLocker configuration, which is basically already set up?
July 11th, 2012 1:56pm

It's actually not complex when using the BitLocker MBAM which you mentioned. You add users to the groups on the MBAM server for different access in the BitLocker Web Console itself. As for viewing the BitLocker Recovery info in AD, that is not a permissions issue that is preventing some from seeing it. Anybody who needs to see the BitLocker info in AD will need the RSAT tools installed on their machine with the BitLocker feature enabled. You can also customize the message which appears through the MBAM Group Policy. It's easy to set up. You may need to run a script on all current BitLocker-enabled users' machines to back up their info if it's not already stored in AD. But other than that it should do everything you need: report on compliance, delegate access, allow you to customize the warning, etc. I blogged about backing stuff up from machines that have BitLocker already enabled here: http://rorymon.com/blog/index.php/setting-up-mbam-issues-and-fixes/
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
July 12th, 2012 1:27pm

Thanks, I have reviewed the MBAM documentation. It requires more setup than I was thinking; it looks like putting the components on 3 servers is the recommended way to do it. As far as you know, is deploying MBAM the only possible way to add a custom message on the BitLocker boot-up screen? In terms of access to the recovery key data, there does seem to be some type of permissions issue with viewing the data on the recovery tab. Users that are Domain Admins are able to see the tab and the data, but when AD is run by our helpdesk staff's user accounts on the same PC with RSAT and the BitLocker viewer feature installed, they can view the tab, but not the actual recovery data. Tried this with a few DAs and helpdesk staff, on PCs where both were installed, and all the DAs can view it but regular staff can't. I see MBAM creates security groups to manage this by default, which is perfect, but at this point we're not sure if we will deploy MBAM, so still wondering if there's a way to delegate permission to view the password recovery data beyond just Domain Admins.
July 12th, 2012 3:41pm

To be honest I have not attempted to customize the message with a manual deployment. I have only done this using the MBAM deployment, e.g. MBAM has its own set of GPO rules you can apply. Just a possibility... because I actually re-imaged my own machine here and don't have RSAT installed at the moment, but do the users have Advanced Features enabled within AD? I would think the MBAM setup is a no-brainer for you as it checks all the boxes. I have it set up across two machines currently: an Application Server and a SQL Server. The SQL setup does require a couple of completely separate instances.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
July 12th, 2012 4:48pm

I found this info. http://blogs.technet.com/b/craigf/archive/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information.aspx
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
July 13th, 2012 2:23pm
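For anyone landing here with the same two questions (delegating read access to the recovery passwords without MBAM, and a quick "who has keys escrowed" report), here is an added PowerShell example; it is not code from the thread or from the linked blog post. It assumes RSAT's ActiveDirectory module and dsacls.exe are present on the admin workstation, and the group name is a placeholder.

```powershell
# Added example (not from this thread or the linked article). Assumes the
# ActiveDirectory module and dsacls.exe are available and that recovery
# info is already being backed up to AD (msFVE-RecoveryInformation objects).
Import-Module ActiveDirectory

$Domain      = (Get-ADDomain).DistinguishedName       # e.g. DC=corp,DC=example
$ReaderGroup = 'CORP\BitLocker-Recovery-Readers'      # placeholder group name

# 1. Delegate read-only access to the recovery objects, domain-wide.
#    /I:S  = apply the ACE to sub-objects only (inherited, not on the root).
#    GR    = Generic Read, restricted to objects of class
#            msFVE-RecoveryInformation, so the group can read the recovery
#            password without being a Domain Admin and without any write rights.
& dsacls.exe $Domain /I:S /G "${ReaderGroup}:GR;;msFVE-RecoveryInformation"

# 2. Report which computers have recovery info escrowed in AD. The presence
#    of an msFVE-RecoveryInformation child object is the only encryption
#    evidence plain AD holds; a machine encrypted before the backup GPO
#    applied will show as non-compliant until its keys are re-escrowed.
function Get-BitLockerAdReport {
    param([string]$SearchBase = $Domain)
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                               -SearchBase $_.DistinguishedName -Properties whenCreated)
        [pscustomobject]@{
            Computer     = $_.Name
            RecoveryKeys = $keys.Count
            LatestBackup = ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
            Compliant    = ($keys.Count -gt 0)
        }
    }
}

# Non-compliant machines sort to the top of the table.
Get-BitLockerAdReport | Sort-Object Compliant, Computer | Format-Table -AutoSize
```

The delegation step only grants read; the recovery objects are still created by the machine accounts via the GPO backup, so nobody in the reader group gains the ability to alter or delete them.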
