Bitlocker Management Questions
We are using SCCM 2007 to deploy Windows 7 Enterprise, and we currently have BitLocker enabled in the task sequence that is used to deploy Windows 7. We have a basic GPO configured for BitLocker and have completed the schema extensions as per the BitLocker deployment guide. We have computers encrypted with BitLocker and have set PINs, and it is all working. It seems that by default only Domain Admins are able to view the recovery information in AD. How are we able to control this via normal AD permissions? We just want to grant access to users in a security group to view BitLocker recovery information for all computers in the domain. I see an article about delegating access, but it seems very complex; is there a simple way to do this? We are also wondering how we can set a custom message to appear at the BitLocker boot screen, where users enter their PIN. Hopefully there is a simple way to set this, in group policy perhaps? Also, in terms of BitLocker management, we would like to be able to easily view which computers are encrypted and generate some basic compliance reports about them. I see there is a Microsoft BitLocker Administration and Monitoring tool that might be able to do this. I'm wondering if we can install this tool and then just use it for compliance, without needing to make too many changes to our BitLocker configuration, which is basically already set up?
July 11th, 2012 1:56pm
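The "which computers are encrypted" question above can be partly answered from AD alone, before deciding on MBAM. The PowerShell below is an added example, not code from this thread or from Microsoft: it lists, per computer, whether any msFVE-RecoveryInformation child objects have been escrowed under the computer object. The function name Get-BitLockerEscrowReport, the Windows 7 OS filter and the stale-days cutoff are my own choices. The account running it needs read access to those recovery objects, and the result shows escrow status only, not live volume encryption state (a machine can be encrypted while the AD backup failed, or carry recovery info from an earlier encryption). Assumes PowerShell 3.0 or later with the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread): escrow-status report built from AD only.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # OU or domain to scope the report
        [int]$StaleDays = 90                                     # skip machines not logged on recently
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Only Windows 7 clients are in scope for this deployment (filter is an assumption).
    $computers = Get-ADComputer -SearchBase $SearchBase `
                   -Filter { OperatingSystem -like 'Windows 7*' } `
                   -Properties OperatingSystem, LastLogonDate

    foreach ($c in $computers) {
        if ($c.LastLogonDate -and $c.LastLogonDate -lt $cutoff) { continue }

        # Recovery objects are direct children of the computer object, one per
        # recovery password that was backed up (re-encryption adds more).
        $recovery = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                        -Properties whenCreated)

        $lastEscrow = $null
        if ($recovery.Count -gt 0) {
            $lastEscrow = ($recovery | Sort-Object whenCreated -Descending)[0].whenCreated
        }

        [pscustomobject]@{
            Computer     = $c.Name
            OU           = ($c.DistinguishedName -split ',', 2)[1]
            RecoveryKeys = $recovery.Count
            LastEscrow   = $lastEscrow
            Status       = if ($recovery.Count -gt 0) { 'Escrowed' } else { 'NO RECOVERY INFO' }
        }
    }
}

# Usage: the machines with no escrowed key are the ones to chase first, because a
# lost PIN or TPM change on them means the data is unrecoverable.
Get-BitLockerEscrowReport | Sort-Object Status, Computer | Format-Table -AutoSize
Get-BitLockerEscrowReport |
    Where-Object { $_.Status -ne 'Escrowed' } |
    Export-Csv .\bitlocker-escrow-gaps.csv -NoTypeInformation
```

Pair this with the "Require BitLocker backup to AD DS" setting in the BitLocker GPO so that a missing recovery object really does mean the volume was not encrypted (or the backup was blocked), rather than that encryption went ahead without escrow.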

Thanks, I have reviewed the MBAM documentation. It requires more setup than I was thinking; it looks like putting the components on 3 servers is the recommended way to do it. As far as you know, is deploying MBAM the only possible way to add a custom message on the BitLocker boot-up screen? In terms of access to the recovery key data, there does seem to be some type of permissions issue with viewing the data on the recovery tab. Users that are Domain Admins are able to see the tab and the data, but when AD is run by our helpdesk staff's user accounts on the same PC with RSAT and the BitLocker viewer feature installed, they can view the tab but not the actual recovery data. Tried this with a few DAs and helpdesk staff, on PCs where both were installed, and all the DAs can view it but regular staff can't. I see MBAM created security groups to manage this by default, which is perfect, but at this point we're not sure if we will deploy MBAM, so I'm still wondering if there's a way to delegate permission to view the password recovery data beyond just Domain Admins.
July 12th, 2012 3:30pm
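The symptom described in both posts (helpdesk sees the recovery tab but no data) matches the default ACL on msFVE-RecoveryInformation objects, which grants read only to Domain Admins; the computer object itself is readable, so the tab appears. The PowerShell below is an added example, not from this thread and not Microsoft's delegation script: it grants one group GenericRead on descendant msFVE-RecoveryInformation objects only, applied once at the domain root, so the group gets nothing on the computer objects or anywhere else. The group name BitLocker-Recovery-Readers is a placeholder; run it once as a Domain Admin with the ActiveDirectory RSAT module loaded.

```powershell
# Added example (not from the thread): least-privilege delegation of BitLocker
# recovery information in AD. Placeholder group: BitLocker-Recovery-Readers.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'BitLocker-Recovery-Readers'   # placeholder, must already exist

# 1. Resolve the schema GUID of the msFVE-RecoveryInformation class. The ACE is
#    scoped to this class so it never applies to the computer objects themselves.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC `
              -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
              -Properties schemaIDGUID
$fveGuid  = [guid]$fveClass.schemaIDGUID

# 2. Build the ACE: Allow GenericRead, inherited by descendants, but only onto
#    objects of the msFVE-RecoveryInformation class.
$sid = (Get-ADGroup $groupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $fveGuid)

# 3. Apply it at the domain root so every computer's recovery objects inherit it,
#    including computers created later. Requires rights to modify the domain ACL.
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 4. Verify and record the change: show only the ACEs held by the new group.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

After the helpdesk accounts are added to the group and have logged on again, the existing BitLocker Recovery Password Viewer tab should show the password for any computer. Treat the group as privileged: its members can read every escrowed recovery password in the domain, so keep it small, audit its membership, and scope the ACE to an OU instead of the domain root if only some computers should be in reach.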
