Category Archives: Bitlocker

Access Denied Error 0×80070005 message when initializing TPM for Bitlocker

Posted on by
1

When you try to turn on Bitlocker on 7 Operating System Drive, you may get the Access Denied Error message while initializing TPM.

image

Additionally, when you open the TPM Management Console and you try to initialize TPM you get error message 0×80070005.

image

Solution:

To set correct permissions, follow the instruction below:

1. Open Users and Computers.

2. Select the OU where you have all computers which will have Bitlocker turned ON.

3. Right Click on the OU and click Delegate Control.

image

4. Click Next and then click Add.

image

image

5. Type SELF as the Object Name.

image

6. Select create a custom task to delegate.

image

7. From the object in the folder, select Computer Objects.

image

8. Under show these permissions, select all 3 checkbox.

image

9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.

image

10. Click Finish.
image

After you have done the above steps, you should be able to initialize TPM successfully.

It worked for me!!!

SOURCE

Post to Twitter

BitLocker Active Directory Recovery Password Viewer on Windows Server 2008 R2

Posted on by
2

You can find BitLocker Password Recovery tool on Server under Features. You can install the tool by opening Server Manager and under »Add Features« look for »Remote Server Administration « »Feature Administration «. Here select »BitLocker Diver Encryption Administration Utilities« and follow the wizard.

Once install process completes you can open Users and Computers and right click on domain level. You should now see »Find BitLocker Recovery Password…«

Post to Twitter

BitLocker to Go & Save the Recovery key in Active Directory

Posted on by
Reply

Before you start wit Bitlocker to Go your domain controllers must be . You must upgrade your Schema.

After done that I made a group policy named Bitlocker to Go.
You can find the Bitlocker Policy under: Computer Configuration | Policies | Administrative Templates: Policy Definitions | Components | BitLocker Drive Encryption | Removable Data Drives.

I enabled the following policies:

Choose How BitLocker Removable Drives Can Be Recovered

image

At first you must select the Allow Agent option. This option should be selected by default, but since this option is what makes the entire key recovery process possible, it is important to verify that the option is enabled.

Next, you will enable the Omit Recovery Option From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.

Next, you will have to select the Save BitLocker Recovery Information to AD DS for Removable Data Drives. This is the option that actually saves the BitLocker recovery keys to the .

Finally, you should select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This option forces Windows to confirm that the recovery has been written to the Active Directory before BitLocker is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key half way through the encryption process.

Windows SP2 & SP3 can only read the bitlocker usb stick.

Post to Twitter