Managing EFS and BitLocker certificates, including backup and restore
It is important that you enable EFS and BitLocker recovery procedures for all encrypted data
and volumes. Without a full backup of recovery information, vital information might be
unavailable in an emergency. This recovery information is sensitive, however, and should be
stored in secure locations and not be readily available except in an emergency. And in all
cases, it should never be in the same location as the item it is protecting. (Printing out your
BitLocker recovery key and then taping it to the back of your laptop is a really, really bad
idea.)
Enabling AD DS storage of BitLocker recovery keys
You can enable the storage of BitLocker recovery keys in AD DS by enabling the GPO settings.
There are three settings that control recovery key saving for Windows Server 2008 R2,
Windows 7, Windows Server 2012, Windows 8, Windows Server 2012 R2, and Windows 8.1.
These settings, which are in the Computer Configuration\Policies\Administrative Templates\
Windows Components\BitLocker Drive Encryption folder, are these:
Choose How BitLocker-Protected Fixed Data Drives Can Be Recovered
Choose How BitLocker-Protected Operating System Drives Can Be Recovered
Choose How BitLocker-Protected Removable Drives Can Be Recovered
EXAM TIP
When you enable BitLocker policies, create them on the policy that applies to the computer
on which you're enabling BitLocker. While you can use the Default Domain policy for
BitLocker policies, that doesn't allow you to save the recovery passwords for your BitLocker
protected domain controllers.
When one of these policies is set to Enabled, you have additional options (see Figure 2-34),
including the following:
Allow Or Require 48-Digit Recovery Password
Allow Or Require 256-Bit Recovery Password
Save BitLocker Recovery Information To AD DS
Backup Recovery Passwords And Key Packages
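The following PowerShell script is an added example, not code from the book, showing what the three policies above produce on a client and how an administrator can confirm that recovery passwords actually reached AD DS. It reads the policy as it lands in the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE (the OS/FDV/RDV value names are Microsoft's; the encoding of ActiveDirectoryInfoToStore, 1 = passwords and key packages, 2 = passwords only, is stated here from memory), escrows every recovery password protector with Backup-BitLockerKeyProtector, and then looks for the matching msFVE-RecoveryInformation objects under the computer account. It assumes an elevated session on a domain-joined Windows 8 / Windows Server 2012 or later machine with the BitLocker module, and the RSAT ActiveDirectory module for the final check; the variable and property names are the script's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): audit the BitLocker recovery-key escrow policy,
# escrow every recovery password to AD DS, and verify the escrow from the directory side.

# 1. Show how the three GPO settings are applied. Each setting writes values with a
#    prefix: OS = operating system drives, FDV = fixed data drives, RDV = removable drives.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy     = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

foreach ($prefix in 'OS', 'FDV', 'RDV') {
    $backup  = if ($policy) { $policy."${prefix}ActiveDirectoryBackup" }        # "Save BitLocker Recovery Information To AD DS"
    $require = if ($policy) { $policy."${prefix}RequireActiveDirectoryBackup" } # block encryption until the backup succeeds
    $store   = if ($policy) { $policy."${prefix}ActiveDirectoryInfoToStore" }   # 1 = passwords + key packages, 2 = passwords only (assumed encoding)

    if ($backup -ne 1) {
        # Weak state: the drive type can be encrypted with no copy of the recovery
        # password anywhere an administrator can reach. Flag it loudly.
        Write-Warning "$prefix drives: AD DS backup of recovery information is NOT enabled"
    } else {
        $what = if ($store -eq 1) { 'recovery passwords and key packages' } else { 'recovery passwords only' }
        $gate = if ($require -eq 1) { 'encryption waits for a successful backup' } else { 'backup is best-effort' }
        Write-Host "$prefix drives: AD DS backup enabled; stores $what; $gate"
    }
}

# 2. Make sure every protected volume has a recovery password protector, then escrow it.
#    Backup-BitLockerKeyProtector only works for RecoveryPassword protectors.
$escrowed = @()
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Nothing to escrow yet: add a 48-digit recovery password (the thing the
        # "Allow Or Require 48-Digit Recovery Password" option is about).
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            $escrowed += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $p.KeyProtectorId }
        } catch {
            # Typical causes: policy not applied, no line of sight to a DC, or the
            # computer account lacks write access to its msFVE-RecoveryInformation children.
            Write-Warning "Escrow failed for $($vol.MountPoint) $($p.KeyProtectorId): $_"
        }
    }
}

# 3. Verify from AD DS. Each escrow creates an msFVE-RecoveryInformation object directly
#    under the computer object; its name ends with the protector GUID. Reading these
#    objects needs the delegated "read BitLocker recovery information" permission.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $adKeys   = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                             -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    foreach ($e in $escrowed) {
        $found = $adKeys | Where-Object { $_.Name -like "*$($e.KeyProtectorId)" }
        $state = if ($found) { 'present in AD DS' } else { 'MISSING from AD DS' }
        Write-Host "$($e.MountPoint) $($e.KeyProtectorId): $state"
    }
} else {
    Write-Host 'ActiveDirectory module not available; skipping directory-side verification'
}
```

Run it after the GPO has refreshed (gpupdate /force) on a machine in the scope of the policy; for the exam-tip case above, a domain controller will show the escrow failing or the AD object missing if the policy was only linked at a level that does not reach the Domain Controllers OU. The script deliberately never prints the recovery password itself; it only confirms that a copy exists where a recovery procedure can find it.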