1
00:00:01,040 --> 00:00:05,610
So specifically, what do we mean by AD BitLocker Key Recovery?

2
00:00:05,610 --> 00:00:07,260
This is an option.

3
00:00:07,260 --> 00:00:09,770
It's not enabled by default in your domain.

4
00:00:09,770 --> 00:00:13,950
It's an option to store your server and potentially your client Windows

5
00:00:13,950 --> 00:00:18,270
devices recovery key information in Active Directory directly,

6
00:00:18,270 --> 00:00:19,440
you see.

7
00:00:19,440 --> 00:00:20,590
Over on the right side,

8
00:00:20,590 --> 00:00:24,850
you see a representative properties sheet from Active Directory Users

9
00:00:24,850 --> 00:00:28,120
and Computers that when you enable this extension,

10
00:00:28,120 --> 00:00:31,150
you have a new tab in there called BitLocker Recovery,

11
00:00:31,150 --> 00:00:34,310
and this would allow your delegated administrators,

12
00:00:34,310 --> 00:00:41,300
perhaps your help desk staff, to recover that key for users if their machine,

13
00:00:41,300 --> 00:00:44,240
for whatever reason, has triggered BitLocker recovery,

14
00:00:44,240 --> 00:00:47,070
or if you have a server that's done the same thing.

15
00:00:47,070 --> 00:00:48,540
It's a convenience.

16
00:00:48,540 --> 00:00:51,420
You optionally can store the entire key package,

17
00:00:51,420 --> 00:00:55,430
not just the recovery password, it's called a recovery password,

18
00:00:55,430 --> 00:00:59,210
but it's just a numeric string, as you can see in the screenshot,

19
00:00:59,210 --> 00:01:02,910
but you can actually store the whole key package in AD

20
00:01:02,910 --> 00:01:07,250
optionally and that would be if maybe the TPM chip on your

21
00:01:07,250 --> 00:01:11,080
server or client device was corrupted and you needed to restore

22
00:01:11,080 --> 00:01:14,740
the entire package back to the TPM.

23
00:01:14,740 --> 00:01:19,260
So this technology has GUI, or graphical user component.

24
00:01:19,260 --> 00:01:22,140
You can see here the BitLocker Recovery tab.

25
00:01:22,140 --> 00:01:26,330
The BitLocker Recovery Password Viewer is a separate GUI tool that allows,

26
00:01:26,330 --> 00:01:27,070
say again,

27
00:01:27,070 --> 00:01:31,470
a delegated support person to do a search for a server or client

28
00:01:31,470 --> 00:01:39,000
hostname and quickly look up the recovery key. Now let's do a demo, and we can illustrate some of this theory.