How to delegate access to BitLocker Recovery information in Active Directory


Symptoms

When you use Active Directory to store BitLocker Recovery passwords, this information by default is only available for members of the Domain Administrators group. Adding Read permissions to the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory.

Cause

When Windows stores BitLocker Recovery information in Active Directory, it stores confidential information in the directory as clear text. At the time Active Directory was developed by Microsoft, the only way to hide information from member users in AD was to encrypt that information. To hide the BitLocker Recovery Passwords from ‘ordinary’ users in AD, Microsoft introduced a new feature in Active Directory: with Service Pack 1 for Windows Server 2003, Microsoft added the ‘confidentiality bit’ to the searchFlags attribute in the Active Directory Schema. All objects created with the confidentiality bit set to 1 are only available to users who have Full Control access to that object; they are hidden from all other users in Active Directory.

BitLocker stores objects of the type msFVE-RecoveryInformation in Active Directory with the confidentiality bit set to 1. This way, these objects are only shown to users who have Full Control access to them. By default, Domain Administrators have Full Control access to all objects in Active Directory.

Resolution

In order to delegate access to BitLocker Recovery Information objects in Active Directory to users who are not members of the Domain Administrators group, Full Control access must be granted to these users. This can be done by a member of the Domain Administrators group using the Delegation of Control Wizard in the Active Directory Users & Computers console (DSA.MSC).

Use the following procedure to enable access to BitLocker Recovery Information at the domain level for a group named “BitLocker Admins” in Active Directory:

  1. In Active Directory Users & Computers, right-click the domain name and select Delegate Control…
  2. In the first dialog of the Delegation of Control Wizard, click Next.
  3. In the Users or Groups dialog, add the group or users for delegation (i.e. BitLocker Admins) to the list and click Next.
  4. In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next.
  5. In the Active Directory Object Type dialog, select Only the following objects in the folder.
  6. In the list, select msFVE-RecoveryInformation objects and click Next.
  7. In the Permissions dialog, select Full Control under Permissions and click Next.
  8. Click Finish.

Now members of the BitLocker Admins group that are not members of Domain Admins can read BitLocker Recovery Information in Active Directory.
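The following PowerShell is an added example, not code from the original post: it checks the confidentiality bit the post describes, lists which principals hold Full Control that inherits down to msFVE-RecoveryInformation objects (the audit a domain admin wants after running the wizard), and verifies from the delegated account's context that recovery information is readable for one computer. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the computer name is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) in a domain-joined session. Nothing here prints a recovery
# password; only counts and ACEs are shown.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

function Test-ConfidentialAttribute {
    # True when the schema attribute carries the confidentiality bit (searchFlags 0x80).
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties searchFlags
    return [bool]($attr.searchFlags -band 0x80)
}

function Get-RecoveryInfoFullControl {
    # Lists ACEs on the domain that grant Full Control (GenericAll) inherited down to
    # msFVE-RecoveryInformation objects; these principals can read recovery passwords.
    # An empty InheritedObjectType means the ACE applies to every object type (e.g. Domain Admins).
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
    $fveGuid = [guid]$cls.schemaIDGUID
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
        ($_.InheritedObjectType -eq $fveGuid -or $_.InheritedObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType
}

function Test-RecoveryInfoReadable {
    # Verifies the delegation from the caller's context: counts the recovery objects
    # under a computer and how many return a value for msFVE-RecoveryPassword.
    # Without Full Control the recovery password is not returned.
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $objs = Get-ADObject -SearchBase $computer.DistinguishedName `
                -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties msFVE-RecoveryPassword
    $readable = @($objs | Where-Object { $_.'msFVE-RecoveryPassword' }).Count
    return [pscustomobject]@{ Computer = $ComputerName; RecoveryObjects = @($objs).Count; PasswordReadable = $readable }
}

"msFVE-RecoveryPassword is confidential: $(Test-ConfidentialAttribute -LdapDisplayName 'msFVE-RecoveryPassword')"
Get-RecoveryInfoFullControl | Format-Table -AutoSize
Test-RecoveryInfoReadable -ComputerName 'WKS-PLACEHOLDER'   # placeholder computer name
```

Run the last function as a member of BitLocker Admins who is not a Domain Admin: PasswordReadable should equal RecoveryObjects once the delegation is in place.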

    More information

    How to mark an attribute as confidential in Windows Server 2003 Service Pack 1

    Posted in BitLocker, Windows 7 | 5 Comments

    Customizing Windows Help and Support in Windows 7

    During my TechEd sessions I noticed that hardly anyone succeeded in customizing Windows Help and Support. Although I think this is the most logical place for users to start searching for support, it seems very hard for OEMs and enterprises to enter their information in this section of the operating system.

    If you brand your PC, where would you add your information for users to find support?

    I think the answer to this one is simple: In the built-in Help system.

    Practice has proven that this hardly ever happens. Ever since I used Windows there has been a registry location to add OEM information in the OS. That information then appears with the system properties when requested.

    Adding this information is simple. Just add the following values in the registry and you’re set:

    HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation

    • Manufacturer (string)
    • Model (string)
    • SupportHours (string)
    • SupportPhone (string)
    • SupportURL (string)
    • Logo (string)

    The Logo value points to the location of a bitmap with a maximum size of 120 x 120 pixels.
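As an added example (not code from the original post), the following PowerShell writes the six OEMInformation values listed above and refuses a Logo that is not a bitmap of at most 120 x 120 pixels. The sample values are constructed; it assumes an elevated session.

```powershell
# Added example, not from the original post. Sample values are constructed;
# replace them with your own. Requires an elevated PowerShell session.
Add-Type -AssemblyName System.Drawing

$OemKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\OEMInformation'

function Test-OemLogo {
    # True when the file is a .bmp of at most 120 x 120 pixels, the limit
    # the post gives for the Logo value.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        return ($img.RawFormat.Equals([System.Drawing.Imaging.ImageFormat]::Bmp) -and
                $img.Width -le 120 -and $img.Height -le 120)
    } finally {
        $img.Dispose()
    }
}

function Set-OemInformation {
    param(
        [Parameter(Mandatory)][string]$Manufacturer,
        [Parameter(Mandatory)][string]$Model,
        [string]$SupportHours,
        [string]$SupportPhone,
        [string]$SupportURL,
        [string]$Logo
    )
    if ($Logo -and -not (Test-OemLogo -Path $Logo)) {
        throw "Logo must be an existing .bmp of at most 120 x 120 pixels: $Logo"
    }
    if (-not (Test-Path $OemKey)) { New-Item -Path $OemKey -Force | Out-Null }
    # All six values are REG_SZ (string), matching the list above; empty ones are skipped.
    foreach ($name in 'Manufacturer', 'Model', 'SupportHours', 'SupportPhone', 'SupportURL', 'Logo') {
        $value = Get-Variable -Name $name -ValueOnly
        if ($value) {
            New-ItemProperty -Path $OemKey -Name $name -Value $value -PropertyType String -Force | Out-Null
        }
    }
}

# Constructed sample values; add -Logo 'C:\path\to\oemlogo.bmp' once a bitmap is in place.
Set-OemInformation -Manufacturer 'Contoso Ltd. (placeholder)' -Model 'Workstation 7' `
    -SupportHours 'Mon-Fri 08:00-18:00' -SupportPhone '+00 000 000 0000' `
    -SupportURL 'https://support.example.com'

Get-ItemProperty -Path $OemKey | Format-List Manufacturer, Model, Support*, Logo
```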

    Customized System Properties Page

    This customization currently is the only mandatory location for OEMs and system builders to brand their systems. Personally I think they don’t care, because no user will ever find the information anyway.

    The only logical location for an ordinary user who needs help while using Windows to me is the Help and Support link located in the start menu. The default view in Windows 7 hardly shows any useful information, but allows a user to search for all sorts of information in the Windows Help database.

    As the system administrator you can easily modify two pages in Windows Help that are known as the Windows Help Home page and the escalation page, which can be reached by clicking “More information” at the bottom of the screen.

    (Screenshots: the default Help Home page and the default Escalation page)

    The mission to change Windows Help and Support may seem hard at first. And that is for a number of reasons:

    • Windows Help files are created in AML, or Assistance Markup Language, a mixture of HTML and XML. Experience has proven that you will hardly find anyone who masters this language, although HP must have someone, as they have a beautifully crafted Help customization in place on their OEM branded machines. Information about AML can be found in the Help Authoring Guide that comes with the Windows AIK and Windows OPK.
    • Windows Help files must be compiled before they can be implemented. The help compiler may be hard to find when you mostly work with 64-bit systems, because the compiler is not installed when you install the Windows AIK or Windows OPK on these systems. When you install the Windows AIK or Windows OPK on a 32-bit system, the compiler is in the folder C:\Program Files\Windows AIK\SDKs\Help Compiler or C:\Program Files\Windows OPK\SDKs\Help Compiler, depending on the installed installation kit. The Help Compiler installed on a 32-bit system will work on a 64-bit system if you just copy the files to the 64-bit system.
    • To enable Help Customization you must install a Windows feature. For some reason I still don’t understand, Microsoft has decided to create two features for Help Customization: one for OEMs and System Builders, and one for corporations. Both customizations have a separate URL to insert the customization, but the result looks the same from the end user perspective.

    When first investigating the possibility to customize Windows Help and Support, I noticed that the information in the Windows OPK and Windows AIK is not very clear. But it can be done. Especially when you start from the sample files that come with the Windows AIK and Windows OPK.

    The sample files that come with these packages can be found in the folder C:\Program Files\Windows AIK\Samples\Help Customizations or C:\Program Files\Windows OPK\Samples\Help Customizations, depending on the installed installation kit. In this folder you will find the following contents:

    • A file HelpConfig.XML
    • A folder structure:
      • Fabrikam Source
        • En-us
          • HelpHome
            • Topics
            • Resource
          • Escalation
            • Topics
            • Resource

    The files in the Fabrikam Source folder are there to complete the set of compiled help files. For this case we will copy these files to a folder C:\HelpSetup\en-us. If you are working with the Windows AIK, all file names have the prefix corporate_. When working with the Windows OPK, all files have the prefix OEM_.

    Copy both the HelpHome and Escalation folders to C:\HelpContent. From now on we will only work with the contents of these two newly created folders.

    In both folders named Topics under HelpHome and Escalation, you will find an XML file that contains readable information about Fabrikam in the AML format. For HelpHome this is HelpHome.xml and for Escalation this is Escalation.xml. You can edit the text in the XML to reflect your company information.

    Both Topics folders contain the artwork for Fabrikam and a RSS file. You can replace the PNG file with a file that contains your logo as long as it has the same pixel size.

    After you have edited the contents of the XML files, you can compile the help content for HelpHome and Escalation.

    Make sure you have the Help Compiler available on the computer (see the third bullet above). Then run the following commands:

    Apcompnt.exe -p C:\HelpContent\HelpHome\HelpHome.h1c -o C:\HelpSetup\en-us\HelpHome.h1s

    Apcompnt.exe -p C:\HelpContent\Escalation\Escalation.h1c -o C:\HelpSetup\en-us\Escalation.h1s

    This creates the full set of compiled help files in C:\HelpSetup\en-us. If you are working with a language other than English, rename the en-us folder according to your language standard. In the Netherlands the folder would be named nl-nl.

    Now we have to prepare a file named HelpConfig.XML to tell Windows where the compiled help files are located and where the contents should be inserted in the help file. The file HelpConfig.XML can be found in C:\Program Files\Windows AIK\Samples\Help Customizations or C:\Program Files\Windows OPK\Samples\Help Customizations. Open the file in Notepad.

    In the contents of the file you will find 2 settings that are of concern in this case:

    1. A URL referring to the location of the compiled help files
    2. The locations where HelpHome and the Escalation pages will be inserted in Windows Help and Support

    The location for the compiled help files in the sample HelpConfig.xml file is \\YOURMACHINENAME\Fabrikam_Content\. Replace this text with the location of the compiled help files (e.g. C:\HelpSetup or \\<systemname>\HelpSetup).

    The location where the custom help content is inserted is referred to in URLs with the mshelp:// prefix. You will notice that the two URLs with this prefix say mshelp://oem. This is the prefix for OEMs that use the OPK to customize Windows Help. If you are running the Windows AIK, you have to change these prefixes from mshelp://oem to mshelp://corporate. If you are running the Windows OPK, you can leave these URLs alone.

    Now save the file as C:\Windows\Help\HelpConfig.xml on the system(s) that will get the customized Help and Support feature.

    With all files in place you are now ready to customize Windows Help and Support by enabling a Windows Feature on the machine. When using the Windows AIK, the feature is called CorporationHelpCustomization. If you are working with the Windows OPK the feature name is OEMHelpCustomization.

    You can enable the feature with DISM from the command line as follows:

    1. Start CMD.exe with Administrative privileges
    2. When using the Windows AIK, run the following command:
      dism /online /enable-feature /featurename:CorporationHelpCustomization
    3. When using the Windows OPK, run the following command:
      dism /online /enable-feature /featurename:OEMHelpCustomization

    This will install the feature and customize the Help Home and Escalation pages for Help and Support.

    If the command fails, it will refer to dism.log for more information. That file will refer to CBS.log, where you will find the actual reason why the installation of the HelpCustomization feature failed.

    (Screenshots: the customized Fabrikam Help Home page and Escalation page)

    If you are customizing the Help and Support feature from an automated installation, then you have to make sure that the compiled help files and HelpConfig.XML are in place on the installing system. You can do this from the $OEM$ folder and then enable the feature in the unattend.xml file.
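The whole procedure above, compile, rewrite HelpConfig.XML, enable the feature, as one PowerShell script. This is an added example and not part of the original post or the Windows AIK/OPK; it uses the paths and strings the post gives and assumes the Help Compiler has been copied to the 32-bit install location, with $UseAik switching between the Windows AIK and Windows OPK variants.

```powershell
# Added example, not from the original post. Automates the build steps above.
# Paths are the ones the post uses; the compiler location is assumed.
$Compiler    = 'C:\Program Files\Windows AIK\SDKs\Help Compiler\Apcompnt.exe'
$ContentRoot = 'C:\HelpContent'
$SetupRoot   = 'C:\HelpSetup'
$Locale      = 'en-us'            # rename for other languages, e.g. nl-nl
$SampleCfg   = 'C:\Program Files\Windows AIK\Samples\Help Customizations\HelpConfig.XML'
$UseAik      = $true              # $false when working from the Windows OPK

$outDir = Join-Path $SetupRoot $Locale
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Compile HelpHome and Escalation into .h1s files (the two Apcompnt.exe calls above)
foreach ($part in 'HelpHome', 'Escalation') {
    $src = Join-Path $ContentRoot "$part\$part.h1c"
    $dst = Join-Path $outDir "$part.h1s"
    & $Compiler -p $src -o $dst
    if ($LASTEXITCODE -ne 0) { throw "Apcompnt.exe failed for $part (exit code $LASTEXITCODE)" }
}

# 2. Rewrite the sample HelpConfig.XML: point it at the compiled files and, for the
#    Windows AIK, switch the insertion URLs from the OEM prefix to the corporate one.
$cfg = Get-Content -Path $SampleCfg -Raw
$cfg = $cfg.Replace('\\YOURMACHINENAME\Fabrikam_Content\', "$SetupRoot\")
if ($UseAik) { $cfg = $cfg.Replace('mshelp://oem', 'mshelp://corporate') }
Set-Content -Path 'C:\Windows\Help\HelpConfig.xml' -Value $cfg -Encoding UTF8

# 3. Enable the matching Windows feature (elevated session required)
$feature = if ($UseAik) { 'CorporationHelpCustomization' } else { 'OEMHelpCustomization' }
dism /online /enable-feature "/featurename:$feature"
if ($LASTEXITCODE -ne 0) {
    # DISM points to its own log, which in turn points to CBS.log for the real cause
    Write-Warning "DISM failed; check $env:windir\Logs\DISM\dism.log and $env:windir\Logs\CBS\CBS.log"
}
```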

    I hope this explanation will enable more people to create a branded Help and Support feature that lets their users find support information on their corporate systems more easily.

    Posted in Customizations, Windows 7 | 17 Comments

    Is Windows 7 RTM so good that SP1 needs no real improvements?

    Yesterday, Microsoft started the announcements about Windows 7 and Windows Server 2008 R2 SP1. The one thing that struck me was the fact that Windows 7 will only get some minor updates and bug fixes from the Service Pack. Even though Windows 7 is sweet and looks very good from the beginning, I think there still are a few rough edges in the OS to work on. I was really hoping that Microsoft did some work to add some more sweetness to Windows 7. But I’m afraid that we have to wait a little bit longer. Here is my shortlist of issues to be fixed or better said features to be finished and enhanced in an upcoming update of the OS.

    1. Libraries

    Libraries in Windows 7 are a wonderful thing as long as your data is on the local system or made available offline with the offline files option. The problem is that this is exactly where the story ends. Many people have been plagued with the dreadful "this location cannot be added because it is not indexed" message when they try to add a network shared folder to their libraries. The current solutions are:

    1. Make the added location available offline
    2. Index the data on the server (therefore it must be a Windows server)
    3. Completely disable the search feature for all libraries in Group Policy and lose file search in the start menu at the same time.
    4. Use an unsupported method by fooling the OS into thinking the data is local while it isn’t.

    Why not have an option to disable the indexing requirement per library? This is much less intrusive than option 3, which removes more functionality than any user would want. You can also read about this in my blog at www.xpworld.com.

    2. Libraries for system admins

    Libraries are nice from the end-user perspective, but what happened to the administrator’s perspective? Why can administrators still only redirect the My Documents, My Pictures, My Music etc. folders and not configure the complete contents of the library? I would have loved to add the departmental share to the documents library for my users from a policy instead of fixing this by hand on each system. When can I configure libraries from Group Policy? Microsoft, please also add the option to export and import library configurations as implemented in the Win7 Library Tool.

    3. Search support for Distributed File System (Dfs)

    Distributed File System was once one of Microsoft’s first attempts to virtualize the network. Nowadays it seems that Microsoft is moving away from this really useful feature, which allows administrators to hide the name of the actual file server from a user by creating a Dfs share. Windows Search, which is needed to add file locations to a library, doesn’t work when you connect the shared folder through Dfs. Users have to connect to the actual file server, and then the advantage of Dfs is gone. Microsoft, please add Dfs support to Windows Search.

    4. Multiple sound devices per source in Windows

    I have been a Media Center fan for quite some time, and this one really bugs me. In Windows XP Media Center I was able to connect my TV to the stereo jack of my PC and my receiver to the SPDIF connector and then play my media to both outputs at the same time. I then got stereo from the TV and Dolby Surround or DTS from the receiver. Since Microsoft changed the sound driver model for Windows Vista, I now have to choose which output I want to use. Now my Media Center is playing through the receiver all the time, because switching requires me to use the mouse or walk through the Media Center wizard to reconfigure the output. Microsoft, please enable multiple sound devices for a single application in Windows 7, especially for Media Center.

    5. Why did my system wake from sleep?

    Now that Windows finally has a decent sleep option, most of my systems are no longer switched off when I don’t use them. The only problem is that these systems sometimes seem to wake up for no reason at all. I already found out that most of the time the cause of the awakening can be found in the event log. I also found out that PowerCfg.exe allows you to configure which devices can wake a system from sleep. Why did I have to dig into a command line to list the devices that can wake up my systems and fix this? This should be part of the control panel applet that manages power features in Windows 7. Microsoft, please extend the Power Management GUI with an option to configure devices that can wake the system from sleep.

    This is just my little wish list for Windows 7, but I am sure there must be more. It truly bugs me that the current announcements for SP1 do not mention any significant enhancements to make Windows 7 even better than it already is. Or am I just impatient and did Microsoft wait with the announcements that really matter?

    Posted in Windows 7 | 10 Comments

    Windows 7 Libraries: This network location can’t be included because it is not indexed

    Symptoms

    When you include a shared folder on a remote system in a Windows 7 library, you receive a message that resembles the following:

    This network location can’t be included because it is not indexed

    Cause

    The folders included in a library are indexed by default to support full content search and rich metadata. Indexing these folders enables fast, full-text searches of library locations, from Windows Explorer or from the Start menu. Library locations must be available for local indexing or remotely indexed conforming to the Windows Indexing Protocol. If the location that you try to include is not indexed in one of those ways, you get the above message.

    Resolutions

    • When including local folders, make sure the folder is indexed. Use the Indexing Options from the control panel to add the folder or disk to the local index.
    • When including a remote folder and the folder is located on a remote system running Windows Server 2003 or Windows XP, Windows Desktop Search 4.0 must be installed to support the Windows Indexing Protocol. The shared folder must be indexed to support remote indexing.
    • When the shared folder is located on Windows Server 2008 or Windows Server 2008 R2, the File Services role must be installed with the Windows Search Service role service. When the role and role service are enabled, make sure the shared folder is included in the index. Use the Indexing Options from the control panel to add the folder or disk to the local index.
    • When the shared folder is on a system running Windows Vista or Windows 7, the indexing service is installed by default.
    • When the shared folder is on a NAS or non-Windows system, you should enable the group policy setting: Turn off Windows Libraries features that rely on indexed file data under User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer. This policy disables advanced functionality for libraries. When the policy is enabled you have:
      • No support for metadata browsing via Arrange By views.
      • Only basic text “Grep-only” searches.
      • Grep-only search suggestions. The only properties available for input suggestions are Date Modified and Size.
      • No support for searching from the Start menu. Start menu searches do not return files from basic libraries.
      • No previews of file snippets for search results returned in Content mode.

    Other methods to include remote shares in libraries that do not support the Windows Indexing Protocol, like creating symbolic links to remote locations with mklink, may lead to unexpected behavior and are not supported.
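A triage script for the error above, added here as an example and not part of the original post: for a UNC path it checks whether the remote server runs the Windows Search service (WSearch, which the Windows Search Service role service and Windows Desktop Search 4.0 both install), and on the client it reports whether the "Turn off Windows Libraries features that rely on indexed file data" policy is in effect. The registry value name for that policy is assumed from the Windows 7 Group Policy reference, not stated in the post; the sample paths are constructed.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell on a
# Windows 7 client; the policy value name below is an assumption (not in the post).
function Test-LibraryLocation {
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{
        Path = $Path; IsRemote = $false; Server = $null
        SearchService = 'n/a (local path: check Indexing Options)'
        PolicyDisablesIndexedLibraries = $false
    }

    # Group Policy "Turn off Windows Libraries features that rely on indexed file data"
    # (User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer)
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Explorer' `
               -Name DisableIndexedLibraryExperience -ErrorAction SilentlyContinue
    $result.PolicyDisablesIndexedLibraries = ($pol.DisableIndexedLibraryExperience -eq 1)

    if ($Path -match '^\\\\([^\\]+)\\') {
        $result.IsRemote = $true
        $result.Server   = $Matches[1]
        # Remote indexing requires the Windows Search service (WSearch) on the server:
        # the Windows Search Service role service on 2008/2008 R2, WDS 4.0 on 2003/XP.
        $svc = Get-Service -ComputerName $result.Server -Name WSearch -ErrorAction SilentlyContinue
        $result.SearchService = if ($svc) { $svc.Status.ToString() } else { 'not installed or server unreachable' }
    }
    return [pscustomobject]$result
}

# Constructed sample paths
Test-LibraryLocation -Path '\\fileserver01\Projects'
Test-LibraryLocation -Path 'C:\Users\Public\Documents'
```

A remote path whose SearchService is not Running (or a NAS that has none) is exactly the case the last bullet above covers.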

    More information

    More information about using libraries can be found at the Technet Web site.

    Posted in Windows 7, Windows Server 2008, Windows Server 2008 R2 | 4 Comments

    Windows 7 for XP Professionals

    Yesterday I finished my next book Windows 7 for XP Professionals. The book will be released on November 6 and will be available in the conference book store at Tech Ed in Berlin on November 9-13.
     
    More information about the new book and added materials can be found at www.7forxpprofessionals.com.
    Posted in Windows 7 | Leave a comment

    My profile at Microsoft.com

    I just noticed that my picture and profile are currently showcased on the Microsoft Springboard site.

    Spread the word and meet me at Tech Ed 2009 next week in LA.

    Posted in Uncategorized | Leave a comment

    Member of the Springboard Series Technical Experts Panel (STEP)

    It’s been a while since I posted here. A lot has happened since my last post. Currently I am working as the lead solution architect in a project building a worldwide Active Directory and mail infrastructure. This time I am focusing on Windows Server 2008, Active Directory and networking.

    Another exciting development is the fact that I have been selected as a member of the Springboard Technical Expert Panel (STEP)!

    STEP is an initiative of the Springboard Series team.

    The Springboard Series Technical Expert Panel (STEP) Program has been created to build community and advocacy for a Windows 7 and Windows Server 2008 R2 launch "by the community, for the community." In an effort to drive global awareness and value of Windows 7 and Windows Server 2008 R2 through Springboard Series, a program has been created that will expand reach beyond typically-attended Microsoft events like Tech-Ed by activating top IT Pro community influencers within the Microsoft, MVP, and MCT communities.

    This new program will:

    • deliver content across the globe via the advanced technical knowledge from this select "virtual" team of IT pro experts
    • offer IT Pros community-created instructional tools and resources for further learning of Windows Client products
    • help build a pool of highly recognized influencer evangelists toward the strategy of ensuring that Windows 7 and Windows Server 2008 R2 are launched "for the community, by the community"

    As a member of STEP you’ll probably hear more from me in the near future. The benefits of the program involve:

    • Working with the Springboard Team at Tech Ed US or EMEA (I’ll be at both events)
    • Being a part of the "Opening Windows" campaign
    • Accessing First look seminars at new Windows 7 content before it gets released to the general public
    • Worldwide speaking opportunities
    • Participating in Virtual Roundtables with Mark Russinovich
    • Access to product teams for Q&A at Microsoft events

    Unfortunately I will not be in the panel at the Virtual Roundtable event on February 12th, but I’m thrilled to take my virtual seat next to Mark Russinovich.

    Posted in Uncategorized | 1 Comment