Deleting msFVE-RecoveryInformation entries with ADSIEdit.msc

    Question

  • A computer is bitlocked using a recovery password and saved text file, and the recovery information is stored in AD. The computer is imaged to a file on a network share using any imaging software (Macrium Reflect in this case) so we can change the hard drive. When the image is restored, Windows is no longer bitlocked, so we bitlock it again. The computer object in AD now has two msFVE-RecoveryInformation entries.

    Is it safe to use AdsiEdit.msc to delete the unused (old) msFVE-RecoveryInformation entry?

    Windows 2012 r2 AD

    Thank you.
    • Edited by TLJ91021 Friday, April 21, 2017 11:56 PM
    Friday, April 21, 2017 6:33 PM

All replies

  • Hi,

    I recommend you remove the unused information with a more secure method. To delete the recovery password information in AD, you can refer to the “GetBitLockerKeyPackageADDS.vbs” script in the following link and modify the part which saves the ms-FVE-RecoveryInformation object information to delete it based on ID or password.

    http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixC

    More articles for your reference:

    BitLocker and Active Directory

    https://blogs.technet.microsoft.com/askds/2009/08/18/bitlocker-and-active-directory/

    BitLocker Drive Encryption and Active Directory

    https://blogs.technet.microsoft.com/askcore/2011/03/09/bitlocker-drive-encryption-and-active-directory/

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 24, 2017 7:46 AM
    Moderator
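    As an added example (not code from the thread, the linked script or Microsoft), this PowerShell does what the reply above recommends: back up every msFVE-RecoveryInformation object under the computer account first, then remove only the objects whose protector GUID does not match the protector currently on the disk. It assumes PowerShell 5 or later, the RSAT ActiveDirectory module and write rights on the computer object; $ComputerName, $CurrentProtectorId (taken from manage-bde on the PC) and $BackupDir are the script's own parameters.

```powershell
# Added example, not from the thread: back up all msFVE-RecoveryInformation
# objects under a computer object, then remove only the stale ones.
# Assumes PowerShell 5+, the RSAT ActiveDirectory module and rights on the
# computer object. Get $CurrentProtectorId from 'manage-bde -protectors -get C:'
# on the machine itself; without it the script only lists and backs up.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [guid]$CurrentProtectorId,                                   # optional
    [string]$BackupDir = "$env:USERPROFILE\BitLockerKeyBackup"   # constructed default
)
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName
# Recovery objects are children of the computer object. Each holds the
# 48-digit recovery password and the GUID of the key protector it belongs to.
$entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    Sort-Object whenCreated
if (-not $entries) { Write-Host "No recovery information stored for $ComputerName"; return }

# Step 1: back up every entry before deleting anything. The folder holds
# recovery passwords in clear text, so restrict its ACL like the AD data.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stale = @()
foreach ($e in $entries) {
    $guid = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')     # octet string -> GUID
    $file = Join-Path $BackupDir ("{0}-{1}.txt" -f $ComputerName, $guid)
    @("Computer: $ComputerName", "Protector ID: {$guid}",
      "Created: $($e.whenCreated)", "Recovery password: $($e.'msFVE-RecoveryPassword')") |
        Set-Content -Path $file
    # An entry is stale only when a current protector was given and it differs.
    $status = if ($PSBoundParameters.ContainsKey('CurrentProtectorId') -and
                  $guid -ne $CurrentProtectorId) { $stale += $e; 'STALE' } else { 'keep' }
    Write-Host ("{0,-22} {1} {2}  backed up to {3}" -f $e.whenCreated, $guid, $status, $file)
}

# Step 2: delete only the stale objects, prompting for each one.
foreach ($e in $stale) {
    Remove-ADObject -Identity $e.DistinguishedName -Confirm
}
```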
  • Ok so I read through all the info you provided, but am having difficulty determining why modifying the script "part which saves the ms-FVE-RecoveryInformation object information to delete it" would be any safer than deleting the extra ms-FVE-RecoveryInformation object visually straight from adsiedit.

    In the blog article you listed it states "There are zero functions AD will perform to validate, maintain or update this information. This is completely handled by BitLocker. BitLocker does not notify AD of a drive decryption so the ms-FVE-RecoveryInformation object does not get removed. So if the user re-encrypts the drive, then Bitlocker will sync new information to AD. So what you will see is two entries for the same drive."

    Again there's no mention about deleting the extraneous entry. So back to the original point of my question, "is it safe to delete the second entry with adsiedit", are you simply suggesting I backup all entries with the GetBitLockerKeyPackageADDS.vbs script before using adsiedit to visually delete the already identified unused second entry?

    Thank you.
    Tuesday, April 25, 2017 5:54 PM
  • Hi,

    I haven’t tried deleting the unused (old) msFVE-RecoveryInformation entry using AdsiEdit.msc.

    The thread below discusses a similar requirement:

    Is it safe to delete old bitlocker keys from AD

    https://serverfault.com/questions/799116/is-it-safe-to-delete-old-bitlocker-keys-from-ad

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    It is always recommended to perform a backup before doing any modification with AdsiEdit.msc.

    Best Regards,

    Alvin Wang




    Friday, April 28, 2017 11:14 AM
    Moderator