A blog with focus on experiences with the Windows Client operating systems…

  • Backing up BitLocker recovery keys to Active Directory

    Posted on October 21st, 2007 Andreas Stenhall 1 comment

    Using BitLocker to encrypt your system partition is a very good option to keep the computer and the data on it secure. Starting with Vista SP1 you will be able to encrypt not only the system partition but all the other partitions as well, offering even better security. When you encrypt a partition with BitLocker a recovery key is automatically generated so that you can recover the data on the computer when necessary. By default you have the choice of printing the recovery key or saving it to a USB stick or a network share.

    However, using a group policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Turn on BitLocker backup to Active Directory) you can also back up the recovery key to Active Directory, which is a very good suggestion I must say. If you are running Windows Server 2008 you do not have to do anything to get this working, but if you would like to use Windows Server 2003 with SP1 or later to back up the BitLocker recovery key you must use scripts provided by Microsoft to extend the schema.

    Microsoft also offers a tool called BitLocker Recovery Password Viewer which can be downloaded directly from Microsoft Premier Services. When this tool is installed it introduces another tab in a computer object's Properties called “BitLocker Recovery” where the BitLocker recovery keys are listed for your viewing pleasure in the case of necessary restoration. The only negative part about the tool is that it can only be installed on a Windows XP or Windows Server 2003 computer, as it requires that you have installed the “Windows Server 2003 Administration Tools for SP1” on Windows XP to get the Active Directory Users and Computers console.

    UPDATE: I forgot to add the link to the page where you can find all the necessary information as well as the “extend schema”-script. Here it is!

  • Manage ActiveX controls with GPOs in Vista

    Posted on October 10th, 2007 Andreas Stenhall No comments

    As you might know there is no good way to control the installation or blocking of ActiveX controls for standard user accounts. Windows Vista introduces a cure to this, and it is called ActiveX Installer Service. This service is not installed by default but can be found in Programs and Features > Turn Windows features on or off. I recommend that you add this component using an unattended answer file in corporate environments. Once installed you can control if a standard user should be able to install certain ActiveX controls or not. I have not found any good step-by-step guides for configuring this so here it comes:

    1. When you go to a web site and try to install an ActiveX control, an event is logged in the event viewer specifying the exact origin and http or https address where the ActiveX control resides.

    2. Enter the address you found above in the group policy setting “Approved Installation Sites for ActiveX Controls” found in Computer configuration\Administrative templates\Windows Components\ActiveX Installer Service, together with the policy's additional settings, for example 2,2,0,0.

    To allow a regular user to install, for instance, the Windows Genuine Advantage control, add the address http://download.microsoft.com with 2,2,0,0. Now refresh the policy on your test computer, go to the Microsoft Download Center and try to validate and install the WGA ActiveX control as a regular user account without administrative privileges. Voilà!
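    As an added illustration (my own code, not from the original post or from Microsoft), here is a small Python audit helper for the approved-site entries configured in the steps above. It parses the four-field policy string (TPS-signed, signed, unsigned, and an HTTPS certificate-error bitmask; the field meanings and bit values are taken from the policy's own description and are assumptions here) and flags entries that let unsigned controls install, ignore certificate errors, or use a plain-HTTP origin. The sample entries are constructed; the first is the WGA example from the post.

```python
# Audit helper for "Approved Installation Sites for ActiveX Controls" entries.
# Each entry maps a site URL to "TPSSigned,Signed,Unsigned,CertErrorBitmask".
from urllib.parse import urlsplit

# Per-field install behaviour for the first three fields (assumed from the policy text).
INSTALL_POLICY = {0: "do not install", 1: "prompt user", 2: "install silently"}

# Bits of the fourth field; each set bit tells the service to ignore one class of
# HTTPS certificate error (bit values assumed from the policy description).
CERT_ERROR_BITS = {
    0x100: "unknown CA",
    0x200: "wrong certificate usage",
    0x1000: "invalid common name",
    0x2000: "invalid certificate date",
}


def parse_site_policy(value):
    """Parse a string such as '2,2,0,0'; raise ValueError if it is malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(parts)}: {value!r}")
    tps, signed, unsigned, cert = (int(p, 0) for p in parts)  # base 0 accepts 0x... too
    for name, v in (("TPS-signed", tps), ("signed", signed), ("unsigned", unsigned)):
        if v not in INSTALL_POLICY:
            raise ValueError(f"{name} field must be 0, 1 or 2, got {v}")
    return {
        "tps_signed": tps,
        "signed": signed,
        "unsigned": unsigned,
        "ignored_cert_errors": [d for b, d in CERT_ERROR_BITS.items() if cert & b],
    }


def audit_site(url, value):
    """Return a list of findings for one approved-site entry (empty list = no concerns)."""
    pol = parse_site_policy(value)
    findings = []
    if pol["unsigned"] != 0:
        findings.append("unsigned controls allowed (%s)" % INSTALL_POLICY[pol["unsigned"]])
    if pol["ignored_cert_errors"]:
        findings.append("ignores HTTPS errors: " + ", ".join(pol["ignored_cert_errors"]))
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plain-HTTP site: origin is not authenticated")
    return findings


# Constructed sample entries: the post's WGA example plus a hypothetical intranet site.
SAMPLE_SITES = {
    "http://download.microsoft.com": "2,2,0,0",
    "https://intranet.example.invalid": "2,1,0,0x100",
}


def audit_all(sites):
    """Audit every entry; returns {url: [findings]} so it can feed a report."""
    return {url: audit_site(url, val) for url, val in sites.items()}
```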