Enable Bitlocker Recovery Password Viewer In Active Directory May 2026

Double-clicked. Enabled. Then checked the box that made his heart rate climb:

So he did the thing you’re not supposed to do. He found the script online—from a Microsoft GitHub archive—and ran it against the schema master. “Now reboot,” he whispered to no one.

Leo had tried the usual tricks. Checked BitLocker in the control panel. Looked for the USB key in the corporate safe. Called the help desk. Nothing.

He pulled up the Active Directory Users and Computers MMC, navigated to the VP’s computer object, and right-clicked. Properties. Nothing. He checked the “Attribute Editor” tab—the one most admins never touch because it looks like the cockpit of a 747.

He opened ADSI Edit, found the CN=BitLocker Recovery,CN=Schema,CN=Configuration,DC=contoso,DC=com object, and set the security descriptor. Then he built a simple PowerShell tool—a one-liner, really—that any help desk tech could run:

Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase "OU=Workstations,DC=contoso,DC=com" -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword

He saved it as Get-BitLockerKey.ps1 and put it on a secured network share. No more hunting through attribute editors. No more schema panic.
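As an added example (not the script from the story), here is a slightly fuller version of that help-desk tool: it looks up one computer by name, reads the msFVE-RecoveryInformation objects stored beneath it, and can narrow the result to the Recovery Key ID prefix that the BitLocker recovery screen displays. The function and parameter names are assumptions; the OU path is the one used above.

```powershell
# Added example, not the page's own script. Requires the ActiveDirectory RSAT
# module and read access to msFVE-RecoveryPassword (the permission granted via
# the security descriptor above). Function and parameter names are assumptions.
function Get-BitLockerRecoveryKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # First 8 characters of the Recovery Key ID shown on the recovery screen
        [string] $KeyIdPrefix,
        [string] $SearchBase = 'OU=Workstations,DC=contoso,DC=com'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the computer object; msFVE-RecoveryInformation objects are its children
    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -SearchBase $SearchBase
    if (-not $computer) { throw "Computer '$ComputerName' not found under $SearchBase" }

    $keys = Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated

    $results = foreach ($k in $keys) {
        # msFVE-RecoveryGuid is stored as an octet string (byte array); convert it
        # to the GUID text whose first 8 characters the recovery screen prints
        $guid = [guid]::new([byte[]]$k.'msFVE-RecoveryGuid').Guid.ToUpper()
        [pscustomobject]@{
            ComputerName     = $computer.Name
            RecoveryKeyId    = $guid
            RecoveryPassword = $k.'msFVE-RecoveryPassword'
            Created          = $k.whenCreated
        }
    }
    if ($KeyIdPrefix) {
        $results = $results | Where-Object { $_.RecoveryKeyId.StartsWith($KeyIdPrefix.ToUpper()) }
    }
    # Newest protector first: a machine may hold several after re-encryption or key rotation
    $results | Sort-Object Created -Descending
}

# Usage (constructed names): Get-BitLockerRecoveryKey -ComputerName 'WS-VP01' -KeyIdPrefix '1A2B3C4D'
```

Matching on the Key ID prefix avoids handing over the wrong password when a machine has accumulated several recovery protectors over time.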

He set the second dropdown to Store recovery passwords and key packages. Then, in the field below, he typed a name for the AD container: BitLockerRecovery.