The rain hadn’t stopped for three days. It tapped against the data center windows like a nervous finger, matching the rhythm of Leo’s headache. He’d been on the phone with the VP of Sales for two hours—a man whose laptop had decided, at 11 PM on a Friday, that its TPM was a stranger, and was now sitting at the BitLocker recovery screen asking for a 48-digit recovery password.
He knew the next step: delegate Read permission on msFVE-RecoveryInformation objects to the Help Desk group. Not Domain Admins. Not everyone. Just the people who answer the phones at 2 AM. A recovery password unlocks the disk outright, so that group had to stay small, and reads of those objects had to be audited.
He opened ADSI Edit, found CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=contoso,DC=com, and edited its defaultSecurityDescriptor. That covers every recovery object created from then on; for the ones already in the directory, the same Read permission has to be granted on the computers’ OU so the existing child objects inherit it. Then he built a simple PowerShell tool—a one-liner, really—that any help desk tech could run.
Ten minutes later, he refreshed the VP’s computer object in AD. Clicked the Attribute Editor. Scrolled down.
Simply having the viewer wasn't enough; the laptops needed to be told to send their keys to the "vault." Alex created a new GPO named "BitLocker-AD-Backup". It carried the "Choose how BitLocker-protected operating system drives can be recovered" setting with "Save BitLocker recovery information to AD DS" turned on, and, so that no laptop could finish encrypting before its key was escrowed, "Do not enable BitLocker until recovery information is stored to AD DS" as well.
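The help desk viewer the story only mentions, a check that the GPO's settings actually landed on a client, and the catch-up backup for laptops that were encrypted before the policy existed, as one added PowerShell example. This is not the page's own tool: the function names are mine, the help desk function assumes the RSAT ActiveDirectory module and a caller who already holds the delegated Read right, and the two client-side functions assume the built-in BitLocker module and an elevated session on a domain-joined machine.

```powershell
# Added example, not code from the original story. Function names are hypothetical.

function Get-BitLockerRecoveryFromAD {
    <#
    .SYNOPSIS  Help desk viewer: list the recovery passwords AD holds for one computer.
    .PARAMETER ComputerName  sAMAccountName of the computer, without the trailing '$'.
    .PARAMETER PasswordId    Optional: the first 8 hex digits of the "Password ID" shown on
                             the BitLocker recovery screen; narrows the result to that protector.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $PasswordId
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery objects are children of the computer object, one per recovery-password
    # protector, so search one level below the computer's DN and nothing else.
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is an octet string; it is the Password ID the recovery screen shows.
        $guid = [System.Guid]::new([byte[]]$o.'msFVE-RecoveryGuid').ToString().ToUpper()
        if ($PasswordId -and $guid -notlike "$PasswordId*") { continue }
        [pscustomobject]@{
            Computer         = $computer.Name
            PasswordId       = $guid
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
            VolumeId         = [System.Guid]::new([byte[]]$o.'msFVE-VolumeGuid').ToString()
            Created          = $o.whenCreated
        }
    }
}

function Test-BitLockerAdBackupPolicy {
    # Run on a client: confirms the GPO applied. The OS-drive recovery policy writes these
    # DWORDs under HKLM\SOFTWARE\Policies\Microsoft\FVE. If the key is missing, every field
    # comes back $false, which is exactly what an un-targeted laptop looks like.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAD            = ($fve.OSActiveDirectoryBackup -eq 1)
        RequiredBeforeEncrypt = ($fve.OSRequireActiveDirectoryBackup -eq 1)
        StoresKeyPackageToo   = ($fve.OSActiveDirectoryInfoToStore -eq 1)  # 1 = passwords + key packages, 2 = passwords only
    }
}

function Backup-ExistingBitLockerKeysToAD {
    # Run elevated on a client that was encrypted BEFORE the GPO existed. Group Policy only
    # escrows protectors created after it applies; existing ones must be pushed by hand.
    [CmdletBinding()]
    param([string] $MountPoint = $env:SystemDrive)

    $volume     = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($protectors.Count -eq 0) {
        # A TPM-only volume has nothing AD can store; add a numerical password first.
        $volume     = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $protectors) {
        # Fails loudly if no writable DC is reachable, so an offline laptop is not silently skipped.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        [pscustomobject]@{ MountPoint = $MountPoint; PasswordId = $p.KeyProtectorId; BackedUp = $true }
    }
}

# Help desk, at 2 AM:   Get-BitLockerRecoveryFromAD -ComputerName 'VP-LAPTOP01' -PasswordId 'A1B2C3D4'
# On a client:          Test-BitLockerAdBackupPolicy ; Backup-ExistingBitLockerKeysToAD
```

The GPO setting lives under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Two things bite in practice: the policy is forward-looking, so a fleet encrypted last year stays unrecoverable until the catch-up function (or `manage-bde -protectors -adbackup`) runs on each machine; and the "Do not enable BitLocker until recovery information is stored" option means a laptop encrypted off the VPN will refuse to turn BitLocker on rather than produce a key nobody can find later, which is the failure mode the story opens with.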