I have a strange issue with a double BitLocker tab having exactly the same look. Any idea how I can remove one?
Best Answer
Witnessed on several domains that have gone through upgrades from 2008 to 2012.
The fix outlined below will remove the duplicate BitLocker Recovery tab in ADUC and the duplicate Action > Find BitLocker recovery password Action menu option when running ADUC in an English locale only. For other language locales, the process is the same but a different path is used.
Remove Duplicate BitLocker Recovery Tab
Open ADSI Edit, right-click on ADSI Edit top level node, click Connect to...
Select a well known Naming Context: Configuration, click OK. Do not select the Default Naming Context (which is Domain); we want Configuration.
Drill down to Configuration > DisplaySpecifiers > 409 and open up the computer-Display container.
Substitute 409 with the corresponding hex code for locales other than English.
In the Attribute Editor tab, open adminPropertyPages, select 14,{2FB1B669-59EA-4F64-B728-05309F2C11C8}, and click Remove.
Note that two {2FB1B669-59EA-4F64-B728-05309F2C11C8} entries exist in this attribute. We are removing one of them. In cases where the integer prefixes are not 13,{GUID} and 14,{GUID}, find yours and remove the entry with the greater integer.
Remove Duplicate Action > Find BitLocker recovery password Menu Option
Keep ADSI Edit open.
Drill down to Configuration > DisplaySpecifiers > 409 and open up the domainDNS-Display container.
Substitute 409 with the corresponding hex code for locales other than English.
In the Attribute Editor tab, open adminContextMenu, select 4,{2FB1B669-59EA-4F64-B728-05309F2C11C8}, and click Remove.
Note that two {2FB1B669-59EA-4F64-B728-05309F2C11C8} entries exist in this attribute. We are removing one of them. In cases where the integer prefixes are not 3,{GUID} and 4,{GUID}, find yours and remove the entry with the greater integer.
After completing the removals wait for Active Directory replication to complete and open/re-open ADUC on a replicated domain controller. The changes only need to be made once per forest since changes are in the Configuration NC.
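A read-only PowerShell check for the duplicates described in the answer above, covering every locale container rather than only 409. This is an added example, not part of the original answer; it assumes the ActiveDirectory (RSAT) module is installed, and the function name Get-DuplicateEntry is hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

$guid = '{2FB1B669-59EA-4F64-B728-05309F2C11C8}'   # GUID quoted in the answer above

# Hypothetical helper: given the values of adminPropertyPages or adminContextMenu,
# return every entry for $Guid except the one with the lowest integer prefix,
# i.e. the "greater integer" entries the answer says to remove.
function Get-DuplicateEntry {
    param([string[]]$Values, [string]$Guid)
    $hits = @($Values |
        Where-Object { $_ -match '^\s*\d+\s*,' -and $_ -like "*$Guid*" } |
        Sort-Object { [int](($_ -split ',')[0]) })
    if ($hits.Count -gt 1) { $hits | Select-Object -Skip 1 }
}

$configNC = (Get-ADRootDSE).configurationNamingContext

# Object name -> attribute that holds the BitLocker viewer registration
$targets = @{
    'computer-Display'  = 'adminPropertyPages'
    'domainDNS-Display' = 'adminContextMenu'
}

# Each child container of CN=DisplaySpecifiers is one locale (409 = English).
Get-ADObject -SearchBase "CN=DisplaySpecifiers,$configNC" -SearchScope OneLevel -Filter * |
ForEach-Object {
    $locale = $_
    foreach ($cn in $targets.Keys) {
        $attr = $targets[$cn]
        $obj  = Get-ADObject -SearchBase $locale.DistinguishedName -SearchScope OneLevel `
                    -Filter "name -eq '$cn'" -Properties $attr
        if (-not $obj) { continue }
        foreach ($dup in Get-DuplicateEntry -Values $obj.$attr -Guid $guid) {
            [pscustomobject]@{
                Locale    = $locale.Name
                Object    = $cn
                Attribute = $attr
                Remove    = $dup
            }
        }
    }
}
```

Each output row names a locale, object and attribute value to remove in ADSI Edit as described above; no output means no duplicate registrations were found.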
I'd also be interested in knowing whether you can run the manage-bde command (from an elevated command prompt) and what it returns for -status and -on.
Enable the GPO setting to back up the BitLocker keys to AD automatically. BitLocker will back up the key first, so it's not possible to get into the situation you have now. There are quite a few other BitLocker GPO settings too.
Not to get too preachy: Before you go endeavoring into new technologies which might lock people out of their computers permanently, you should really read all the documentation and best practices. MS has published volumes on BitLocker to help people prevent mistakes like this.
Additional Reference
https://support.microsoft.com/en-us/help/928202/how-to-use-the-bitlocker-recovery-password-viewer-for-active-directory