339485-182740-629183-047295-718364-920547-463829-154738
Then he remembered: the schema.
He opened the Group Policy Management Console and navigated to: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives Administrative Templates ->
By 4 AM, the rain had stopped. Leo looked out the window. The parking lot lights reflected in the wet asphalt like tiny recovery keys waiting to be read. Windows Components ->
He opened ADSI Edit, found the CN=BitLocker Recovery,CN=Schema,CN=Configuration,DC=contoso,DC=com , and set the security descriptor. Then he built a simple PowerShell tool—a one-liner, really—that any help desk tech could run: BitLocker Drive Encryption ->