Backing up Bitlocker Recovery Key by command line in the same format as the Bitlocker Wizard

I am looking for an automated way to back up the recovery key for BitLocker in the EXACT format you see when you open BitLocker Drive Encryption in Control Panel and then select "Back up your recovery key". This takes you through a wizard that backs up the key to a .txt file with the Identifier in the name of the file. Example:

BitLocker Recovery Key XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.txt.

We are in the middle of a potential move from another product to BitLocker, and the initial testing and acceptance phase was to save off the keys to a secure location in the format shown above. There have been a handful where we have completed this manually as mentioned above. Until we can integrate an infrastructure to manage the keys, the next step is to automate backing up the keys using the same method as the manual process.

I have not found a set of manage-bde commands that saves the file with the Identifier in the name and with the Identifier and Recovery Key as contents. I have also been looking at WMI. I have been trying to track down how the wizard gathers the data to create the text file; ideally, we'd call the same thing from a command prompt.

Any help is appreciated.

Thanks

July 1st, 2015 2:53pm

Hi.

You could as well dump all the files to a folder and have Windows Search look inside the contents for the identifier; it finds it in seconds, so the naming does not add any value.

You should use AD backup and the question would not even arise.

Anyway, you say you used manage-bde already, I guess like in

manage-bde -protectors -get c: -type RecoveryPassword >\\server\BLBackup\%computername%.txt

If you insisted on using the same format as the wizard does, you would need to read out the ID, first, like in

manage-bde -protectors -get c: -type RecoveryPassword | findstr ID

and work with that ID, but I don't see why this would be of any use - I wonder what you need that special file naming format for? Will it help you in the restore process to identify the file?

July 1st, 2015 6:50pm

I completely agree we need to use AD and more than likely the support area managing encryption will eventually move that way.  Our security area also is at play with specifications they want. I play the cards I'm dealt until I can ask for more cards.  We are implementing a small number of specific machines with BitLocker and the direction was set to use the format addressed above using the ID in the name of the file so if a customer is to call in, reading the ID off, will then find the specific file as named. That is why that is of any use.

In the meantime, I was able to use a similar command you provided although yours might generate the ID up front and would have been more efficient, but I used the -get command to dump to a file, then read through the file until found "NumericalPassword:", extracted and parsed down the next line and used it as a variable to rename the file as I wanted to match how their manual process has been implemented so far.

Thanks for your response.

July 8th, 2015 8:31am

Hi TedRed,

We wonder if the method as Ronald posted worked.

Is there anything to update about this case?

Best regards

July 12th, 2015 10:02pm

Yes. Ronald's suggestion proved we were on the right track. We ended up doing essentially what he suggested, with slightly different output, as we were requested to have the output match the manually created end format: BitLocker Recovery Key XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.txt.

I'm sure there might be a simpler way of doing this, but using VBScript I ran the following:

' Run manage-bde and redirect its output to a text file (window style 1, wait for the command to finish)
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd /c manage-bde -protectors c: -get >" & Chr(34) & "C:\Program Files\folder\Bitlocker.txt" & Chr(34), 1, True

Once the .txt was in place, I parsed through the text file until I found "    Numerical Password:", grabbed the recovery key and used it as a variable to rename the file as we were requested. Because we were running this through MDT, we also needed authentication to a network share to copy this file. Not an ideal method of saving keys, but there are no machine names associated with any of the files and there is no real infrastructure in place for BitLocker. It was something we were asked to do for a small faction of the company on short notice.

It's something I thought to do from the beginning, but was hoping since MS already had something in place behind the GUI, it would be a simple set of commands, but nothing came to fruition.

August 12th, 2015 8:25am
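Putting the procedure from this thread together as an added example (not the poster's VBScript and not Microsoft's wizard code): a PowerShell function that parses `manage-bde -protectors -get` output for each Numerical Password protector and writes one file per protector, named with the protector ID the way the wizard names its file, with the key kept only inside the file. The manage-bde output embedded below is constructed for a dry run; the file body wording is a simplified version of the two fields and is not claimed to be byte-identical to the wizard's.

```powershell
# Added example (not the poster's script): parse manage-bde output and save
# each recovery password protector as "BitLocker Recovery Key <ID>.txt".
function Get-RecoveryProtectors {
    param([string[]]$ManageBdeOutput)
    # manage-bde prints each recovery protector as a "Numerical Password:"
    # block: an "ID: {GUID}" line, then "Password:" and the 48-digit key.
    $text = $ManageBdeOutput -join "`n"
    $pattern = 'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}\s*Password:\s*(\d{6}(?:-\d{6}){7})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{ Id = $m.Groups[1].Value; Key = $m.Groups[2].Value }
    }
}

function Save-RecoveryKeyFile {
    param(
        [Parameter(Mandatory)][string]$Drive,        # e.g. "C:"
        [Parameter(Mandatory)][string]$Destination   # folder or share with a restrictive ACL
    )
    # Needs an elevated session; manage-bde will not list protectors otherwise.
    $output = & manage-bde -protectors -get $Drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    foreach ($p in Get-RecoveryProtectors -ManageBdeOutput $output) {
        # Protector ID in the file name, as the wizard does; the key stays inside.
        $path = Join-Path $Destination ("BitLocker Recovery Key {0}.txt" -f $p.Id)
        # Simplified body with the two fields; not byte-identical to the wizard's file.
        $body = "BitLocker Drive Encryption recovery key`r`n`r`nIdentifier:`r`n`t$($p.Id)`r`n`r`nRecovery Key:`r`n`t$($p.Key)`r`n"
        Set-Content -Path $path -Value $body -Encoding Unicode
        $path
    }
}

# Constructed sample of the protector section, to exercise the parser without
# touching a real volume (a real ID is a {GUID}; a real key is 8 groups of 6 digits).
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {11111111-2222-3333-4444-555555555555}

    Numerical Password:
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      Password:
        123456-234567-345678-456789-567890-678901-789012-890123
'@ -split "`n"
Get-RecoveryProtectors -ManageBdeOutput $sample
# Live use (elevated): Save-RecoveryKeyFile -Drive 'C:' -Destination '\\server\BLBackup'
```

The dry run returns one object with the constructed ID and key; a volume with more than one recovery password protector yields one file per protector.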

This topic is archived. No further replies will be accepted.
