Bitlocker - Not saving Recovery Key to Active Directory
Hello and greetings from Portugal,
I'm having a little bit of trouble here with BitLocker and would like help from anyone.
When we encrypt a drive we say that the recovery information should be saved to Active Directory. Unfortunately, for the first machines we didn't set up the policy "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)".
The problem is that before this policy was applied we had several machines that encrypted and didn't back up the information to AD, so now we have some machines with the drive locked and no recovery passwords.
Can anyone please help me find out if there's any way to force the machines to save the password to AD again?
Best regards,
Diogo Sousa:: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 23rd, 2012 6:32am
Try this VBScript. Run it on all of the machines that you need to have backed up to AD. It's not fun to run it on all those machines, but it worked for me.
Option Explicit
Dim strManageBDE, strManageBDE2
Dim oShell
Dim Result, TPM, strLine
Dim Flag, NumericalKeyID
Set oShell = CreateObject("WScript.Shell")
'====================================================================================
'This section looks for the ID of the BitLocker numerical password (recovery password) protector
strManageBDE = "Manage-BDE.exe -protectors -get c:" 'BitLocker command that lists the protectors on C:
Flag = False
NumericalKeyID = ""
Set Result = oShell.Exec(strManageBDE) 'Runs the command and captures its output in Result
Set TPM = Result.StdOut 'TPM holds the output stream of the strManageBDE command
While Not TPM.AtEndOfStream
    strLine = TPM.ReadLine
    If InStr(strLine, "Numerical Password:") Then 'Found the header of the numerical password protector
        Flag = True
    End If
    If Flag = True Then
        If InStr(strLine, "ID:") Then 'The next "ID:" line belongs to that protector
            NumericalKeyID = Trim(strLine) 'Trims the leading spaces from the "ID: {...}" line
            NumericalKeyID = Right(NumericalKeyID, Len(NumericalKeyID) - 4) 'Drops the "ID: " prefix, keeping "{GUID}"
            Flag = False 'Stops later "ID:" lines (other protectors) from being collected
        End If
    End If
Wend
If NumericalKeyID = "" Then
    WScript.Echo "No numerical password protector found on C: (is the volume unlocked?)"
    WScript.Quit 1
End If
'====================================================================================
'This section backs that protector up to Active Directory
strManageBDE2 = "Manage-BDE.exe -protectors -adbackup C: -ID " & NumericalKeyID
oShell.Run strManageBDE2, 0, True 'Runs the Manage-bde command that writes the numerical password to AD
May 23rd, 2012 4:50pm
Hi Drew,
First of all, thanks for your reply.
Let me see if there's any machine today with that issue and I hope to give you some feedback soon!
Best Regards,
Diogo Sousa:: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 24th, 2012 4:13am
Hi Drew, Here's an update: Unfortunately the script didn't work. :( I'm getting the error: 'ERROR: The operation cannot be performed because the volume is locked.' Can someone please help?
Best Regards, Diogo Sousa
:: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 24th, 2012 5:44am
That appears to be the script from this (http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx) TechNet Blog.
Diogo, if you only have a few computers, you can just run the commands manually. The article has instructions for performing the steps manually. The script just simplifies things by automating all the commands. You'll need to make sure
that you're (#1) running the commands (or the script) from an Elevated Command Prompt and (#2) with an account that has permissions to write changes to the Computer account in Active Directory.
I would definitely encourage you to try out the manage-bde.exe utility as it can be very helpful with other BitLocker tasks. I'd also like to encourage you to check out the Microsoft BitLocker Best Practices (http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx).
May 25th, 2012 3:38pm
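The procedure described in Drew's VBScript and in the manual manage-bde steps the reply above points to, as an added PowerShell example (not code from the thread or from Microsoft): it lists every numerical password protector on a volume, pushes each one to AD DS with manage-bde -protectors -adbackup, and then checks through ADSI that an msFVE-RecoveryInformation object now sits under the computer account. It assumes an elevated prompt on a domain-joined machine, an account allowed to write the computer object and to read its recovery objects (by default only Domain Admins can read them), and an unlocked volume: manage-bde cannot enumerate protectors on a locked volume, which is exactly the "volume is locked" error Diogo reports, so the script stops there instead of running adbackup with an empty ID. The $MountPoint parameter and the function names are this example's own.

```powershell
# Added example, not part of the original thread.
# Assumes: elevated PowerShell, domain-joined machine, unlocked volume,
# an account that can write the computer object and read its recovery objects.
param(
    [string]$MountPoint = 'C:'   # assumed default; pass another letter as needed
)

function Get-RecoveryPasswordIds {
    param([string]$Volume)
    # manage-bde prints a "Numerical Password:" header followed by an "ID: {GUID}"
    # line for each recovery password protector. A locked volume makes manage-bde
    # fail with a non-zero exit code, so we stop rather than back up nothing.
    $output = & manage-bde.exe -protectors -get $Volume 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -protectors -get $Volume failed (is the volume locked?): $output"
    }
    $ids = @()
    $inNumericalPassword = $false
    foreach ($line in $output) {
        if ($line -match 'Numerical Password:') { $inNumericalPassword = $true; continue }
        if ($inNumericalPassword -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumericalPassword = $false   # later ID: lines belong to other protectors
        }
    }
    return $ids
}

function Backup-RecoveryPasswordToAD {
    param([string]$Volume, [string[]]$ProtectorIds)
    foreach ($id in $ProtectorIds) {
        # Same command the VBScript runs; manage-bde writes the protector to AD DS.
        & manage-bde.exe -protectors -adbackup $Volume -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "AD backup failed for protector $id on $Volume"
        } else {
            Write-Host "Backed up protector $id on $Volume to AD DS"
        }
    }
}

function Get-ADRecoveryObjects {
    # Lists the msFVE-RecoveryInformation children of this computer's AD object
    # via ADSI (no RSAT needed). Only the CN, which embeds the backup time and the
    # protector GUID, and whenCreated are read; the password itself stays in AD.
    $computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    if (-not $computer) { throw "Computer account for $env:COMPUTERNAME not found in AD" }
    $computerDn = $computer.Properties['distinguishedname'][0]
    $searcher = [adsisearcher]'(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchRoot = [adsi]"LDAP://$computerDn"
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.Add('cn') | Out-Null
    $searcher.PropertiesToLoad.Add('whenCreated') | Out-Null
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Properties['cn'][0]
            Created = $_.Properties['whencreated'][0]
        }
    }
}

$ids = Get-RecoveryPasswordIds -Volume $MountPoint
if (@($ids).Count -eq 0) {
    # Nothing to back up: the volume has no recovery password protector at all.
    throw "No numerical password protector on $MountPoint; add one with: manage-bde -protectors -add $MountPoint -RecoveryPassword"
}
Backup-RecoveryPasswordToAD -Volume $MountPoint -ProtectorIds $ids
Get-ADRecoveryObjects | Format-Table -AutoSize
```

The final listing is the check worth keeping: each successful adbackup shows up as a child object of the computer account whose name carries the protector GUID, and an empty listing after a "Backed up" line means the write was rejected (permissions, or a domain controller that has not yet replicated). On Windows 8 / Server 2012 and later the BitLocker module offers the same operation as Backup-BitLockerKeyProtector, but the manage-bde form above also works on the Windows 7 machines in the thread.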