Bitlocker - Not saving Recovery Key to Active Directory
Hello and greetings from Portugal. I'm having a little bit of trouble here with BitLocker that I would like help from anyone with. When we encrypt a drive we say that the recovery information should be saved in Active Directory. Unfortunately, for the first machines we didn't set up the policy "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)". The problem is that before this policy was applied we had several machines that encrypted and didn't back up the information to AD, so now we have some machines with the drive locked and no recovery passwords. Can anyone please help me find out if there's any way to force machines to save the password to AD again? Best regards, Diogo Sousa :: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 23rd, 2012 6:32am

Try this VBScript. Run it on all of the machines that you need to have backed up to AD. It's not fun to run it on all those machines, but it worked for me.

    Option Explicit
    Dim strManageBDE, strManageBDE2
    Dim oShell
    Dim Result, TPM, strLine
    Dim Flag, NumericalKeyID

    Set oShell = CreateObject("WScript.Shell")

    '====================================================================================
    ' This section looks for the ID of the BitLocker Numerical Password (recovery password) protector
    strManageBDE = "Manage-BDE.exe -protectors -get c:"   ' BitLocker command to list the protectors and their IDs
    Flag = False
    NumericalKeyID = ""
    Set Result = oShell.Exec(strManageBDE)   ' runs the command and captures its output in Result
    Set TPM = Result.StdOut                  ' TPM holds the standard output of the Manage-BDE command

    While Not TPM.AtEndOfStream
        strLine = TPM.ReadLine
        If InStr(strLine, "Numerical Password:") Then   ' this line starts the Numerical Password protector block
            Flag = True
        End If
        If Flag = True Then
            If InStr(strLine, "ID:") Then                ' the next "ID:" line inside that block is the one we want
                NumericalKeyID = Trim(strLine)           ' trims the leading spaces from the "ID: {...}" line
                NumericalKeyID = Right(NumericalKeyID, Len(NumericalKeyID) - 4)   ' drops the leading "ID: ", leaving "{GUID}"
                Flag = False                             ' stops the other lines from being collected
            End If
        End If
    Wend

    ' Guard: without an ID the adbackup command below would run with an empty -ID and fail.
    If NumericalKeyID = "" Then
        WScript.Echo "No Numerical Password protector found on C: (the volume must be unlocked and the script run elevated)."
        WScript.Quit 1
    End If

    strManageBDE2 = "Manage-BDE.exe -protectors -adbackup C: -ID " & NumericalKeyID
    oShell.Run strManageBDE2, 0, True   ' runs the Manage-BDE command to back up that recovery password to AD
May 23rd, 2012 4:50pm

Hi Drew, First of all, thanks for your reply. Let me see if there's any machine today with that issue and I hope to give you some feedback soon! Best Regards, Diogo Sousa:: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 24th, 2012 4:13am

Hi Drew, Here's an update: Unfortunately the script didn't work. :( I'm getting the error: 'ERROR: The operation cannot be performed because the volume is locked.' Can someone please help? Best Regards, Diogo Sousa :: Geeking Around Technological World :: | http://front-slash.blogspot.com
May 24th, 2012 5:44am

That appears to be the script from this (http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx) TechNet Blog. Diogo, if you only have a few computers, you can just run the commands manually. The article has instructions for performing the steps manually. The script just simplifies things by automating all the commands. You'll need to make sure that you're (#1) running the commands (or the script) from an Elevated Command Prompt and (#2) with an account that has permissions to write changes to the Computer account in Active Directory. I would definitely encourage you to try out the manage-bde.exe utility as it can be very helpful with other BitLocker tasks. I'd also like to encourage you to check out the Microsoft BitLocker Best Practices (http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx).
May 25th, 2012 3:38pm
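The steps from the answer above (check elevation, read the Numerical Password protector IDs with manage-bde -protectors -get, then push each one with -adbackup), written as a PowerShell script. This is an added example, not the TechNet script Drew posted or anything from the original thread. It assumes manage-bde.exe is present (Windows 7 / Server 2008 R2 or later), that the AD DS schema and policy for storing recovery information are in place, and that manage-bde prints its English-language strings ("Numerical Password:", "ID:", "Lock Status:"); on a localized Windows those strings differ and the regular expressions would need adjusting. Unlike the VBScript, it backs up every Numerical Password protector rather than only the last one found, and it checks the volume's lock status first, because the "volume is locked" error Diogo hit is exactly what manage-bde returns when it cannot open the volume to read the protectors.

```powershell
# Added example (not from the original thread): back up every Numerical Password
# protector on a volume to AD DS with manage-bde.exe, with the two pre-checks from
# the answer above (elevated session, volume actually unlocked) made explicit.
# Assumptions: manage-bde.exe exists, AD DS schema/GPO for recovery information is
# in place, and manage-bde prints English strings ("Numerical Password:", "Lock Status:").
param(
    [string]$Volume = 'C:'
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-VolumeLockStatus {
    param([string]$Vol)
    $out = & manage-bde.exe -status $Vol 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Vol failed: $($out -join ' ')" }
    # The status output carries a line such as "    Lock Status:          Unlocked"
    foreach ($line in $out) {
        if ("$line" -match 'Lock Status:\s*(\S+)') { return $Matches[1] }
    }
    throw "Could not find 'Lock Status:' in manage-bde -status output for $Vol"
}

function Get-NumericalPasswordIds {
    param([string]$Vol)
    # manage-bde -protectors -get prints one block per protector: a type line
    # ("Numerical Password:", "TPM:", ...) followed by an indented "ID: {GUID}" line.
    # Collect the GUID of every Numerical Password block; a volume may have several.
    $out = & manage-bde.exe -protectors -get $Vol 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Vol failed: $($out -join ' ')" }
    $ids = @()
    $inNumericalBlock = $false
    foreach ($line in $out) {
        $text = "$line".Trim()
        if ($text -match '^Numerical Password:') { $inNumericalBlock = $true; continue }
        if ($inNumericalBlock -and $text -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumericalBlock = $false   # the ID line is all we need from this block
        }
    }
    return $ids
}

if (-not (Test-IsElevated)) {
    throw 'manage-bde needs an elevated (Run as administrator) session.'
}

$lock = Get-VolumeLockStatus -Vol $Volume
if ($lock -ne 'Unlocked') {
    # This is the "operation cannot be performed because the volume is locked" case:
    # manage-bde cannot read or back up protectors from a volume it cannot open.
    throw "$Volume is '$lock'; unlock it before attempting the AD DS backup."
}

$ids = @(Get-NumericalPasswordIds -Vol $Volume)
if ($ids.Count -eq 0) {
    throw "$Volume has no Numerical Password protector; add one with 'manage-bde -protectors -add $Volume -RecoveryPassword' and rerun."
}

foreach ($id in $ids) {
    $result = & manage-bde.exe -protectors -adbackup $Volume -id $id 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Backed up recovery password $id for $Volume to AD DS."
    } else {
        # Typical causes: the account lacks write permission on the computer object in AD,
        # or the schema/policy for storing recovery information is not in place.
        Write-Warning "AD DS backup of $id failed (exit $LASTEXITCODE): $($result -join ' ')"
    }
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt on each affected machine (or push it through a startup script / scheduled task running as SYSTEM, which has the right to write to its own computer object when the policy is configured). To confirm the backup actually landed, look in the Microsoft-Windows-BitLocker-API/Management event log for event ID 775 (recovery information successfully backed up to AD DS; 776 is the failure event), and check that the computer account in Active Directory now has an ms-FVE-RecoveryInformation child object whose name contains the same protector GUID.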

