How to backup recovery information in AD after BitLocker is turned ON in Windows 7

Hello,

My name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover “How to backup recovery information in Active Directory (AD) after Bitlocker is turned ON in Windows 7 and above.”

In this blog, I will try to answer a question we are asked often: "How do I save the BitLocker recovery information to Active Directory after BitLocker has already been enabled?"

This situation can arise under any of the following conditions, among others:

  1. The machine was encrypted with BitLocker before it was joined to the domain.
  2. The machine was not connected to the network when BitLocker was enabled, so the recovery information could not be saved to AD DS.
  3. The Group Policy setting that saves recovery information to AD was not enabled at the time of encryption.

To solve this, use the manage-bde.exe command on the client machine to save the recovery information to AD. You do not need to decrypt and re-encrypt the drive to store the recovery information in AD.

Before you use the command line, verify that the client machine has received the Group Policy setting that allows recovery information to be saved to AD. Check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE on the client machine for the following values:

  • To allow backup of recovery information for operating system drives to AD, the value OSActiveDirectoryBackup must be set to 1.
  • To allow backup of recovery information for fixed data drives to AD, the value FDVActiveDirectoryBackup must be set to 1.
  • To allow backup of recovery information for removable data drives to AD, the value RDVActiveDirectoryBackup must be set to 1.

If these values are not set, you will not be able to back up the recovery information for the corresponding drive type to AD. In that case, verify that the Group Policy to back up recovery information to AD is configured as described in this blog (http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx). Also ensure that the BitLocker Group Policies are actually applied to the OU the client is a member of, and that the policy has replicated to the domain controller from which the client receives Group Policy.

After the Group Policy has been applied on the client machine, open an elevated command prompt and run the commands below.

Note: You need local administrator rights to run manage-bde commands.

STEP 1: Get the ID of the volume's numerical password protector. The example below uses the C: drive:

manage-bde -protectors -get c:

Example:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: [Old Win7]
All Key Protectors
    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

    TPM And PIN:
      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}

In the output above, note the ID and Password of the Numerical Password protector.

STEP 2: Use the numerical password protector's ID from STEP 1 to back up the recovery information to AD

In the command below, replace the GUID after -id with the ID of the Numerical Password protector.

manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

You should now be able to view the recovery information for the volume in Active Directory.

For more information on Active Directory backup of BitLocker recovery information, refer to the TechNet article: http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

If you have to back up information for multiple machines, you can use the attached sample VBScript, which automates the backup of recovery information for all encrypted volumes on a machine.

Run the attached script from an elevated command window.

For example: cscript BDEAdBackup.vbs

The script writes logging information to C:\WINDOWS\TEMP\BDEAdBackup.log.
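As an added example (my code, not the attached BDEAdBackup.vbs or Microsoft's), the following PowerShell performs the policy check from the registry values above and then the STEP 1/STEP 2 backup for every protected volume on the machine, using the Win32_EncryptableVolume WMI class that the BitLocker tools expose; it exits with a non-zero code when any backup fails, so a deployment tool sees the failure. The log path, the Log helper and the mapping of VolumeType to the three policy values are my assumptions.

```powershell
# Added example, not the attached BDEAdBackup.vbs: check the FVE policy values, then back up
# every numerical password protector on every protected volume to AD DS. Run elevated.
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:windir 'TEMP\BDEAdBackup-ps.log'   # assumed log path

function Log([string]$msg) {
    Write-Output $msg
    Add-Content -Path $log -Value ("{0:s} {1}" -f (Get-Date), $msg)
}

# Policy value that must be 1 for each volume type (assumed mapping:
# VolumeType 0 = OS drive, 1 = fixed data drive, 2 = removable drive).
$policy = @{ 0 = 'OSActiveDirectoryBackup'; 1 = 'FDVActiveDirectoryBackup'; 2 = 'RDVActiveDirectoryBackup' }
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

$failures = 0
$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume'
foreach ($vol in $volumes) {
    if ($vol.ProtectionStatus -ne 1) { continue }   # 1 = protection on; skip the rest
    $drive = $vol.DriveLetter

    $valueName = $policy[[int]$vol.VolumeType]
    if (-not $fve -or $fve.$valueName -ne 1) {
        Log "${drive}: policy value $valueName is not 1, AD backup would be refused"
        $failures++
        continue
    }

    # KeyProtectorType 3 = Numerical Password, the only protector type stored in AD DS.
    $protectors = $vol.GetKeyProtectors(3)
    if ($protectors.ReturnValue -ne 0 -or -not $protectors.VolumeKeyProtectorID) {
        Log "${drive}: no numerical password protector found"
        $failures++
        continue
    }

    foreach ($id in $protectors.VolumeKeyProtectorID) {
        # Same operation as: manage-bde -protectors -adbackup <drive> -id <guid>
        $result = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($result.ReturnValue -eq 0) {
            Log "${drive}: backed up protector $id to Active Directory"
        } else {
            Log ("${drive}: backup of {0} failed with HRESULT 0x{1:X8}" -f $id, $result.ReturnValue)
            $failures++
        }
    }
}
# Non-zero exit code so a deployment tool treats a failed backup as a failure, not a success.
exit $failures
```

A returned HRESULT in the log (rather than a silent success) is what to watch for when the policy has replicated but the backup still fails.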

Disclaimer:

© 2013 Microsoft Corporation. All rights reserved. Sample script provided in this blog is not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

We hope this blog helped you understand and address the situation. 

Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Customer Service and Support
Himanshu Singh
Support Escalation Engineer
Microsoft Customer Service and Support
 

Attachment: BDEAdBackup.vbs
  • Very informative thanks for sharing.

  • Thanks Manoj,

    Any way to get only the IDs returned in an array, to build a script around it?  There's a really nice vbs on the MS site that will enable the TPM and Bitlocker and store the keys. http://go.microsoft.com/fwlink/?LinkID=151997

    But as far as I can tell, if it finds the drive is BitLocker enabled already, it doesn't check to see if the recovery key is in AD and put it there if not.

    I might like to try to modify it to do so.

  • Very helpful.  However, I've run into a similar situation where I'm migrating BitLocker enabled machines into a new domain, but the version of manage-bde that comes with Vista does not appear to support the -adbackup parameter.  Is there some alternative way of forcing the recovery key to back up to AD for Vista?    

  • Found my own answer.  For Vista machines that aren't backing up the recovery password to AD, the following two commands will regenerate the recovery password and trigger the backup to AD.  

    manage-bde -protectors -delete c: -type recoverypassword

    manage-bde -protectors -add c: -recoverypassword

  • Hi Guys,

    I have a Vista machine and I'm suffering from the same problem.

    I tried rufferto's suggestions, but now I get an error when I try to add a recovery password:

    ERROR: There was an error while trying to add a Numerical Password protector (code 0x8007054B)

    Any suggestions?

  • I've seen the same error message on a W2K8 server that was configured to save the recovery key and the recovery package to AD DS. After removing the policy I was able to encrypt the volume.

  • Hi,

    Does anybody know if there is a way to manually store the TPM Owner Information (msTPM-OwnerInformation attribute) to AD DS using a script or the command line?

  • Hi Manoj,

    this is a top-article! Really super useful information and great vbs.  I just used your script to update all bitlocker keys via SCCM in our environment.

    Thanks again!

    Christophe

  • I got the Bitlocker info up and I know the attribute for msTPM Ownership is correct + permissions set but which ID should be used to push TPM up to AD?

  • How to export ALL BitLocker recovery keys from Microsoft Windows Active Directory?

  • I would really appreciate if CVOS or someone else could tell me how to use SCCM to update all the BitLocker Keys

  • How do you manually back up the msTPM Ownership info? I found the only way to get the msTPM Ownership into Active Directory after a computer has been encrypted is to suspend BitLocker and then clear the TPM. Only then does the TPM reinitialize and write the msTPM Ownership to Active Directory.

  • I'm trying to use the BDEADbackup.vbs script from this post.  Thanks for the great post, but the script gives me an error on line 41.  There's a line continuation character but I'm not sure what should be on the next line.  I've included the code here below.  The Set line is where I get the error when trying to run the code.

    Private Function GetEncryptedVolumes()
        ' Needed so that the Err check below is reached instead of the script aborting
        On Error Resume Next
        ' wmiSec, VolEnc and objFile are defined elsewhere in the script
        Set GetEncryptedVolumes = GetObject(wmiSec & VolEnc & ":Win32_EncryptableVolume").Instances_
        If Err <> 0 Then
            ' A "_" continuation must be followed directly by the next line; a blank line breaks it
            objFile.WriteLine "Unable to connect to Win32_VolumeEncryption WMI Class" & vbNewLine & _
                "Bitlocker may not be enabled on this machine." & VbCrLf & _
                "Error Returned:" & vbNewLine & err.number & vbTab & err.description
            wscript.quit
        End If
        Err.clear
    End Function

  • Hi, can we discuss more on this BitLocker?

  • I noticed a slight problem with the script: even if it cannot store the recovery key to AD (I had the GPO misconfigured), the script still returns a success code. Only in the log file can the reason be read. But if I deploy this with SCCM, there will be a 100% successful deployment, even if it fails to write the key to AD.