Microsoft Enterprise Platforms Support: Windows Server Core Team
Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover “How to backup recovery information in AD after Bitlocker is turned ON in Windows 7.”
A common question we are asked is how do I save the recovery information for a Windows 7 machine which has Bitlocker turned ON.
This situation can arise when any of the following conditions are true, though the list is not exhaustive:
a) The machine is Bitlocker-encrypted prior to joining the domain.
b) The machine is not physically connected to the network when Bitlocker is enabled.
c) The GPO for saving Bitlocker recovery information is not set up correctly.
In that case, when you open Active Directory Users and Computers (in Server Manager), no msFVE-RecoveryInformation object appears under the computer that was encrypted.
In this situation you can use the manage-bde command on the client machine to store the recovery information in AD, instead of decrypting and re-encrypting the operating system drive just to get the recovery information stored. First verify that the client computer account is in the OU where the Bitlocker group policies are applied, then follow the steps below:
Open an elevated command prompt on the client computer and run the command below.
Note: local admin rights are required to run manage-bde commands.
c:> manage-bde -protectors -get c:
Example:
Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Old Win7]
All Key Protectors

    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

    TPM And PIN:
      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}
In output like the above, note the ID listed under Numerical Password (the recovery password protector).
Now run the command below, replacing the value after -id with the ID of your Numerical Password protector:
c:> manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Recovery information was successfully backed up to Active Directory.
To automate the same two steps, copy the text below and save it as a .vbs file.
Option Explicit
Dim strNumericalKeyID
Dim strManageBDE, strManageBDE2
Dim oShell
Dim StrPath
Dim StdOut, strCommand
Dim Result, TPM, strLine
Dim Flag, NumericalKeyID

Set oShell = CreateObject("WSCript.Shell")

'====================================================================================
'This section looks for the Bitlocker Key Numerical ID
strManageBDE = "Manage-BDE.exe -protectors -get c:" 'Bitlocker command to gather the ID
Flag = False
Set Result = oShell.Exec(strManageBDE) 'Runs the command and places the results in Result
Set TPM = Result.StdOut 'Sets the variable TPM to the output of the strManageBDE command

While Not TPM.AtEndOfStream
    strLine = TPM.ReadLine 'Sets strLine to the next line of output
    If InStr(strLine, "Numerical Password:") Then 'This section looks for the Numerical Password
        Flag = True
    End If
    If Flag = True Then
        If InStr(strLine, "ID:") Then 'This section looks for the ID
            NumericalKeyID = Trim(strLine) 'Trims the empty spaces from the "ID: {}" line
            NumericalKeyID = Right(NumericalKeyID, Len(NumericalKeyID) - 4) 'Drops the "ID: " prefix, leaving {GUID}
            Flag = False 'Stops the other lines from being collected
        End If
    End If
Wend

strManageBDE2 = "Manage-BDE.exe -protectors -adbackup C: -ID " & NumericalKeyID
oShell.Run strManageBDE2, 0, True 'Runs the Manage-bde command to back up the numerical password to AD.
Execute the script from the command line and it will back up the recovery password to AD.
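As an added example (not part of Manoj's post or any Microsoft script), the same procedure in PowerShell: it collects the ID of every Numerical Password protector from manage-bde -protectors -get, runs -adbackup for each, and then queries AD for the msFVE-RecoveryInformation objects that should now exist under the computer account. It assumes an elevated prompt on a domain-joined client; the $Drive parameter and the Get-NumericalPasswordIds function are mine.

```powershell
# Added example, not the original post's script. Requires an elevated prompt on a
# domain-joined client; $Drive (assumed parameter) defaults to the OS drive.
param([string]$Drive = 'C:')

function Get-NumericalPasswordIds {
    param([string[]]$ManageBdeOutput)
    # manage-bde prints "Numerical Password:" on one line and "ID: {GUID}" on the
    # next, so remember that we are inside that block and take the next ID line.
    $ids = @()
    $inNumerical = $false
    foreach ($line in $ManageBdeOutput) {
        if ($line -match 'Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumerical = $false
        }
    }
    return $ids
}

$output = & manage-bde -protectors -get $Drive 2>&1
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed for $Drive ($output)" }

# @() keeps an empty result an array so .Count works even when nothing matched.
$ids = @(Get-NumericalPasswordIds $output)
if ($ids.Count -eq 0) {
    throw "No Numerical Password protector on $Drive; add one before backing up to AD."
}

foreach ($id in $ids) {
    $result = & manage-bde -protectors -adbackup $Drive -id $id 2>&1
    if ($LASTEXITCODE -eq 0) { Write-Host "Backed up $id to AD" }
    # A failure here usually means the backup GPO is not applied or no DC is reachable.
    else { Write-Warning "Backup of $id failed: $result" }
}

# Verify: count msFVE-RecoveryInformation objects directly under this computer's AD object.
$computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
if ($computer) {
    $searcher = [adsisearcher]'(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchRoot = [adsi]($computer.Path)
    $searcher.SearchScope = 'OneLevel'
    $found = $searcher.FindAll().Count
    Write-Host "$found msFVE-RecoveryInformation object(s) stored for $env:COMPUTERNAME"
}
```

The verification step needs read access to the computer object's child objects; by default domain users can see that the objects exist, while reading the recovery password itself is restricted to delegated administrators.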
Disclaimer
© 2010 Microsoft Corporation. All rights reserved. Sample scripts in this guide are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Now, if you check the client computer object in AD, you should see an msFVE-RecoveryInformation object for this client computer.
For more information on Group Policies for Bitlocker, see my earlier blog post:
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Manoj Sehgal Senior Support Engineer Microsoft Enterprise Platforms Support
Very informative thanks for sharing.
Thanks Manoj,
Any way to get only the IDs returned in an array, to build a script around it? There's a really nice vbs on the MS site that will enable the TPM and Bitlocker and store the keys. http://go.microsoft.com/fwlink/?LinkID=151997
But as far as I can tell, if it finds the drive is Bitlocker enabled already, it doesn't check to see if the recovery key is in AD and put it there if not.
I might like to try to modify it to do so.
Very helpful. However, I've run into a similar situation where I'm migrating BitLocker enabled machines into a new domain, but the version of manage-bde that comes with Vista does not appear to support the -adbackup parameter. Is there some alternative way of forcing the recovery key to back up to AD for Vista?
Found my own answer. For Vista machines that aren't backing up the recovery password to AD, the following two commands will regenerate the recovery password and trigger the backup to AD.
manage-bde -protectors -delete c: -type recoverypassword
manage-bde -protectors -add c: -recoverypassword
Hi Guys,
I have a Vista machine and I'm suffering from the same problem.
I tried rufferto's suggestions, but now I get an error when I try to add a recovery password:
ERROR: There was an error while trying to add a Numerical Password protector (code 0x8007054B)
Any suggestions?
I've seen the same error message on a W2K8 server that was configured to save the recovery key and the recovery package to AD DS. After removing the policy I was able to encrypt the volume.
Hi,
Does anybody know if there is a way to manually store the TPM Owner Information (msTPM-OwnerInformation attribute) in AD DS using a script or the command line?
Hi Manoj,
This is a top article! Really super useful information and great vbs. I just used your script to update all Bitlocker keys via SCCM in our environment.
Thanks again!
Christophe
I got the Bitlocker info up and I know the attribute for msTPM Ownership is correct + permissions set but which ID should be used to push TPM up to AD?
How to export ALL Bitlocker Recovery Keys from Microsoft Windows Active Directory?
I would really appreciate if CVOS or someone else could tell me how to use SCCM to update all the BitLocker Keys
How do you manually back up the msTPM Ownership info? I found the only way to get the msTPM Ownership into Active Directory after a computer has been encrypted is to suspend Bitlocker, then clear the TPM. Only then does the TPM reinitialize and write the msTPM Ownership to Active Directory.