How to backup recovery information in AD after BitLocker is turned ON in Windows 7

Hello,

My name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover “How to backup recovery information in Active Directory (AD) after Bitlocker is turned ON in Windows 7 and above.”

In this blog, I will try to answer a question we are asked often: ‘How do I save the bitlocker recovery information to Active Directory after bitlocker is enabled?’

This situation can arise when any of the following conditions is true, although the list is not exhaustive:

  1. The machine was bitlocker’ed prior to domain join.
  2. The machine was not connected to the network when bitlocker was enabled, hence the recovery information couldn’t be saved to AD-DS.
  3. The group policy setting to save the recovery information to AD was not enabled at the time of encryption.

To solve this situation, you can use the manage-bde.exe command from the client machine to save the recovery information in AD. You do not need to decrypt and re-encrypt the drive to store the recovery information in AD.

Before you use the command line, verify that the client machine has received the group policy setting to save the information to AD. Review the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE on the client machine for the following values:

  • To allow backup of recovery information for operating system drives to AD, the value OSActiveDirectoryBackup should be set to 1.
  • To allow backup of recovery information for fixed data drives to AD, the value FDVActiveDirectoryBackup should be set to 1.
  • To allow backup of recovery information for removable data drives to AD, the value RDVActiveDirectoryBackup should be set to 1.

If these values are not set, you won’t be able to back up the recovery information of the respective drive type to AD. In that case verify that the group policy to back up information to AD is configured as described in this blog (https://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx). Also, ensure that the bitlocker group policies are actually linked to the OU the client is a member of, and that the group policy has replicated to the domain controller from which the client receives group policy.

After the group policy is successfully applied on the client machine, open an elevated command prompt and run the commands below.


Note: You require local admin rights to run manage-bde commands.

STEP 1: Get the ID of the numerical password protector of the volume. In the example below we are using the C: drive:

manage-bde -protectors -get c:

Example:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: [Old Win7]
All Key Protectors
    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

    TPM And PIN:
      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}

In the above result, you will find the ID and Password of the Numerical Password protector.

STEP 2: Use the numerical password protector’s ID from STEP 1 to back up the recovery information to AD

In the below command, replace the GUID after the -id with the ID of Numerical Password protector.

manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

You should now be able to view the recovery information for the volume in Active Directory.
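The PowerShell script below is an added example, not the blog's attached BDEAdBackup.vbs and not Microsoft code. It chains the checks and steps described above for one or more volumes: it reads the three FVE policy values, finds every Numerical Password protector by parsing the output of manage-bde -protectors -get (keying on the "Numerical Password:" section header rather than on a fixed line number, so it does not depend on which other protectors the volume has), runs manage-bde -protectors -adbackup for each ID, and exits non-zero when any backup fails so that a deployment tool sees the failure rather than only a log line. The function names, the parameters and the log path are this example's own assumptions.

```powershell
# Added example (not the blog's attached script). Assumes Windows 7 or later with
# manage-bde.exe on the PATH and an elevated PowerShell prompt (local admin).
param(
    [string[]]$MountPoints = @('C:'),
    # Log path is an assumption of this example, not the blog's BDEAdBackup.log.
    [string]$LogPath = "$env:SystemRoot\Temp\BDEAdBackup-ps.log"
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Check 0: did the client receive the "save recovery information to AD DS" policy?
# $DriveClass is OS, FDV or RDV, matching the value names under the FVE policy key.
function Test-FvePolicy([string]$DriveClass) {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $name   = '{0}ActiveDirectoryBackup' -f $DriveClass
    $item   = Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 1)
}

# Step 1: parse "manage-bde -protectors -get <vol>" and return only the IDs that sit
# under a "Numerical Password:" header. Returns an empty array if there is none.
function Get-NumericalPasswordProtectorId([string]$MountPoint) {
    $output = & manage-bde.exe -protectors -get $MountPoint 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -protectors -get $MountPoint failed (exit $LASTEXITCODE): $($output -join ' ')"
    }
    $ids = @()
    $section = ''
    foreach ($line in $output) {
        # A protector type header is a line such as "    Numerical Password:" with
        # nothing after the colon; "ID: {...}" lines carry text after the colon.
        if ($line -match '^\s*([A-Za-z ]+):\s*$') { $section = $Matches[1].Trim(); continue }
        if ($section -eq 'Numerical Password' -and
            $line -match '^\s*ID:\s*(\{[0-9A-Fa-f\-]{36}\})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

# Step 2: back one protector up to AD DS. The ID travels in a variable, so PowerShell
# hands "{GUID}" to manage-bde as a single argument; typed literally at a PowerShell
# prompt the braces and hyphens must be quoted, which is the "parameter ID requires
# an argument" error seen in the comments.
function Backup-ProtectorToAD([string]$MountPoint, [string]$ProtectorId) {
    $result = & manage-bde.exe -protectors -adbackup $MountPoint -id "$ProtectorId" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "FAILED  $MountPoint $ProtectorId : $($result -join ' ')"
        return $false
    }
    Write-Log "OK      $MountPoint $ProtectorId"
    return $true
}

$failures = 0
foreach ($class in 'OS', 'FDV', 'RDV') {
    if (-not (Test-FvePolicy $class)) {
        Write-Log "Policy value ${class}ActiveDirectoryBackup is not 1; backups for that drive class will be refused."
    }
}
foreach ($mp in $MountPoints) {
    try {
        $ids = @(Get-NumericalPasswordProtectorId $mp)
        if ($ids.Count -eq 0) {
            Write-Log "No Numerical Password protector found on $mp; nothing to back up."
            $failures++
            continue
        }
        foreach ($id in $ids) {
            if (-not (Backup-ProtectorToAD $mp $id)) { $failures++ }
        }
    } catch {
        Write-Log "ERROR   $mp : $_"
        $failures++
    }
}
# Non-zero exit code = at least one volume was not backed up.
exit $failures
```

Run it as `.\Backup-BitLockerToAD.ps1 -MountPoints C:, D:` from an elevated PowerShell prompt (the file name is the example's own). A volume that is locked, has no numerical password protector, or is refused by policy is reported in the log and counted as a failure; the exit code is the number of failures, which is what a scheduled task or SCCM deployment can act on.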

For more information on Active Directory backup of bitlocker recovery information, refer to the TechNet article: https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

In case you have to back up information for multiple machines, you may use the attached sample VBScript, which automates the backup of recovery information for all encrypted volumes on the machine.

You may execute the attached script from an elevated command window.

For Example: cscript BDEAdBackup.vbs

This script writes logging information to C:\WINDOWS\TEMP\BDEAdBackup.log file.

Disclaimer:

© 2013 Microsoft Corporation. All rights reserved. Sample script provided in this blog is not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

We hope this blog helped you understand and address the situation.

BDEAdBackup.vbs

Comments

  • Anonymous
    January 01, 2003
    Very informative thanks for sharing.
  • Anonymous
    January 01, 2003
    I noticed a slight problem with the script - even if it cannot store the recovery key to AD (I had the GPO misconfigured), the script does return a success code. Only in the log file can the reason be read. But if I deploy this with SCCM, there will be a 100% successful deployment, even if it fails to write the key to AD.
  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    January 01, 2003
    Thanks Manoj. Any way to get only the IDs returned in an array, to build a script around it? There's a really nice vbs on the MS site that will enable the TPM and Bitlocker and store the keys: http://go.microsoft.com/fwlink/?LinkID=151997 But as far as I can tell, if it finds the drive is bitlocker enabled already, it doesn't check to see if the recovery key is in AD and put it there if not. I might like to try to modify it to do so.
  • Anonymous
    January 01, 2003
    I have also had a problem with the BDEAdBackup.vbs script. In my case the client had volume C: encrypted but not other volumes like D: or E:. That's why I got an error like this:
    bdeadbackup.vbs(68, 21) Microsoft VBScript runtime error: Subscript out of range: '[number: 0]'

    As a workaround I included a check whether the volume is protected by Bitlocker - code snippet:

    For Each evol In EncryptedVols
    ...
        'See if the volume is locked or not. If the Volume is Locked, we cannot backup information to AD-DS.
    ....
        If evol.ProtectionStatus = 1 Then
        ...
        Else
            objFile.WriteLine "Volume is not protected."
        End If
    Next

    Now you can simply run it as a scheduled task for each client every day if your domain is connected.

    Bests
    Christoph
  • Anonymous
    January 01, 2003
    Christoph, would you mind pasting your version in? I can't figure out where to put your code.
  • Anonymous
    June 24, 2010
    Very helpful. However, I've run into a similar situation where I'm migrating BitLocker enabled machines into a new domain, but the version of manage-bde that comes with Vista does not appear to support the -adbackup parameter. Is there some alternative way of forcing the recovery key to back up to AD for Vista?
  • Anonymous
    July 13, 2010
    Found my own answer. For Vista machines that aren't backing up the recovery password to AD, the following two commands will regenerate the recovery password and trigger the backup to AD.

    manage-bde -protectors -delete c: -type recoverypassword
    manage-bde -protectors -add c: -recoverypassword
  • Anonymous
    October 04, 2010
    Hi Guys, I have a Vista machine and I'm suffering from the same problem. I tried rufferto's suggestions, but now I get an error when I try to add a recovery password:

    ERROR: There was an error while trying to add a Numerical Password protector (code 0x8007054B)

    Any suggestions?
  • Anonymous
    December 15, 2010
    I've seen the same error message on a W2K8 server that was configured to save the recovery key and the recovery package to AD DS. After removing the policy I was able to encrypt the volume.
  • Anonymous
    January 11, 2012
    Hi Manoj, this is a top article! Really super useful information and great vbs. I just used your script to update all bitlocker keys via SCCM in our environment. Thanks again! Christophe
  • Anonymous
    January 20, 2012
    I got the Bitlocker info up and I know the attribute for msTPM Ownership is correct + permissions set but which ID should be used to push TPM up to AD?
  • Anonymous
    July 04, 2012
    how to Export ALL Bitlocker Recovery Keys from Microsoft Windows Active Directory
  • Anonymous
    November 28, 2012
    I would really appreciate if CVOS or someone else could tell me how to use SCCM to update all the BitLocker Keys
  • Anonymous
    March 01, 2013
    how do you manually backup the msTPM Ownership info ? I found the only way to get the msTPM Ownership into active directory after a computer has been encrypted is to suspend bitlocker then clear the tpm. Only then does tpm reinitialize and write the msTPM Ownership to active directory
  • Anonymous
    September 30, 2013
    The comment has been removed
  • Anonymous
    December 11, 2013
    Hi, can we discuss more on this bitlocker?
  • Anonymous
    June 20, 2014
    Really nice, concise and useful
  • Anonymous
    June 23, 2014
    When we use this command manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E} we receive the error parameter "ID" requires an argument. We were hoping to use this to populate the Bitlocker recover tab in AD for encrypted machines that did not populate the recovery key in AD.
    • Anonymous
      May 10, 2016
      Hi Brit, Make sure you are using an administrative command prompt and not a PowerShell prompt. I just had the same problem.
      • Anonymous
        February 14, 2017
        Thanks Iain. This solved my issue! Looks to be an issue where Powershell doesn't correctly identify multiple '-' in the numerical password and tries to parse each as a separate option/flag.
        • Anonymous
          March 21, 2017
          Hi David, how did you solve the above error? Can you please explain? I am receiving this error even in administrator mode. Please help
          • Anonymous
            June 30, 2017
            Kiran, the numerical key needs single quotes around it.
          • Anonymous
            October 18, 2017
            In other words the argument needs to be manage-bde -protectors -adbackup c: -id "{YOUR ID HERE}"
  • Anonymous
    July 06, 2014
    Hi

    Do you have a MDT version of the BDEAdBackup script?
  • Anonymous
    August 08, 2014
    The comment has been removed
  • Anonymous
    October 24, 2014
    Has there been any movement on how to automate this Domain-wide? I have several machines that were joined to the domain before enabling BitLocker Recovery or were added to the wrong OU and therefore never had the GPO applied. I'd like to add their BitLocker keys to AD, but I cannot go to every machine and run the script (many of the machines are overseas). Anyone know how to automate this process?
  • Anonymous
    February 06, 2015
    Nice, but you have forgotten one thing: what if it shows only information about the external key and external key file name, and nothing else?
    What will you do in this case, when you need the recovery key and you cannot use the password?
    If you are really the expert in bitlocker then you have the solution; if not, let me know, my e-mail is vijay123@hotmail.de. I will wait for your answer^^
  • Anonymous
    February 12, 2015
    AFTER All Key Protectors IT IS SHOWING NO PROTECTOR FOUND ...PLZZZZZZZZZZZZZZZZZZZZZ SUGGEST
  • Anonymous
    September 24, 2015
    When using BitLocker2go and automatically uploading recovery info to AD, how do I solve the problem should a user get a replacement device & their OLD computer object in AD gets purged (through standard cleanup process)? In other words, we need to be able to re-write the recovery key data from existing encrypted removable media once used on a new device.
    Thanks!
  • Anonymous
    April 05, 2016
    I visit a few sites and websites every day to read articles, however this weblog provides feature based articles.
  • Anonymous
    June 17, 2016
    For anyone interested, here's a batch routine that does this automagically:

    @Echo off
    If Not Exist C:\temp mkdir C:\temp
    rem Line 8 of the numbered output is the "ID:" line of the Numerical Password protector in this layout
    manage-bde -protectors -get C: | findstr /N /R "ID: " | findstr /B "8:" > c:\temp\blid.txt
    echo ------------------------------------
    for /F "tokens=3" %%a IN (c:\temp\blid.txt) do set BLID=%%a
    echo Bitlocker ID: %BLID%
    manage-bde -protectors -adbackup C: -id %BLID%
    echo ------------------------------------
    del c:\temp\blid.txt
  • Anonymous
    July 05, 2016
    I was able to make a fairly simple script in powershell to accomplish this. Thanks for the article, it was just what I was looking for. See below for the script I put together.

    $Key = manage-bde -protectors -get C:
    $Key = ($Key -replace " ","") | where { $_ -match "^ID:" }   # one element per "ID:" line, spaces stripped
    $key = $key[1] -replace "ID:",""                            # [1]: the numerical password is the second protector listed in this layout
    manage-bde -protectors -adbackup C: -id $key
  • Anonymous
    September 28, 2016
    The comment has been removed
  • Anonymous
    April 14, 2017
    GetEncryptedVolumes returns all EncryptableVolumes, even those which are not encrypted. So within the BackupADDS function I added an additional sub condition to be sure that the volume is encrypted before trying to back up anything.
    > If evol.ProtectionStatus = 1 Then

    Private Function BackupADDS(ByVal EncryptedVols)
        'On Error Resume Next
        Dim evol, vLockStat, vProtectID
        objFile.WriteLine "Starting To backup recovery infromation to AD-DS for bitlocker enabled volume(s)"
        For Each evol In EncryptedVols
            WScript.Echo "Processing Volume: " & evol.DriveLetter
            WScript.Echo "ProtectionStatus: " & evol.ProtectionStatus
            'Check that the ProtectionStatus is 1 means : The volume is fully encrypted and the encryption key for the volume is not available in the clear on the hard disk.
            '> https://msdn.microsoft.com/en-us/library/windows/desktop/aa376483(v=vs.85).aspx
            If evol.ProtectionStatus = 1 Then
                'See if the volume is locked or not. If the Volume is Locked, we cannot backup information to AD-DS.
                objFile.WriteLine "Checking if the volume is unlocked."
                Dim VolLockStat : VolLockStat = evol.GetLockStatus(vLockStat)
                Select Case vLockStat
                    Case 0
                        objFile.WriteLine "Volume is unlocked, getting the protector ID for numerical password."
                        Dim GetProtect: GetProtect = evol.GetKeyProtectors(3, vProtectID)
                        If GetProtect <> 0 Then
                            objFile.WriteLine "Error getting ID for numerical password protector of volume " & evol.DriveLetter & ", " & GetProtect
                            objFile.WriteLine "Error Returned: " & Err.Number & ", " & Err.Description
                        Else
                            objFile.WriteLine "Backing up information to AD-DS."
                            WScript.Echo "vProtectID(0):" & vProtectID(0)
                            Dim BkpStat : BkpStat = evol.BackupRecoveryInformationToActiveDirectory(vProtectID(0))
                            If BkpStat <> 0 Then
                                objFile.WriteLine "Backup to AD-DS failed for volume " & evol.DriveLetter
                                objFile.WriteLine "Error Returned: " & Err.Number & ", " & Err.Description
                            Else
                                objFile.WriteLine "Backup to AD-DS successful for volume " & evol.DriveLetter
                            End If
                        End If
                    Case 1
                        'try to disable the key protectors so that we can access the drive
                        objFile.WriteLine "Volume is locked, cannot backup recovery information to AD-DS."
                End Select
            End If
        Next
        Err.clear
    End Function
  • Anonymous
    June 30, 2017
    This article is inaccurate. There needs to be single quotes around the numerical password ID. EX: manage-bde -protectors -adbackup c: -id '{DFB478E6-8B3F-4DCA-9576-C1905B49C71E}'
    • Anonymous
      August 29, 2017
      If you do it via powershell, something like enter-pssession or invoke-command machinename, etc., then you need quotes. But if you do it via CMD, then it works just fine without quotes.
  • Anonymous
    November 19, 2017
    Great info on how to turn it on. But my question is, we have a 3rd party software that manages the keys, and we are in the early stage of upgrading to Win10. When we try to delete the computer in the AD prior to doing a image, we are seeing that BitLocker has stored a key in the AD as we see this as an object msFVE-RecoveryPassword. It is happening randomly. Is there an easy way to reversing it so for the devices that have it appearing in the AD, that it can be removed before we try to delete it? I've been told that we don't have a policy setup to do this in our environment.
  • Anonymous
    January 29, 2018
    Is it possible to store the BitLocker Recovery Key on a RODC?