Backing Up BitLocker and TPM Recovery Information to AD DS
Updated: July 10, 2014
Applies To: Windows 7, Windows Server 2008 R2
You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.
Using AD DS to store BitLocker recovery information
Backing up recovery passwords for a BitLocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.
Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
In a default BitLocker installation, recovery information is not backed up and local users must be responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, the administrator cannot easily get access to the drive. To mitigate this situation, administrators can configure Group Policy settings to enable backup of BitLocker and TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup.
You should also configure AD DS before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be automatically added to AD DS. If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled by using either the Manage-bde command-line tool or the BitLocker Windows Management Instrumentation (WMI) provider. For more information about the WMI provider, see the MSDN topic BackupRecoveryInformationToActiveDirectory Method of the Win32_EncryptableVolume Class (http://go.microsoft.com/fwlink/?LinkId=167132).
Important
You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.
If you are running Windows Server 2008 R2 or Windows Server 2008, follow the same process described for Windows Server 2003 with SP1 or later, with one exception: you do not need to update the schema as described later in this document.
Important
You should perform the steps described in the following topics in a test or pre-production environment prior to deploying to production environments.
Before you begin
Download and review the following sample scripts, which are used in the following procedures to configure AD DS for backing up BitLocker recovery information:
- Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133): This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS.
- List-ACEs.vbs (http://go.microsoft.com/fwlink/?LinkId=167134): This script lists or removes the ACEs configured on BitLocker and TPM schema objects for the top-level domain so that you can verify that the expected ACEs have been added appropriately or remove any ACEs related to BitLocker or the TPM if necessary.
- Get-TPMOwnerInfo.vbs (http://go.microsoft.com/fwlink/?LinkId=167135): This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly.
- Get-BitLockerRecoveryInfo.vbs (http://go.microsoft.com/fwlink/?LinkId=167136): This script retrieves BitLocker recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up BitLocker recovery information and verify that the information is being backed up correctly.
Note
If you will use a domain controller running Windows Server 2003 with SP1 or SP2, you will need to apply the schema extension (BitLockerTPMSchemaExtension.ldf) to store BitLocker and TPM passwords in Active Directory. This file can be downloaded from the Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information download page.
This topic includes the following sections:
- Storing BitLocker recovery information in AD DS
- Storing TPM recovery information in AD DS
- Configuring AD DS
- Testing your Active Directory configuration
- Troubleshooting common problems with AD DS backup
Storing BitLocker recovery information in AD DS
Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object.
Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object because multiple recovery passwords can be associated with a BitLocker-protected drive and multiple BitLocker-protected drives can be associated with a computer.
The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The form is:
<Object Creation Date and Time><Recovery GUID>
For example:
2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}
The common name (CN) for the BitLocker recovery object is ms-FVE-RecoveryInformation. Each ms-FVE-RecoveryInformation object has the following attributes:
- ms-FVE-RecoveryPassword: This attribute contains the 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.
- ms-FVE-RecoveryGuid: This attribute contains the GUID associated with a BitLocker recovery password. When in BitLocker's operating system drive recovery mode and when attempting to recover a data drive from within the operating system, this GUID is displayed to the user so that the correct recovery password can be located to unlock the drive. This GUID is also included in the name of the recovery object.
- ms-FVE-VolumeGuid: This attribute contains the GUID associated with a BitLocker-protected drive. While the recovery password identifier (stored in ms-FVE-RecoveryGuid) is unique for each recovery password, this drive identifier is unique for each BitLocker-protected drive.
- ms-FVE-KeyPackage: This attribute contains a drive's BitLocker encryption key secured by the corresponding recovery password. With this key package and the recovery password (stored in ms-FVE-RecoveryPassword), you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier (stored in ms-FVE-VolumeGuid). You must use the BitLocker Recovery Password Viewer to make use of this key package. For more information, see BitLocker Recovery Password Viewer for Active Directory.
If you want to verify that your AD DS (or Active Directory) schema has the required attributes to back up TPM and BitLocker recovery information, follow the instructions in Verify BitLocker and TPM Schema Objects.
Storing TPM recovery information in AD DS
There is only one TPM owner password per computer. When the TPM is initialized or when this password is changed, the hash of the TPM ownership password gets backed up as an attribute of the computer object.
The common name (CN) for the TPM attribute is ms-TPM-OwnerInformation.
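As an added example that is not part of this guide or its sample scripts, the following PowerShell script reads the objects described in the two sections above from AD DS for one computer: it checks whether the computer object carries a backed-up TPM owner hash, lists the ms-FVE-RecoveryInformation children of the computer object, splits each 63-character name into its creation timestamp and recovery GUID, decodes the binary GUID attributes, confirms that the GUID in the name matches ms-FVE-RecoveryGuid, and reports whether a key package was stored. It uses only [ADSI] and DirectorySearcher (no RSAT module) and assumes a domain-joined machine, an account allowed to read the confidential attributes (domain administrators by default), and the LDAP display names msFVE-RecoveryInformation, msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, msFVE-KeyPackage and msTPM-OwnerInformation for the objects the guide names by CN. The -ShowPassword switch is this script's own; the 48-digit password stays hidden unless it is given.

```powershell
# Added example, not part of the deployment guide or its sample scripts.
# Lists the ms-FVE-RecoveryInformation child objects of one computer account and checks
# the computer's ms-TPM-OwnerInformation attribute, using only [ADSI]/DirectorySearcher.
# Assumptions: domain-joined machine; the caller may read the confidential attributes;
# LDAP display names as written in the property names below.
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,  # sAMAccountName without the trailing '$'
    [switch] $ShowPassword                                  # the 48 digits unlock the drive, so hide them by default
)

$domainDn = ([ADSI] 'LDAP://RootDSE').defaultNamingContext
$finder = New-Object System.DirectoryServices.DirectorySearcher ([ADSI] "LDAP://$domainDn")
$finder.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$finder.PropertiesToLoad.Add('mstpm-ownerinformation') | Out-Null   # ldapDisplayName of ms-TPM-OwnerInformation
$hit = $finder.FindOne()
if (-not $hit) { throw "Computer object '$ComputerName' not found under $domainDn" }

# The TPM owner password hash is an attribute of the computer object itself (one per computer).
$hasTpmOwnerInfo = $hit.Properties.Contains('mstpm-ownerinformation')
"{0}: ms-TPM-OwnerInformation present = {1}" -f $hit.Path, $hasTpmOwnerInfo

# Recovery objects are children of the computer object, so search one level below it.
$finder.SearchRoot = $hit.GetDirectoryEntry()
$finder.SearchScope = 'OneLevel'
$finder.Filter = '(objectClass=msFVE-RecoveryInformation)'
$finder.PropertiesToLoad.Clear()
$finder.PropertiesToLoad.AddRange([string[]] @('name', 'msfve-recoveryguid', 'msfve-volumeguid', 'msfve-recoverypassword', 'msfve-keypackage'))

# Name layout from the guide: 25-character creation timestamp followed by the 38-character {GUID}.
$namePattern = '^(?<created>.{25})(?<guid>\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$'

foreach ($entry in $finder.FindAll()) {
    $name = [string] $entry.Properties['name'][0]
    $m = [regex]::Match($name, $namePattern)
    # The two GUID attributes are octet strings; rebuild System.Guid from the 16 raw bytes.
    $recoveryGuid = New-Object System.Guid (,[byte[]] $entry.Properties['msfve-recoveryguid'][0])
    $volumeGuid   = New-Object System.Guid (,[byte[]] $entry.Properties['msfve-volumeguid'][0])
    $password     = [string] $entry.Properties['msfve-recoverypassword'][0]
    $created      = if ($m.Success) { $m.Groups['created'].Value } else { '<unexpected name format>' }
    # The GUID embedded in the object name must be the same one stored in ms-FVE-RecoveryGuid.
    $consistent   = $m.Success -and ($m.Groups['guid'].Value -ieq $recoveryGuid.ToString('B'))
    $shown        = if ($ShowPassword) { $password } else { '<hidden; rerun with -ShowPassword>' }
    New-Object PSObject -Property @{
        Created          = $created
        RecoveryGuid     = $recoveryGuid.ToString('B')
        NameMatchesGuid  = $consistent
        VolumeGuid       = $volumeGuid.ToString('B')
        HasKeyPackage    = $entry.Properties.Contains('msfve-keypackage')
        RecoveryPassword = $shown
    }
}
```

Run it as .\Get-RecoveryObjects.ps1 -ComputerName CLIENT01 (the file name is yours to choose). Run from an account that is not a domain administrator, the recovery objects are returned without the confidential attributes, so RecoveryPassword comes back empty and HasKeyPackage is false; that is the expected effect of the confidential searchFlags described under "Check general prerequisites", and a non-administrator seeing the password is the permission problem covered under Troubleshooting.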
Configuring AD DS
Complete the following tasks to configure AD DS to back up BitLocker and TPM recovery information.
Check general prerequisites
Ensure that the following prerequisites are met:
- All domain controllers accessible by BitLocker-capable client computers are running Windows Server 2003 with SP1 or SP2. On each domain controller, click Start, right-click My Computer, and then click the General tab.
  Important
  If the General tab lists Windows Server 2003 but no service pack information, you need to install a service pack to be able to back up BitLocker recovery information to AD DS. For more information, see Windows Server 2003 Service Packs (http://go.microsoft.com/fwlink/?LinkID=43106).
- The BitLocker and TPM schema extension marks selected attributes as "confidential" by using the "searchFlags" property. The "confidential" flag is a feature available in Windows Server 2003 with SP1 and later. With this feature, only domain administrators and appropriate delegates have Read access to attributes marked with the confidential flag.
- BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed-functional-level environments (or upgraded), because backed up BitLocker and TPM information will not be protected on those domain controllers.
- You have domain administrator privileges in the target forest or are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Schema Admins group are examples of accounts that have the appropriate permissions.
- You have obtained the following files:
  - BitLockerTPMSchemaExtension.ldf if you need to extend the Active Directory schema.
  - Add-TPMSelfWriteACE.vbs to allow the computer account to back up the TPM owner information to AD DS.
Extend the schema (Windows Server 2003 domain controllers only)
The following procedure extends the schema to allow information to be saved in Active Directory.
Important
If your domain controller is running Windows Server 2008 or Windows Server 2008 R2, you do not need to complete this procedure. These operating systems already include the necessary schema extensions.
To extend the Active Directory schema with BitLocker and TPM attributes
1. Log on with a domain account in the Schema Admins group. This account must be used to extend the schema.
   By default, the built-in Administrator account in the forest root domain is part of the Schema Admins group. For more information, see the section "Granting access rights to make schema changes" in How the Active Directory Schema Works (http://go.microsoft.com/fwlink/?LinkID=79649).
2. Verify that your Windows Server installation enables schema updates.
   In Windows Server 2003, Active Directory schema updates are enabled by default. For more information, including the steps required to enable schema updates, see article 285172 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79644).
3. Verify that you have access to the domain controller that is the schema operations master in the Active Directory forest. Schema updates can only be performed at the schema operations master.
4. Download and review BitLockerTPMSchemaExtension.ldf from the Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information download page (http://go.microsoft.com/fwlink/?LinkID=167137). This file contains the schema extension.
   For reference information about schema extensions, see How the Active Directory Schema Works (http://go.microsoft.com/fwlink/?LinkId=79649).
5. Use the Ldifde command-line tool to extend the schema on the domain controller that serves as the schema operations master. For example, to import the schema extension on a domain named nttest.microsoft.com, log on as a user in the Schema Admins group, and then type the following at a command prompt:
   ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
   This command should be entered as one line. The trailing period (.) is part of the command.
   The use of -k suppresses "Object Already Exists" errors if portions of the schema already exist. The use of -j . saves an extended log file to the current working directory.
   For more information about Ldifde parameters, see article 237677 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79650).
Set the required permissions for backing up TPM password information
The following procedure adds an access control entry (ACE) so that backing up TPM recovery information is possible.
A client computer running Windows 7 can back up BitLocker recovery information under the computer object's default permission. However, a client computer running Windows 7 cannot back up TPM owner information unless this additional ACE is added.
Review the topic Default AD DS Permissions for a Computer Object, in the appendices, to learn about the default AD DS permissions on the computer class object that contains the BitLocker recovery information class and the TPM owner information attribute.
To add an ACE to allow TPM recovery information to be backed up
1. Download and review Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133) from the download page.
2. Modify Add-TPMSelfWriteACE.vbs as appropriate for your environment.
3. Type the following at a command prompt, and then press ENTER:
   cscript Add-TPMSelfWriteACE.vbs
This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for computer objects in the domain.
The sample script provided operates under the following assumptions:
- You have domain administrator privileges to set permissions for the top-level domain object.
- Your target domain is the same as the domain for the user account running the script.
  For example, running the script as TESTDOMAIN\admin will extend permissions for TESTDOMAIN. You might need to modify the sample script if you want to set permissions for multiple domains but do not have domain administrator accounts for each of those domains. Find the variable strPathToDomain in the script, and modify it for your target domain. The following is an example:
  "LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com"
- Your domain is configured so that permissions inherit from the top-level domain object to targeted computer objects.
  Permissions will not go into effect if any container in the hierarchy does not allow inherited permissions from the parent. By default, inheritance of permissions is set by AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permission. You can then verify your configuration as described later in this document, or by clicking the Effective Permissions button while viewing the properties of a computer object, to check that SELF can write the msTPM-OwnerInformation attribute.
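The following PowerShell script is an added example, not one of the guide's sample scripts, that performs the verification just described without the GUI: it reads the ACL of the top-level domain object and looks for the ACE that Add-TPMSelfWriteACE.vbs adds (an inheritable Allow of WriteProperty to NT AUTHORITY\SELF, object type ms-TPM-OwnerInformation, inherited object type computer), and optionally reads the ACL of one computer object to confirm that the ACE actually reached it, which is what fails when a container in between blocks inheritance. The two schemaIDGUIDs are taken from the List-ACEs.vbs sample output in the test scenario later in this document; the -ComputerName parameter and the function name are this script's own, and it assumes an account that can read the ACLs (domain administrators by default).

```powershell
# Added example, not one of the deployment guide's sample scripts.
# Checks that the SELF write ACE for ms-TPM-OwnerInformation exists on the domain object and,
# optionally, that it is inherited by a given computer object.
# Assumptions: caller can read the ACLs; GUIDs below are the schemaIDGUIDs shown in the
# List-ACEs.vbs output quoted in this guide (ObjectType and InheritedObjectType).
param(
    [string] $ComputerName   # optional: sAMAccountName (without '$') of a computer to test inheritance against
)

$tpmOwnerInfoGuid  = [Guid] 'AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE'   # ms-TPM-OwnerInformation attribute
$computerClassGuid = [Guid] 'BF967A86-0DE6-11D0-A285-00AA003049E2'   # computer class

function Test-TpmSelfWriteAce {
    param(
        [System.DirectoryServices.DirectoryEntry] $Entry,
        [ValidateSet('Domain', 'Computer')] [string] $Scope
    )
    # Explicit and inherited rules, identities resolved to NTAccount so SELF can be compared by name.
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne 'NT AUTHORITY\SELF') { continue }
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -eq 0) { continue }
        if ($rule.ObjectType -ne $tpmOwnerInfoGuid) { continue }
        $inh = $rule.InheritanceType
        if ($Scope -eq 'Domain') {
            # On the domain object the ACE must flow down to descendants and be scoped to computers
            # (AceFlags 10 = ContainerInherit|InheritOnly in the List-ACEs.vbs output).
            $flowsDown = ($inh -eq 'All') -or ($inh -eq 'Descendents')
            if ($flowsDown -and $rule.InheritedObjectType -eq $computerClassGuid) { return $true }
        } else {
            # On the computer object the inherited copy must apply to the object itself (not inherit-only).
            $appliesHere = ($inh -eq 'None') -or ($inh -eq 'All') -or ($inh -eq 'SelfAndChildren')
            if ($appliesHere) { return $true }
        }
    }
    return $false
}

$domainDn = ([ADSI] 'LDAP://RootDSE').defaultNamingContext
$domain   = [ADSI] "LDAP://$domainDn"
"Domain object {0}: SELF write ACE on ms-TPM-OwnerInformation for computer objects = {1}" -f `
    $domainDn, (Test-TpmSelfWriteAce -Entry $domain -Scope Domain)

if ($ComputerName) {
    $finder = New-Object System.DirectoryServices.DirectorySearcher $domain
    $finder.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $finder.FindOne()
    if (-not $hit) { throw "Computer '$ComputerName' not found in $domainDn" }
    $computer = $hit.GetDirectoryEntry()
    # A $false result here with $true above usually means an OU between the domain root and the
    # computer has 'Include inheritable permissions from this object's parent' turned off.
    "Computer object {0}: inherited SELF write ACE effective = {1}" -f `
        $computer.Properties['distinguishedName'][0], (Test-TpmSelfWriteAce -Entry $computer -Scope Computer)
}
```

Run it once right after cscript Add-TPMSelfWriteACE.vbs to confirm the domain-level ACE, and again with -ComputerName for a client in each OU tree where inheritance might have been blocked; it complements List-ACEs.vbs, which only reports the domain object.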
Configure Group Policy to enable backup of BitLocker and TPM recovery informatio
n in AD DS
These instructions are for configuring the local policy on a client computer running Windows 7. In a production environment, you would likely edit a Group Policy object (GPO) that applies to computers in the domain instead.
For more information about configuring a GPO in a Windows Server 2008 domain, see the Group Policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=147296).
Note
We recommend that you keep the default options when you enable each Group Policy setting. Be sure to read the Explain text before making any changes to understand the impact of the different options.
There are two separate procedures in this section: one for configuring the policy setting that is applied to computers running Windows Vista or Windows Server 2008 and the other for configuring the policy setting that is applied to computers running Windows 7 or Windows Server 2008 R2.
To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows Vista or Windows Server 2008
1. Log on to the computer with an account that has administrative credentials.
2. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER to open the Local Group Policy Editor.
3. In the console tree under Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.
4. In the details pane, double-click Store BitLocker recovery information in Active Directory (Windows Server 2008 and Windows Vista).
5. Click Enabled, and then configure the following settings as appropriate for your environment:
   - Select Require BitLocker backup to AD DS if you want to prevent users from enabling BitLocker on computers that are not currently able to connect to a domain controller. If this setting is not selected, BitLocker will attempt to store recovery information in AD DS, but if it fails for any reason BitLocker will still be enabled and the recovery information will not be present in AD DS for that drive.
   - In Select BitLocker recovery information to store, select either Recovery passwords and key packages or Recovery passwords only. Key packages are used with the Repair-bde command-line tool to perform specialized recovery when the disk is damaged or corrupted. For more information, see the Repair-bde.exe Parameter Reference.
6. Click OK to apply the policy settings and close the dialog box.
7. In the console tree under Computer Configuration\Administrative Templates\System, click Trusted Platform Module Services.
8. In the details pane, double-click Turn on TPM backup to Active Directory Domain Services.
9. Click Enabled.
   The Require TPM backup to AD DS check box is selected by default. When this option is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup succeeds.
To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows 7 or Windows Server 2008 R2
1. Log on to the computer with an account that has administrative credentials.
2. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER to open the Local Group Policy Editor.
3. In the console tree under Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.
4. In the details pane, double-click the drive type subfolder (Operating System Drive, Fixed Data Drive, or Removable Data Drive) for which you want to store recovery information in AD DS. Each drive type may have recovery information stored. The remainder of this procedure will use Fixed Data Drive as the example, but each drive type follows the same configuration steps and includes the same setting options.
5. In the details pane, double-click Choose how BitLocker-protected fixed drives can be recovered.
6. Click Enabled, and then configure the following settings as appropriate for your environment:
   - By default, Save BitLocker recovery information to Active Directory Domain Services is selected.
   - In Select BitLocker recovery information to store, select either Recovery passwords and key packages or Recovery passwords only. Key packages are used with the Repair-bde command-line tool to perform specialized recovery when the disk is damaged or corrupted. For more information, see the Repair-bde.exe Parameter Reference.
   - Select the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When this setting is selected, a recovery password is automatically generated.
7. Click OK to apply the policy settings and close the dialog box.
8. In the console tree under Computer Configuration\Administrative Templates\System, click Trusted Platform Module Services.
9. Double-click Turn on TPM backup to Active Directory Domain Services.
10. Click Enabled.
    The Require TPM backup to AD DS check box is selected by default. When this option is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup succeeds.
Testing your Active Directory configuration
By joining Windows 7-based client computers to the domain that you just configured and enabling BitLocker, you can test whether BitLocker and TPM recovery information is backed up to AD DS successfully.
All user interfaces and programming interfaces within BitLocker and TPM Management features will adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) will be automatically backed up to AD DS whenever this information is created and changed.
If you select the option to require backup, initializing the TPM or enabling BitLocker through any method is blocked until the backup succeeds. In that case, no one will be allowed to turn on BitLocker or initialize the TPM unless the domain controller is configured correctly, the client computer has network connectivity to the domain controller, and no other errors occur during the backup process.
Testing the backup with Windows 7
You should use a client computer running Windows 7 to test the backup process.
BitLocker recovery information is backed up when you:
- Create a recovery password during BitLocker setup, using the wizard available through the Control Panel.
- Create a recovery password after the disk has already been encrypted, using the Manage-bde.exe command-line tool.
TPM recovery information is backed up when you:
- Set the TPM owner password during TPM initialization.
- Change the TPM owner password.
Sample test scenario with Windows 7
This sample test scenario illustrates how to verify your Active Directory configuration by using Windows 7. It uses the BitLocker Deployment Sample Scripts that are available to download to assist in the test process.
Important
You should perform additional tests as required to verify that everything is working correctly in your environment; do not assume that this scenario will completely test all aspects of your configuration.
Test scenarios can also vary based on your organization's policies. For example, in organizations where users are the Creator Owner of computer objects that they join to the domain, it might be possible for these users to read the TPM owner information for their own computer objects.
To perform the sample test
1. Log on to a domain controller as a domain administrator.
2. Copy the sample script files to a location accessible by both the domain controller and the client computers.
3. Open a Command Prompt window, and change the default location to the location of the sample script files.
4. At the command prompt, type the following:
   cscript List-ACEs.vbs
   Expected result: Assuming that the default Add-TPMSelfWriteACE.vbs was used and other deprecated ACEs have been removed, there is only one ACE related to BitLocker and the TPM. The following is an example of the output:
   Accessing
   > AceFlags: 10
   > AceType: 5
   > Flags: 3
   > AccessMask: 32
   > ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
   > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
   > Trustee: NT AUTHORITY\SELF
   1 ACE(s) found in DC=nttest,DC=microsoft,DC=com related to BitLocker and TPM
5. Log on as a local administrator (non-domain administrator) to a Windows 7-based client computer that is a member of the domain.
6. Click Start, type tpm.msc in the Search programs and files box, and then press ENTER.
7. Click either the Initialize TPM or Change Owner Password link.
8. Set an owner password, and select the option to back up the information by printing or saving to a file as needed.
   Expected result: The action succeeds without an error message.
9. Using this same account, open an elevated Command Prompt window, and then change to the folder in which you have saved a copy of the sample scripts provided with this document.
   Note
   To open an elevated Command Prompt window, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
10. At the command prompt, type the following:
    cscript Get-TPMOwnerInfo.vbs
    Expected result: The error "Active Directory: The directory property cannot be found in the cache" appears. No information is displayed because a non-domain administrator should not be able to read the ms-TPM-OwnerInformation attribute.
    Note
    If users are the Creator Owner of computer objects that they join to the domain, it might be possible for these users to read the TPM owner information for their own computer objects.
11. Log on as a domain administrator on the same client computer.
12. Using this domain administrator account, open an elevated Command Prompt window, and change to the directory in which you have saved a copy of the sample scripts provided with this document.
13. At the command prompt, type the following:
    cscript Get-TPMOwnerInfo.vbs
    Expected result: A string that is the hash of the password you created earlier is displayed.
    As a domain administrator, you should have Read access to the ms-TPM-OwnerInformation attribute.
14. At the elevated command prompt, type the following to turn on BitLocker and create a recovery password:
    manage-bde -on C: -RecoveryPassword
    Expected result: The action succeeds without an error message.
15. After the drive has completed encryption, at the command prompt, type the following to back up the recovery password to AD DS, replacing recoveryGUID with the full recovery key identification GUID of the recovery password you are storing in AD DS:
    manage-bde -protectors -adbackup C: -id {recoveryGUID}
    Note
    The full recovery key identification GUID is printed when you print the BitLocker recovery key.
16. At the command prompt, type the following to read all BitLocker child objects of the client computer's Active Directory object:
    cscript Get-BitLockerRecoveryInfo.vbs
    Expected result: One or more recovery passwords is displayed, including the one created in the previous step.
    A non-domain administrator will not be able to read these passwords.
17. Delete any created BitLocker recovery child objects by using Active Directory tools such as the Active Directory Users and Computers snap-in. By default, client computers running Windows 7 do not have permissions to delete BitLocker recovery passwords.
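The following PowerShell script is an added example, not part of the guide, that performs step 15 through the BitLocker WMI provider the guide points to earlier (the BackupRecoveryInformationToActiveDirectory method of Win32_EncryptableVolume) instead of by copying the recovery GUID into manage-bde by hand: it enumerates every numerical (recovery) password protector on the drive with GetKeyProtectors, calls the backup method for each, and reports the result per protector. It assumes an elevated PowerShell prompt on the Windows 7 client, a BitLocker-protected volume at $DriveLetter (a parameter of this script), and Group Policy that permits AD DS backup; KeyProtectorType 3 is the provider's value for a numerical password.

```powershell
# Added example, not part of the deployment guide. Backs up every recovery password protector on a
# volume to AD DS through Win32_EncryptableVolume.BackupRecoveryInformationToActiveDirectory.
# Assumptions: elevated prompt; BitLocker-protected volume; policy allows AD DS backup.
param(
    [string] $DriveLetter = 'C:'
)

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No Win32_EncryptableVolume instance for $DriveLetter (BitLocker unavailable or prompt not elevated?)" }

# KeyProtectorType 3 = numerical password, i.e. the 48-digit recovery password.
$kp = $vol.GetKeyProtectors(3)
if ($kp.ReturnValue -ne 0) { throw ('GetKeyProtectors failed: 0x{0:X8}' -f $kp.ReturnValue) }
if (-not $kp.VolumeKeyProtectorID) {
    throw "No recovery password protector on $DriveLetter; add one first (manage-bde -protectors -add $DriveLetter -RecoveryPassword)"
}

foreach ($id in $kp.VolumeKeyProtectorID) {
    # $id already has the form {063EA4E1-220C-4293-BA01-4754620A96E7}, braces included,
    # which is also what manage-bde -protectors -adbackup expects after -id.
    $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
    $status = if ($r.ReturnValue -eq 0) { 'backed up to AD DS' } else { ('FAILED, HRESULT 0x{0:X8}' -f $r.ReturnValue) }
    "{0} protector {1}: {2}" -f $DriveLetter, $id, $status
}
```

After it reports success, step 16 (cscript Get-BitLockerRecoveryInfo.vbs) should list each protector ID printed here as a recovery object under the computer. A non-zero HRESULT with no network path to a domain controller, or with the policy's backup option disabled, is the same condition that makes the manual manage-bde -adbackup call fail, so the script is also a quick way to test the "require backup" behaviour described under Testing your Active Directory configuration.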
Troubleshooting common problems with AD DS backup
The following section discusses some potential problems and their solutions.
Access permission problems
If you are able to read backed up BitLocker and TPM recovery information by using a non-domain administrator account, check that you are running supported installations of Windows Server on all the domain controllers in your network.
Important
Domain controllers must be running Windows Server 2003 SP1 or SP2 to support backing up BitLocker and TPM recovery information.
Script errors
You might receive an error message when you run a script. The following sections explain the causes of and solutions for the most frequent script errors.
Get-TPMOwnerInfo.vbs
When running Get-TPMOwnerInfo.vbs, if an error appears stating "Active Directory: The directory property cannot be found in the cache," it means that you are logged on with an account that does not have permission to read the TPM owner information attribute object in AD DS.
General
If an error appears stating "The specified domain either does not exist or could not be contacted," ensure that the computer is joined to the domain and that network connectivity is available.
If an error appears stating "There is no such object on the server," check that any computer specified by name on the command line is currently connected to the network.
If an error is accompanied by the line number in which the error occurred, consult the script source code to assist in troubleshooting the issue.
Community Additions
Here's a little script I wrote
set backupID=FOO
REM Valid protector types: RecoveryPassword, ExternalKey, Certificate, TPM, TPMAndStartupKey, TPMAndPIN, TPMAndPINAndStartupKey, Password, Identity.
for /f "tokens=2 delims=: " %g IN ('manage-bde -protectors -get C: -type RecoveryPassword ^| find ^"ID:^"') DO @echo %g & set backupID=%g
if /I NOT %backupID%==FOO manage-bde -protectors -adbackup c: -id %backupID%
Just remember to change %g to %%g when putting it into a script.
Bill_the_pony
9/28/2016
Manage-bde -protectors -adbackup volume -id recovery-password-ID
Running this command with the squiggly brackets is required.
manage-bde -protectors -adbackup c: -id {5E98567D-7A3E-43C5-BBAB-8B6CE48850CG}
saLa
1/1/2013
Operating system partition recovery information backup
It should probably be noted that allowing backup of recovery information for fixed disks does not include operating system partitions. To enable backup of recovery information for these there is a separate group policy setting that needs changing.
saLa
1/1/2013
Manage-bde -protectors -adbackup volume -id recovery-password-ID
The manage-bde -protectors -adbackup volume -id doesn't work as illustrated above. It will work however if you put {} brackets around the ID for the recovery password ID. (e.g.)
manage-bde -protectors -adbackup f: -id {5E98567D-7A3E-43C5-BBAB-8B6CE48850CG}
saLa
1/1/2013
Skip a step: 15- back up the recovery password to AD DS
Not needed once you have enabled AD policies to back up Bitlocker recovery password.
Why back up the password manually when AD does it for you? Once you run the script on step 16, it will show the password
saLa
1/1/2013