Friday, February 10, 2012 10:18 PM
I need to be able to save/export the Bitlocker Recovery keys from Server Core 2008 R2 to a network share.
The problem I have is that we cannot save it to AD as we would prefer to do and we would like to export the Bitlocker Recovery Keys to a network share.
I deployed the OS using MDT using the following entries into customsettings.ini (from the Bitlocker reference section on Technet).
Everything appears to have worked as expected apart from the fact I have no recovery key in my network share and I have no idea what my recovery password is!
I have been looking at manage-bde -protectors ...this may be what I need so I can add? recovery key/password but would this be in addition to what is already there or instead of?
Any suggestsions - I am confused!
Saturday, February 11, 2012 5:30 PM
I chose not to save a recovery key at the BDEWelcome Screen - does that mean it hasnt created a recovery key or a recovery password?
Here is my manage-bde -status
Bitlocker drive encryption:
Volume C: [osdisk]
size : 231gb
Bitlocker version: Windows 7
Conversion status: Fully encrypted
Percentage encrypted: 100%
Encryption Method: AES 128 with diffuser
Protection Status: Protection on
Lock status: Unlocked
Identification Field: None
Key Protectors: TPM
Will I be better off decrypting the host and encrypting it again from the command line saving recovery key to USB?
- Edited by Andrew_ Sunday, February 12, 2012 11:48 AM
Sunday, February 12, 2012 9:45 PMConfusion over!
I used manage-bde -protectors -get to view what was currently in use - which confirmed it was just TPM by itself.
I then used -manage-bde -protectors -add -rk c: \\networkdrive\share (remember to show operating system files not just hidden files!).
Basically I will strip out some of the commands from my customsettings.ini
A lot of the information online appears to be out of date (a lot of it referring to using bitlocker.wsf) and even some of the error messages in core refer you to use tpm.msc in core which obviously doesn't work!
The websites I found most useful apart from manage-bde -? etc (remember to use it at each level) were:
My understanding of BitLocker from the command line is now much better than it was 48hrs ago!
- Marked As Answer by Andrew_ Sunday, February 12, 2012 9:45 PM