Export BitLocker Recovery key using Server core 2008 R2 and Manage-bde

    Question

  • Hello,

    I need to be able to save/export the Bitlocker Recovery keys from Server Core 2008 R2 to a network share.

    The problem I have is that we cannot save it to AD as we would prefer to do and we would like to export the Bitlocker Recovery Keys to a network share.

    I deployed the OS using MDT using the following entries into customsettings.ini (from the Bitlocker reference section on Technet).

    SkipBitlocker=NO

    BDEDriveLetter=S:

    BDEDriveSize= 300

    BDEInstall=TPM

    BDERecoveryKey=TRUE

    BDERecoveryPassword=TRUE

    BDERequired=YES

    BDEKeyLocation=\\servername\share$

    Everything appears to have worked as expected apart from the fact I have no recovery key in my network share and I have no idea what my recovery password is!

    I have been looking at manage-bde -protectors ... this may be what I need so I can add? recovery key/password but would this be in addition to what is already there or instead of?

    Any suggestions - I am confused!

    thanks

    Andy

    Friday, February 10, 2012 10:18 PM

Answers

  • Confusion over!

    I used manage-bde -protectors -get to view what was currently in use - which confirmed it was just TPM by itself.

    I then used manage-bde -protectors -add -rk c: \\networkdrive\share (remember to show operating system files not just hidden files!).

    Basically I will strip out some of the commands from my customsettings.ini

    A lot of the information online appears to be out of date (a lot of it referring to using bitlocker.wsf) and even some of the error messages in core refer you to use tpm.msc in core which obviously doesn't work!

    The websites I found most useful apart from manage-bde -? etc (remember to use it at each level) were:

    http://technet.microsoft.com/en-us/library/cc732725(WS.10).aspx

    http://www.itechiez.com/sccm-2007/enable-bitlocker-on-ts/

    http://lorgor.blogspot.com/2009/11/of-bitlocker-and-tpms.html

    My understanding of BitLocker from the command line is now much better than it was 48hrs ago!
    • Marked as answer by Andrew_ Sunday, February 12, 2012 9:45 PM
    Sunday, February 12, 2012 9:45 PM
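    Putting the steps from this answer together, as an added batch script for Server Core that is not part of the original thread: it lists the current protectors, adds both an external recovery key (the .BEK file on the share) and a 48-digit numerical recovery password, and records the resulting protector list per computer on the same share. The share path \\servername\share$ and the log file name are assumed placeholders; the share should be writable by the deploying account and readable only by the administrators who perform recoveries.

```batch
@echo off
REM Added example (not from the original thread): export BitLocker recovery
REM material for the OS volume from Server Core 2008 R2 with manage-bde.
REM Assumed placeholders: \\servername\share$ and the per-computer log name.
setlocal
set VOLUME=C:
set KEYSHARE=\\servername\share$
set LOGFILE=%KEYSHARE%\%COMPUTERNAME%-bitlocker-recovery.txt

REM 1. Confirm the volume is encrypted and list the protectors that exist today.
REM    The poster saw only "TPM", i.e. no recovery key or password had been created.
manage-bde -status %VOLUME%
manage-bde -protectors -get %VOLUME%

REM 2. Add an external recovery key. manage-bde writes a <GUID>.BEK file into the
REM    target folder with hidden+system attributes, so a plain "dir" will not list
REM    it; that is the "show operating system files" remark in the answer.
manage-bde -protectors -add %VOLUME% -rk %KEYSHARE%
if errorlevel 1 goto :fail

REM 3. Also add a numerical recovery password: it needs no removable media and is
REM    what the BitLocker recovery console asks for at boot.
manage-bde -protectors -add %VOLUME% -rp
if errorlevel 1 goto :fail

REM 4. Record the full protector list (numerical password plus the protector IDs
REM    needed later for -protectors -delete or -adbackup) in a per-computer file.
echo ==== %COMPUTERNAME% %DATE% %TIME% ==== >> "%LOGFILE%"
manage-bde -protectors -get %VOLUME% >> "%LOGFILE%"

REM 5. Verify the key file really landed on the share before relying on it
REM    (dir /a includes hidden and system files).
dir /a "%KEYSHARE%\*.BEK"
echo Done. Recovery material for %VOLUME% is in %KEYSHARE%.
endlocal
exit /b 0

:fail
echo manage-bde failed; check the share path and write permissions. 1>&2
endlocal
exit /b 1
```

    Because the numerical password in the log file unlocks the disk on its own, lock the share's NTFS and share permissions down to the recovery administrators and audit access to it.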

All replies

  • I chose not to save a recovery key at the BDEWelcome Screen - does that mean it hasn't created a recovery key or a recovery password?

    Here is my manage-bde -status

    Bitlocker drive encryption:

    Volume C: [osdisk]

    [os volume]

    size : 231gb

    Bitlocker version: Windows 7

    Conversion status: Fully encrypted

    Percentage encrypted: 100%

    Encryption Method: AES 128 with diffuser

    Protection Status: Protection on

    Lock status: Unlocked

    Identification Field: None

    Key Protectors: TPM

    Will I be better off decrypting the host and encrypting it again from the command line saving recovery key to USB?


    • Edited by Andrew_ Sunday, February 12, 2012 11:48 AM
    Saturday, February 11, 2012 5:30 PM