BitLocker To Go backing recovery key into AD

  • Question

  • Hi

    I have implemented BitLocker To Go at our company through GPO and recovery keys are backed up into AD DS to the computer object. I am now looking for a way to migrate these recovery keys to another computer object as we are currently refreshing our workstations.

    I have been trying to write a PowerShell script to backup the recovery key into AD when the removable drive is connected and unlocked on the new computer. You can retrieve the ID of the removable drive by the below cmdlet.

    manage-bde -protectors F: -get

    I am then trying to backup the recovery key using the below cmdlet.

    manage-bde -protectors -adbackup F: -id {<id>}

    This returns an error.

    ERROR: Parameter "-ID" requires an argument.

    Any ideas? Does this cmdlet only work for internal disks? Is there a better approach to migrate recovery keys to a new computer?

    Thanks!


    Friday, November 18, 2016 1:39 PM

Answers

  • Please explain why it shows "{*}" - did you exchange your ID for "*"?

    You don't need to require an RP through GPO. As long as you enforce the backup to AD, a recovery key will be created anyway and that is what we do. I tested it, I can exchange my recovery key using the 2 commands anytime.

    "The second cmdlet does work but I need to rework it to do that for all attached drives" - sure, you'll have to pay for it someday. You could do it scripted. Assign a GPO to all win2Go OSes that use a startup script or scheduled task - as simple as that.

    "Preferably there would have been a way..." sure, but there isn't. We cannot migrate keys from one AD object to the next.

    Friday, November 18, 2016 4:52 PM

All replies

  • Glenn, why migrate?

    When you encrypt a new workstation, new keys get generated - no way around. You cannot reuse old keys.

    If however you have a hard drive with c: and d: on a computer named "example", and you format just c: to reinstall Windows and keep d: AND name the computer "example" again and join it to the same domain, the computer object will retain its key for d: - the key for c: is kept, too, but useless, since c: has been formatted. A new key for c: will be backed up to AD as soon as you encrypt, however.

    I hope this was understandable. NO need for action UNLESS you reinstall AND call it a different name AND keep non-OS partitions alive. In that case, I would remove the recovery key of d:

    manage-bde -protectors -delete d: -type recoverykey

    and add one again:

    manage-bde -protectors -add d: -rp


    Friday, November 18, 2016 2:48 PM
  • Hi Ronald

    Thanks for your answer but please note that I was talking about BitLocker To Go.

    Our users are required to encrypt removable storage devices before writing data to them; during the encryption process the recovery key is written to the computer object in AD.

    We are currently refreshing our workstations and we do not use the same name for their new workstation. Therefore the recovery keys need to be transferred from their old workstations' AD object to their new workstations' AD object.


    Friday, November 18, 2016 3:19 PM
  • Ok.

    We also use Bl2Go. BL2Go is an installation of its own, it does not depend on a host system. So the keys for BL2Go should be created and saved to AD when the BL2Go drive is started and encrypted, not while it's connected to the machine that sets it up.

    Friday, November 18, 2016 3:24 PM
  • Hi Ronald

    The recovery key for removable storage devices is indeed backed up into the computer object in AD where the encryption process was started.

    Now that computer object will be deleted when the user receives a new workstation with a different name, but the user will still need the recovery keys that were written to the computer object in AD of his old computer. That recovery key needs to be transferred to the computer object in AD of his new computer.

    Users will not be encrypting their removable storage devices again on the new workstation.

    Friday, November 18, 2016 3:58 PM
  • I see. Proceed like this: boot the win2go, execute the two commands from above, that's all.

    manage-bde -protectors -delete c: -type recoverypassword

    manage-bde -protectors -add c: -rp

    (please note that I corrected a typo: it needs to be -type recoverypassword, not recoverykey).

    That's all, your new Recovery key gets generated and saved to AD.


    Friday, November 18, 2016 4:05 PM
  • Hi Ronald

    I cannot delete a protector as it is required by GPO.

    Key protector with ID "{*}" deleted.
    ERROR: An error occurred while deleting the key protector.
    Group Policy settings require the creation of a recovery password.

    The second cmdlet does work but I need to rework it to do that for all attached drives. Preferably there would have been a way to do this without having to connect the devices and unlocking them and I could just migrate the keys from one computer object to another.

    Friday, November 18, 2016 4:24 PM
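Editor's note, with an added example that is not from any poster in this thread: the scripted approach the accepted answer suggests can be done without deleting the GPO-required protector at all. `Backup-BitLockerKeyProtector` (BitLocker PowerShell module, Windows 8 / Server 2012 and later) re-sends an existing recovery password protector to AD DS, and the msFVE-RecoveryInformation object lands under the computer object of the machine that runs the command, which is exactly the behaviour the thread relies on. The script below enumerates the removable volumes that are currently attached and unlocked, adds a recovery password protector only where none exists, and backs every recovery password up to AD. It assumes administrator rights, a domain-joined host, and the removable-drive GPO ("Choose how BitLocker-protected removable drives can be recovered") with AD DS backup enabled; the function name is my own. One caveat on the original question: in PowerShell an unquoted `{...}` argument is parsed as a script block, so with `manage-bde` the ID must be quoted, e.g. `-id "{<id>}"`; the cmdlet form used below avoids that problem.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

# Added example (editor's own, not from the thread). Assumptions: the BitLocker
# PowerShell module is present, the host is domain-joined and the removable-drive
# recovery GPO allows AD DS backup. The function name is hypothetical.
function Backup-RemovableRecoveryPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Only removable volumes that have a drive letter can be addressed by BitLocker.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.VolumeStatus -eq 'FullyDecrypted') {
            Write-Verbose "$mount is not BitLocker-protected, skipping"
            continue
        }
        # The protector metadata is only readable once the volume is unlocked.
        if ($bl.LockStatus -ne 'Unlocked') {
            Write-Warning "$mount is locked; unlock it first, then rerun"
            continue
        }

        $rps = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rps) {
            # No recovery password yet: add one instead of deleting anything, so a
            # GPO that mandates an RP never gets in the way.
            if ($PSCmdlet.ShouldProcess($mount, 'Add recovery password protector')) {
                Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
                $rps = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
                       Where-Object KeyProtectorType -eq 'RecoveryPassword'
            }
        }

        foreach ($rp in $rps) {
            if (-not $PSCmdlet.ShouldProcess($mount, "Back up protector $($rp.KeyProtectorId) to AD DS")) { continue }
            try {
                # Equivalent to: manage-bde -protectors -adbackup <drive> -id "<protector id>"
                Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId | Out-Null
                Write-Host "Backed up $($rp.KeyProtectorId) for $mount to AD DS"
            } catch {
                Write-Warning "Backup of $($rp.KeyProtectorId) for $mount failed: $_"
            }
        }
    }
}

Backup-RemovableRecoveryPasswords -Verbose
```

Run it from a scheduled task or logon script on the new workstation while the user has the drive plugged in and unlocked; `-WhatIf` shows what would be backed up without touching anything. To confirm the result, check for msFVE-RecoveryInformation child objects under the new computer object, for example with `Get-ADObject -SearchBase (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -Filter 'objectClass -eq "msFVE-RecoveryInformation"'` from the ActiveDirectory module, and only decommission the old computer object once the new one carries the passwords.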