TPM 2.0 Windows Enterprise LTSC 1809 no way to get recovery key

  • Question

  • Hello-

    TPM is enabled, version 2.0, and all the options in the BIOS are enabled. I cannot encrypt my drive with the Manage BitLocker GUI; it throws an error "bitlocker cannot be started". I started the BitLocker service that was stopped, made it automatic, and rebooted, but I still get the same error. I can encrypt the drive from the command line and that works. However, there is no way to retrieve a recovery key. The GUI doesn't have a print or get recovery key option, and when I do

    manage-bde -protectors c: -get, there is no password.

    Using a standalone Windows 10 Enterprise LTSC build 1809, not in a domain. Freshly imaged, fully patched.

    I have no clue where to go from here.

    Please help.

    Friday, May 3, 2019 1:47 PM

Answers

  • On domains, the admin should use the GPO which does not let users encrypt if recovery key creation and saving to AD fails. Just for your information.

    --

    Now, you should use the command line to create a recovery key:

    manage-bde -protectors -add c: -rp

    then backup the key to ad using

    for /f "tokens=1,2" %a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %b

    Friday, May 3, 2019 3:21 PM
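    The two manage-bde steps above, as an added PowerShell example that is not from this thread: it makes sure a numerical recovery password protector exists on the OS volume, then backs it up to AD DS when the machine is domain-joined, or writes it to a file on a standalone machine like the one in the question. It assumes an elevated session, the built-in BitLocker module, a volume that is already being encrypted, and an export path on removable media (E:\BitLockerRecovery is a placeholder).

```powershell
# Added example, not the thread's own commands. Equivalent to:
#   manage-bde -protectors -add c: -rp
#   manage-bde -protectors -adbackup c: -id <ID>   (domain-joined only)
function Ensure-BitLockerRecoveryKey {
    param(
        [string]$MountPoint = 'C:',
        # Assumed path: use removable media, never the volume being encrypted.
        [string]$ExportPath = 'E:\BitLockerRecovery'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Only add a recovery password if the volume does not have one yet;
    # adding another each run would leave several valid 48-digit keys.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    foreach ($p in $rp) {
        if ($domainJoined) {
            # Escrow the protector in AD DS (what the for /f loop above does).
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        } else {
            # Standalone machine: store the key off the encrypted volume,
            # in the same layout the GUI's "Save to a file" option produces.
            New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
            $id   = $p.KeyProtectorId.Trim('{', '}')
            $file = Join-Path $ExportPath "BitLocker Recovery Key $id.txt"
            @(
                'BitLocker Drive Encryption recovery key',
                "Volume:       $MountPoint",
                "Identifier:   $($p.KeyProtectorId)",
                "Recovery Key: $($p.RecoveryPassword)"
            ) | Set-Content -Path $file -Encoding UTF8
        }
    }

    # Return identifier/password pairs so the caller can verify the key exists.
    $rp | Select-Object KeyProtectorId, RecoveryPassword
}

Ensure-BitLockerRecoveryKey -MountPoint 'C:'
```

    After running it, manage-bde -protectors -get C: should list a Numerical Password protector with the same identifier as the exported file.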

All replies

  • I will try thank you. For stand alone machines is it correct to say that the only way to manage bitlocker is via command line?

    Friday, May 3, 2019 3:27 PM
  • Standalone machines can be managed with local GPOs, but people rarely do that; instead they do things manually.

    The local group policy editor is gpedit.msc

    You would not need commands, no - the user interface lets you create recovery keys by default. I have no idea what caused your error.

    Sunday, May 5, 2019 11:38 AM