Still seeking difference between BitLocker recovery password... and key

  • Question

  • If I manually run BitLocker on a PC on the domain, a recovery password gets written to AD in the properties of that PC.

    If I run BL through MDT, the same: a recovery password is written to AD.
    However, through MDT I see a text file get written to C: which contains the "key". Looking at the data, it is exactly the same as the recovery "password" in AD.

    My question is, how do I NOT save a local copy of that key/password? Right now I have a final step in all of my TSs, which is

    cmd /c del C:*.txt

    that deletes the text file containing the key. What's the proper way to deal with this?

    Monday, September 9, 2019 3:06 PM
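The step the question describes (a blind `cmd /c del C:*.txt` at the end of the task sequence) removes the local copy without first proving that the recovery password actually reached AD, and it also deletes any unrelated .txt file. The script below is an added example, not code from the original thread or from MDT: it re-runs the AD DS backup for every RecoveryPassword protector on the OS volume (the same escrow the poster sees in the PC's BitLocker tab), stops on failure, and only then removes local text files that really contain a 48-digit recovery password. The `$SweepPath` default of `C:\` and the `-Verbose` messages are assumptions; point it at whatever folder your BDEKeyLocation resolves to. It needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and administrative rights, for example as a "Run PowerShell Script" task sequence step.

```powershell
# Added example (not from the original thread or from MDT): escrow the OS
# volume's recovery password to AD DS and only then remove any local copy
# left on disk. Assumes a domain-joined client with the BitLocker module,
# run elevated. $SweepPath is an assumption taken from the question (the key
# file was seen on C:); adjust it to your BDEKeyLocation.

[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [string]$SweepPath  = 'C:\'
)

$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $rp) {
    throw "No RecoveryPassword protector on $MountPoint; nothing to escrow, local files left untouched."
}

# Back up every recovery password protector to AD DS. The cmdlet throws if
# the machine is not domain-joined or the write to the computer object fails,
# which aborts the script before anything local is deleted.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Verbose "Escrowed protector $($p.KeyProtectorId) to AD DS."
}

# Now remove only local .txt files that contain a recovery password
# (8 groups of 6 digits, hyphen separated). Matching on content rather than
# deleting every .txt avoids collateral damage; the file is overwritten with
# zeros before removal as a belt-and-braces measure.
$pattern = '\b\d{6}(?:-\d{6}){7}\b'
Get-ChildItem -Path $SweepPath -Filter '*.txt' -File -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern $pattern -Quiet } |
    ForEach-Object {
        [IO.File]::WriteAllBytes($_.FullName, (New-Object byte[] ($_.Length)))
        Remove-Item -LiteralPath $_.FullName -Force
        Write-Verbose "Removed local recovery key file $($_.FullName)."
    }
```

Run it as `.\Cleanup-BdeKey.ps1 -Verbose` (hypothetical file name) after the Enable BitLocker step. The ordering is the point: the script will not delete a local copy unless the AD escrow call has just succeeded, so a machine whose backup failed (no domain connectivity, missing schema rights) keeps its recovery password somewhere recoverable instead of losing it.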

All replies

  • Hello,

    Please check this reference link; it describes how you can control the BitLocker recovery key.

    Tuesday, September 10, 2019 3:44 PM
  • Why would I want to save a key anywhere but AD? Without using MDT and just manually running encryption, I get a recovery password in the BitLocker tab of the PC in AD. That's all we need. We aren't even aware of another key stored at any other location; all we have is AD.

    So is there a way to prevent the 'key' creation and keep just the 'password' creation?

    I saw that article and tried BDEKeyLocation=%SystemDrive%\minint and it failed because it couldn't find that location.

    Tuesday, September 10, 2019 4:56 PM