Bitlocker Keys

    Question

  • I have set up an MDT for my organisation.

    I am trying to upload my BitLocker recovery keys to AD, but no matter what I do it seems to put these on the USB stick I am using to deploy the build.

    If I rem out the BitLocker instructions in my CustomSettings I can BitLocker the device manually and it saves the key to AD. I have BitLocker enabled within my task sequence and this is set to AD.

    I am happy to provide any screen shots of Task sequences or custom settings files if required.

    ANY assistance in this matter would be gratefully received - Thanks

    Tuesday, December 4, 2018 5:54 PM

All replies

  • Why not set up a script to run at the end of the task sequence that uses the manage-bde commands to enable BitLocker? It will save to AD, and you can specify a network location to make a copy of the keys in case someone deletes the AD object.
    Thursday, December 6, 2018 5:26 PM
  • Hi

    Thanks a lot for your reply. Sorry to sound like a total newbie (which I am), but could you give me a little more detail?

    Thanks again

    Thursday, December 6, 2018 7:19 PM
  • I think it was a bit easier when you could use cmd files, but now you have to use PowerShell to enable and manage the TPM on Windows computers. So you can look up manage-bde with PowerShell. I would make sure you clear the TPM before imaging, or you can do a lot of error checking in the scripts to see if the TPM is enabled or owned already and clear it with code.

    First you need to check the status of the TPM:

    $TPM = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm" -ComputerName $ComputerName

    If you don't know whether the TPM is enabled or not, you can check it with

    $TPM.IsEnabled()

    and then enable it with

    $TPM.Enable()


    You can then use the following commands to take ownership:

        $TPMPassword = $TPM.ConvertToOwnerAuth($TPM_Password).OwnerAuth
        $TPM.TakeOwnerShip($TPMPassword)

    You can then call the manage-bde command and copy the output to a text file if you wish:

    manage-bde -on C: -s -recoverypassword -tpmandpin $BitLockerPIN -encryptionmethod xts_aes256 -ComputerName $ComputerName > "$PasswordSaveLocation"

    Here is the complete script. I wrote it for something other than MDT and tried to strip it down for this, so it may not work as is and may need some tweaking.

    param(
        [string] $ComputerName,
        [string] $TPM_Password,
        [string] $BitLockerPIN,
        [string] $FileSaveLocation
    )

    # No computer name specified. Cannot continue (non-zero exit so the caller sees the failure).
    if ([string]::IsNullOrEmpty($ComputerName)) {
        Exit 1
    }
    $PasswordSaveLocation = $FileSaveLocation + '\BitLocker_Recovery_Key_' + $ComputerName + '.txt'

    # Get-WmiObject errors are non-terminating by default; -ErrorAction Stop makes them reach the Catch block.
    Try {
        $TPM = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm" -ComputerName $ComputerName -ErrorAction Stop
    } Catch {
        # Could not query the TPM (no TPM, WMI not reachable, or insufficient rights)
        Exit 1
    }

    # The Win32_Tpm methods return an object carrying ReturnValue plus a named out parameter,
    # so the result has to be unwrapped; testing the returned object itself is always true.
    if ($TPM.IsEnabled().IsEnabled) {
        # TPM is already enabled
    } else {
        # TPM is not currently enabled. Enabling TPM (may require physical presence confirmation at the next boot)
        Try {
            $TPM.Enable() | Out-Null
            $TPM = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm" -ComputerName $ComputerName -ErrorAction Stop
        } Catch {
            # Error enabling TPM. Script cannot continue
            Exit 1
        }
    }

    if ($TPM.IsOwned().IsOwned) {
        # TPM is already owned
    } else {
        # Setting owner password on TPM: derive the owner auth blob from the supplied password, then take ownership
        $TPMPassword = $TPM.ConvertToOwnerAuth($TPM_Password).OwnerAuth
        $TPM.TakeOwnership($TPMPassword) | Out-Null
    }

    # Enabling BitLocker encryption. manage-bde prints the generated recovery password, which is
    # redirected into the text file. manage-bde is a native command and does not throw on failure,
    # so a Try/Catch would never fire; check $LASTEXITCODE instead.
    manage-bde -on C: -s -recoverypassword -tpmandpin $BitLockerPIN -encryptionmethod xts_aes256 -ComputerName $ComputerName > "$PasswordSaveLocation"
    if ($LASTEXITCODE -ne 0) {
        # Error enabling BitLocker encryption
        Exit $LASTEXITCODE
    }
    Exit 0

    Friday, December 7, 2018 2:51 PM
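Pulling the two replies together (run a script at the end of the task sequence, escrow the recovery password to AD, keep a copy on a network location), here is an added example that is not code from this thread or from MDT. It uses the BitLocker and TrustedPlatformModule PowerShell modules (Windows 10 / Server 2016 and later) in place of manage-bde and the Win32_Tpm WMI class, calls Backup-BitLockerKeyProtector so the escrow does not depend on the AD DS backup policy having been applied while the build is still running, and verifies the escrow when the ActiveDirectory module is available. The share \\fileserver\BitLockerKeys$, the PIN parameter, and the verification step are assumptions for illustration.

```powershell
<#
  Added example, not code from this thread or from MDT. Enables BitLocker on the
  OS drive at the end of a task sequence, escrows the recovery password to AD DS
  explicitly, checks the escrow, and keeps a copy on a share.
  Assumptions (none come from the thread): Windows 10 / Server 2016 or later with
  the BitLocker and TrustedPlatformModule modules; a domain-joined machine whose AD
  schema has the BitLocker recovery attributes; the hypothetical share
  \\fileserver\BitLockerKeys$; the PIN supplied as a parameter (e.g. from a
  task-sequence variable); the AD verification, which needs the ActiveDirectory
  module and read access to the msFVE-RecoveryInformation objects.
#>
param(
    [Parameter(Mandatory)] [string] $Pin,
    [string] $MountPoint  = 'C:',
    [string] $BackupShare = '\\fileserver\BitLockerKeys$'   # hypothetical UNC path
)

$ErrorActionPreference = 'Stop'   # cmdlet errors become terminating so the catch at the bottom sees them

function Assert-TpmReady {
    # A TPM protector cannot be added to a TPM that is not provisioned.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw "No TPM on $env:COMPUTERNAME; cannot add a TPM protector" }
    if (-not $tpm.TpmReady)   { Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null }
}

function Enable-OsDriveBitLocker {
    param([string] $MountPoint, [securestring] $SecurePin)
    if ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'FullyDecrypted') {
        # TPM+PIN protector for boot, XTS-AES-256; used-space-only keeps the build fast
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -TpmAndPinProtector -Pin $SecurePin -SkipHardwareTest | Out-Null
    }
    # The recovery password protector is what AD stores; add one only if none exists yet
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    return $rp
}

function Backup-RecoveryPasswordToAd {
    param([string] $MountPoint, $Protectors)
    # Explicit escrow per protector; it does not depend on the "Store BitLocker recovery
    # information in AD DS" policy already being applied while the build is running.
    foreach ($p in $Protectors) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

function Test-AdEscrow {
    param($Protectors)
    # Returns $true/$false, or $null when the ActiveDirectory module is not on the build.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    $dn    = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    # msFVE-RecoveryInformation objects are children of the computer object and their CN
    # ends with the protector GUID in braces, e.g. "2018-12-04T17:54:00-00:00{GUID}"
    $names = (Get-ADObject -SearchBase $dn -SearchScope OneLevel `
                  -Filter 'objectClass -eq "msFVE-RecoveryInformation"').Name
    foreach ($p in $Protectors) {
        if (-not ($names | Where-Object { $_ -like "*$($p.KeyProtectorId)" })) { return $false }
    }
    return $true
}

function Save-RecoveryPasswordCopy {
    param([string] $BackupShare, $Protectors)
    # This file is the recovery key: it belongs on a share with tight ACLs, never on the deployment USB
    $file  = Join-Path -Path $BackupShare -ChildPath "$env:COMPUTERNAME.csv"
    $lines = foreach ($p in $Protectors) {
        '{0},{1},{2},{3}' -f $env:COMPUTERNAME, (Get-Date -Format s), $p.KeyProtectorId, $p.RecoveryPassword
    }
    Set-Content -Path $file -Value $lines -Encoding ASCII
    return $file
}

try {
    Assert-TpmReady
    $securePin  = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    $protectors = Enable-OsDriveBitLocker -MountPoint $MountPoint -SecurePin $securePin
    Backup-RecoveryPasswordToAd -MountPoint $MountPoint -Protectors $protectors
    $verified = Test-AdEscrow -Protectors $protectors
    if ($verified -eq $false) { throw 'Recovery password not found under the computer object in AD DS' }
    $copy  = Save-RecoveryPasswordCopy -BackupShare $BackupShare -Protectors $protectors
    $state = if ($null -eq $verified) { 'not verified (no AD module)' } else { 'verified' }
    Write-Output "BitLocker enabled on $MountPoint; AD escrow $state; copy written to $copy"
    exit 0
} catch {
    # A non-zero exit code makes the MDT "Run PowerShell Script" step report failure instead of continuing
    Write-Error -Message "$_" -ErrorAction Continue
    exit 1
}
```

Run it as the last step of the task sequence, passing the PIN from whichever task-sequence variable you use for it. The copy on the share has the same sensitivity as the recovery password itself: restrict the share and NTFS ACLs to the people who handle recoveries, and consider deleting the copies once the AD escrow has been confirmed, since the whole point of the question is that recovery keys should not end up on removable deployment media.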