BitLocker Recovery/MDT 2013 store in AD Windows 8.1 Issues!

  • Question

  • I am building Win8.1 Enterprise with MDT 2013 and am attempting to store the recovery information as a child object of the host laptop object in a WS2008 R2 AD DS environment.

    I have told the machine via GPO to store the recovery key in AD and have verified this policy was applied to the new machine. When I open the Manage BitLocker GUI, it lets me type in an 8-20 character PIN but doesn't show the screen that asks where to store the key (USB, locally, store in Active Directory, etc.).

    I enter a PIN and reboot the machine. Then, in order to get the recovery key stored as a child object of "LAPTOP-TEST" (the machine host name), I have to open an elevated command prompt and run:

    manage-bde.exe -protectors -get c: which spits out the numerical ID

    then

    manage-bde.exe -protectors -adbackup c: -id {IDHERE} which successfully adds the recovery information to the object in AD.

    Is there a way to tell the BitLocker setup that I am going to store the recovery key in AD before the encryption process has started? Additionally, this PowerShell script seems like it should do the steps above automatically, but it closes the shell window before I can read whether it executed correctly.

    Option Explicit

    Dim oShell, Result, TPM, strLine
    Dim Flag, NumericalKeyID
    Dim strManageBDE, strManageBDE2, Backup

    Set oShell = CreateObject("WScript.Shell")

    '====================================================================================
    'This section looks for the Bitlocker Key Numerical ID

    strManageBDE = "Manage-BDE.exe -protectors -get c:" 'Bitlocker command to gather the ID
    Flag = False
    NumericalKeyID = ""

    Set Result = oShell.Exec(strManageBDE) 'Runs the command and captures the results in Result
    Set TPM = Result.StdOut 'Sets the variable TPM to the output of the strManageBDE command

    While Not TPM.AtEndOfStream
        strLine = TPM.ReadLine 'Sets strLine
        If InStr(strLine, "Numerical Password:") Then 'This section looks for the Numerical Password
            Flag = True
        End If
        If Flag = True Then
            If InStr(strLine, "ID:") Then 'This section looks for the ID
                NumericalKeyID = Trim(strLine) 'This section trims the empty spaces from the ID {} line
                NumericalKeyID = Right(NumericalKeyID, Len(NumericalKeyID) - 4) 'Strips the leading "ID: "
                Flag = False 'Stops the other lines from being collected
            End If
        End If
    Wend

    If NumericalKeyID = "" Then 'Nothing to back up: stop with a readable message instead of a silent failure
        WScript.Echo "No Numerical Password protector found on C: - nothing to back up."
        WScript.Quit 1
    End If

    '====================================================================================
    'This section moves the numerical ID to AD and keeps the result readable

    strManageBDE2 = "Manage-BDE.exe -protectors -adbackup C: -ID " & NumericalKeyID
    Set Backup = oShell.Exec(strManageBDE2) 'Exec (not Run) so the output can be read back
    Do While Backup.Status = 0 'Wait for manage-bde to finish
        WScript.Sleep 100
    Loop
    WScript.Echo Backup.StdOut.ReadAll 'Shows what manage-bde reported instead of closing silently
    WScript.Echo Backup.StdErr.ReadAll
    WScript.Echo "manage-bde exit code: " & Backup.ExitCode
    WScript.Quit Backup.ExitCode 'Non-zero means the AD backup did not succeed


    I checked the local machine's registry - all registry DWORDs are set to the value "1" needed for storing the recovery key in AD.

    As of now, I don't want to have to manually run these commands on each machine after deploying a windows 8.1 build.

    Here is my CustomSettings.ini:

    [Default]
    OSInstall=Y
    SkipCapture=YES
    SkipAdminPassword=NO
    SkipProductKey=YES
    SkipComputerBackup=YES
    SkipBitLocker=YES
    HideShell=NO
    ApplicationSuccessCodes=0 1 2 1060 3010
    Applications001={b7d20a21-434c-4921-b0cd-85f69e0aa4d0}
    Applications002={d3abef28-3240-420b-ab22-bed8f03e4565}
    SkipAppsOnUpgrade=YES
    SkipPackageDisplay=YES
    SkipAdminAccounts=NO
    SkipComputerName=NO
    SkipDomainMembership=NO
    SkipUserData=YES
    SkipLocaleSelection=YES
    SkipTaskSequence=NO
    SkipTimeZone=YES
    SkipApplications=NO
    SkipSummary=NO
    SkipBDDWelcome=YES
    SkipFinalSummary=YES
    TimeZone=004
    TimeZoneName=Pacific Standard Time
    Home_page=
    FinishAction=SHUTDOWN
    DoNotCreateExtraPartition=NO
    BDEDriveLetter=S:
    BDEDriveSize= 2000
    BDEInstall=ProtectKeyWithTpm
    BDERecoveryKey=AD
    BDERecoveryPassword=TRUE
    BDERequired=YES
    OSDBitLockerCreateRecoveryPassword=TRUE
    

    • Edited by ZackAttack22 Tuesday, November 26, 2013 10:54 PM
    Tuesday, November 26, 2013 10:52 PM
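The two-step manage-bde procedure from the question (find the Numerical Password protector ID, then -adbackup it) as an added PowerShell example; this is not the poster's script and not part of the original thread. It assumes Windows 8.1 with the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector and Backup-BitLockerKeyProtector are the module's own cmdlets), and it writes a transcript to a log file so the outcome can be read after the window has closed. The log path and the sample manage-bde text are constructed for this example; the -UseManageBde switch keeps the text-parsing path so the same script works where the module is unavailable.

```powershell
# Added example, not code from the original post. Backs up the BitLocker
# recovery password (Numerical Password) protector for a volume to AD DS and
# logs everything, so a closed window no longer hides the result.
# Assumptions: Windows 8.1 BitLocker PowerShell module; log path is assumed;
# the sample manage-bde text below is constructed, not captured from a host.

param(
    [string]$MountPoint = 'C:',
    [switch]$UseManageBde   # parse manage-bde text like the VBScript instead of using the module
)

$LogPath = Join-Path $env:SystemRoot 'Temp\bde-adbackup.log'   # assumed log location
Start-Transcript -Path $LogPath -Append | Out-Null

function Get-RecoveryProtectorIdFromText {
    # Same logic as the VBScript: after the 'Numerical Password:' header, the next
    # 'ID:' line carries that protector's GUID. Earlier 'ID:' lines (e.g. the TPM
    # protector) are skipped because they appear before the header.
    param([string[]]$Lines)
    $inNumericalBlock = $false
    foreach ($line in $Lines) {
        if ($line -match 'Numerical Password:') { $inNumericalBlock = $true; continue }
        if ($inNumericalBlock -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $Matches[1] }
    }
    return $null
}

# Constructed sample of 'manage-bde -protectors -get C:' output, used only to
# show what the parser expects (a TPM protector first, then the numerical one).
$SampleOutput = @(
    'Key Protectors',
    '',
    '    TPM And PIN:',
    '      ID: {11111111-2222-3333-4444-555555555555}',
    '',
    '    Numerical Password:',
    '      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}',
    '      Password:',
    '        000000-000000-000000-000000-000000-000000-000000-000000'
)
Write-Output "Parser self-check (sample text): $(Get-RecoveryProtectorIdFromText $SampleOutput)"

function Backup-ViaManageBde {
    param([string]$MountPoint)
    $lines = & manage-bde.exe -protectors -get $MountPoint
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -get failed with exit code $LASTEXITCODE" }
    $id = Get-RecoveryProtectorIdFromText -Lines $lines
    if (-not $id) { throw "No Numerical Password protector found on $MountPoint" }
    & manage-bde.exe -protectors -adbackup $MountPoint -id $id | Write-Output
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -adbackup failed with exit code $LASTEXITCODE" }
    return $id
}

function Backup-ViaModule {
    param([string]$MountPoint)
    # The module exposes protectors as objects, so no text parsing is needed.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # Only TPM/PIN protectors so far: add a recovery password so there is something to escrow.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }
    return @($rp | ForEach-Object { $_.KeyProtectorId })
}

$exitCode = 1
try {
    $ids = if ($UseManageBde) { Backup-ViaManageBde $MountPoint } else { Backup-ViaModule $MountPoint }
    Write-Output "Recovery password protector(s) backed up to AD DS for ${MountPoint}: $($ids -join ', ')"
    $exitCode = 0
} catch {
    Write-Output "AD DS backup failed: $($_.Exception.Message)"
} finally {
    Stop-Transcript | Out-Null
}
exit $exitCode   # non-zero lets an MDT step or scheduled task see the failure
```

Run it elevated (manage-bde and the BitLocker cmdlets both require it), for example as a Run Command Line step at the end of the MDT task sequence so the escrow happens once per deployed machine; the exit code makes a failed backup visible to the task sequence rather than only to whoever happens to be watching the console. The transcript in %SystemRoot%\Temp (an assumed location) records both the protector ID that was escrowed and any error, and the check that actually matters is on the domain side: the computer object should now have an msFVE-RecoveryInformation child object, which an administrator with the AD PowerShell module can list with Get-ADObject scoped to that computer's DN.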