Storing Bitlocker Key to AD using MDT


  • Task:

    How to enable BitLocker and store the recovery key to AD? Using a Windows 2008 MDT server, Windows 7 clients, and a Windows 2003 domain.


    There seems to be something I am missing from all the information available on enabling BitLocker and storing the recovery key to AD.

    Steps Taken:

    1) Followed the BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory

    2) Verified that the BitLocker key is stored to AD by logging on as a Domain Admin on a Win 7 box, initializing TPM and BitLocker, and running the scripts successfully:

    • Get-TPMOwnerInfo.vbs
    • Get-BitLockerRecoveryInfo.vbs

    3) Enabled the BitLocker task in MDT 2010, as shown here

    • Selected Drive to Encrypt = TPM Only
    • Choose where to create the recovery key = AD

    4) Using PXE boot, started the Lite Touch sequence, selected the BitLocker options, and started the Win 7 install.

    5) BitLocker starts and finishes encrypting the drive, but no recovery key is stored in AD.

    What am I missing?


    Wednesday, May 19, 2010 2:56 AM

All replies

  • You are not the only one looking for an answer. I'm also trying to prepare active directory 2008 R2 to store the key.
    Wednesday, May 19, 2010 4:35 AM
  • So to add more value to this thread and hopefully foster interest in troubleshooting this issue I parsed the bdd.log for Bitlocker related entries:

    Property BdePin is now =  Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property BdeModeSelect1 is now =  Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property BdeModeSelect2 is now =  Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property WaitForEncryption is now =  Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property BdeInstall is now = TPM Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property OSDBitLockerStartupKeyDrive is now =  Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property OSDBitLockerWaitForEncryption is now = False Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property BdeRecoveryKey is now = AD Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property BdeInstallSuppress is now = NO Wizard 5/19/2010 9:58:58 AM 0 (0x0000)
    Property WizardComplete is now = Y Wizard 5/19/2010 9:58:58 AM 0 (0x0000)

    OS drive encryption requested. Drive:C: ZTIBde 5/19/2010 10:26:11 AM 0 (0x0000)
    Property BdeDriveLetter is now =  ZTIBde 5/19/2010 10:26:11 AM 0 (0x0000)
    Total Disk size in bytes80023749120 ZTIBde 5/19/2010 10:26:11 AM 0 (0x0000)
    Windows 7 has a hidden system partition, no disk actions are necessary ZTIBde 5/19/2010 10:26:11 AM 0 (0x0000)
    Success TPM Enabled ZTIBde 5/19/2010 10:26:11 AM 0 (0x0000)
    Success TPM Is Activated ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Success TPM Is Owned ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Success TPM Ownership Allowed ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Check for Ensorsement Key Pair Present = 0 ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    TpmEnabled: True ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    TpmActivated: True ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    TpmOwned: True ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    TpmOwnershipAllowed: True ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    EndorsementKeyPairPresent: True ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    TPM Validation Complete ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Encryptable Volume Count:1 ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Attempting to bind to: C: ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Success setting oBdeVol  ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    BDE Instance Bind Complete ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Performing ProtectKeyWithTpm Installation ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    Attempting to enable BitLocker TPM ZTIBde 5/19/2010 10:26:12 AM 0 (0x0000)
    P@ssword being saved to C:\WDI89263-{3CEEDD02-D831-4604-8AF7-E3DD91F338C2}.txt ZTIBde 5/19/2010 10:26:14 AM 0 (0x0000)
    Attempting to intiate ProtectKeyWithNumericalP@ssword ZTIBde 5/19/2010 10:26:14 AM 0 (0x0000)
    Success protecting Key with numerical p@ssword ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Attempting to retrieve numerical p@ssword ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Saving numerical p@ssword to file. ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Success P@ssword Key file written ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    ProtectKeyWithNumericalP@ssword success ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Attempting to start BDE encryption ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Success starting encryption ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    ZTIBde processing completed successfully. ZTIBde 5/19/2010 10:26:16 AM 0 (0x0000)
    Property restore is now =  ZTIUserState 5/19/2010 10:26:17 AM 0 (0x0000)
    Microsoft Deployment Toolkit version: 5.0.1641.0 ZTIUserState 5/19/2010 10:26:17 AM 0 (0x0000)

    Could anyone submit bdd.log entries that show a successful write of the key to AD?


    Wednesday, May 19, 2010 4:16 PM
  • Hi,

    I have the same problem with MDT 2010 and Windows 7 deployment. BitLocker encrypts the drive, but the recovery password is not being stored in Active Directory. When I do the encryption manually, the password is stored properly in AD. I searched the Internet and found several people having this same problem, but no solutions. Seems to me this is a bug, or did we miss something in the configuration?

    Monday, June 21, 2010 3:44 PM
  • Hi rcdonner,

    How can I manually encrypt again?

    Tuesday, January 04, 2011 3:43 PM
  • We're having exactly the same issue, and no answer is forthcoming.

    When we deploy computers, no key is written to AD. It has worked before, though, and I have not pinpointed what exactly happened to stop this from working.

    I'm using this script as a workaround to ensure that the keys get into AD:

    It's not a clean solution, but it works for us for now, to avoid losing user data while I wait for a solution.

    Tuesday, March 29, 2011 1:03 PM
  • Have you enabled the GPO? Under System, click Trusted Platform Module Services.

    Turn on TPM backup to Active Directory.

    Thursday, March 31, 2011 6:43 PM
  • Yes, we have that GPO set correctly.
    Friday, April 08, 2011 10:17 AM
  • Did you run Add-TPMSelfWriteACE.vbs to allow systems to write their recovery key to the computer object in AD?
    Friday, April 08, 2011 1:12 PM
  • Try adding gpupdate /force to the task sequence somewhere after "Recover from Domain" but before "Enable BitLocker".
    Monday, April 25, 2011 3:45 PM
  • The same happened to me. Strange that the GPO setting should have to be made even when the MDT wizard settings are set.
    Wednesday, January 11, 2012 11:23 AM
  • Bump on this topic. The actual code that should do the job is:

    '// Perform password generation for AD backup.
    If UCase(sOSDBitLockerCreateRecoveryPassword) = "AD" Then
        sPasswordFile = sOSDBitLockerStartupKeyDrive & "\" & oUtility.ComputerName & "-" & sVolProtectorId & ".txt"
        oLogging.CreateEntry "Recovery Password being saved to " & sPasswordFile, LogTypeInfo
        If Left(sOSDBitLockerStartupKeyDrive, 2) = "\\" Then
            oUtility.ValidateConnection sOSDBitLockerStartupKeyDrive
            oUtility.VerifyPathExists sOSDBitLockerStartupKeyDrive
        End If
        iRetVal = ProtectKeyWithNumericalPassword(sPasswordFile)
        TestAndFail iRetVal, 6762, "Recovery Password being saved to " & sPasswordFile
    End If

    There is, as far as I can see, nothing indicating it's even trying to save this into AD. So taking Willem Goethals' link and marrying it into this segment might do the trick, or what do you all think about that?


    Friday, September 07, 2012 5:58 AM
  • Totally obvious question, but have you installed the BitLocker Drive Encryption Admin utility through server features that lets you view the encryption key?


    Thanks - Joe.

    Friday, September 07, 2012 8:06 AM
  • Totally valid. Yes - added the feature BitLocker Drive Encryption Administration Utilities and BitLocker Recovery Password Viewer.

    And to be totally honest, the script that is being referred to works perfectly in an elevated cmd. It saves the pwd into AD nice and dandy - verified from ADUC...

    Further, looking into the ZTIBde code there seem to be no further calls to manage-bde than the "-on" used for "offline" enabling of the newly formatted partition. Don't know if you can get the key into AD any other way..

    Also, further: the

    is not the volume ID but the TPM ID. Verified using Manage-BDE.exe -protectors -get c:

    I'm still trying to figure out where that variable comes from...

    Br, Christian

    Friday, September 07, 2012 8:23 AM
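An added example, not the workaround script mentioned earlier in the thread and not MDT's own ZTIBde code: it does from the client what both of those posts want, checking whether each Numerical Password protector on the OS drive already has an msFVE-RecoveryInformation object under the computer account and, for any that is missing, calling manage-bde's own "-protectors -adbackup", which the ZTIBde segment above never invokes. The function names and messages are mine; it assumes a domain-joined Windows 7 client, an elevated shell (for instance a "Run Command Line" step placed after "Enable BitLocker"), and the schema and Add-TPMSelfWriteACE.vbs preparation discussed in the thread.

```powershell
# Added example (not the thread's workaround script): make sure every recovery
# password protector on the OS drive is backed up to AD, using manage-bde.
# Assumes: domain-joined Windows 7 client, elevated, AD schema/ACL prep done.
param([string]$Drive = 'C:')

# IDs of "Numerical Password" protectors, parsed from manage-bde's listing:
# the "ID: {GUID}" line that follows a "Numerical Password:" header.
function Get-RecoveryProtectorIds([string]$Drive) {
    $ids = @(); $inRecovery = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive)) {
        if ($line -match '^\s*Numerical Password:\s*$') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $matches[1].ToUpper(); $inRecovery = $false
        }
    }
    return $ids
}

# Recovery GUIDs already stored as msFVE-RecoveryInformation children of this
# computer object (msFVE-RecoveryGuid is an octet string holding the GUID).
function Get-AdBackedUpIds {
    $comp = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    if (-not $comp) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$($comp.Properties['distinguishedname'][0])"
    $s.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $s.SearchScope = 'OneLevel'
    $s.PropertiesToLoad.Add('msFVE-RecoveryGuid') | Out-Null
    $found = @()
    foreach ($r in $s.FindAll()) {
        $bytes = [byte[]]$r.Properties['msfve-recoveryguid'][0]
        $found += ('{' + (New-Object Guid (,$bytes)).ToString().ToUpper() + '}')
    }
    return $found
}

$onDisk = @(Get-RecoveryProtectorIds $Drive)
if ($onDisk.Count -eq 0) { throw "No Numerical Password protector found on $Drive" }
$inAd = @(Get-AdBackedUpIds)
foreach ($id in $onDisk) {
    if ($inAd -contains $id) { Write-Host "OK: $id is already in AD"; continue }
    Write-Host "Missing in AD, backing up protector $id"
    # manage-bde writes the msFVE-RecoveryInformation object itself; it needs
    # the self-write ACE on the computer object to succeed.
    & manage-bde.exe -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -adbackup failed with exit code $LASTEXITCODE" }
}
```

Once the key is confirmed in AD, the plaintext recovery file that ZTIBde wrote to the drive (the C:\<computername>-<id>.txt path visible in the bdd.log above) should be removed, since leaving it beside the encrypted volume defeats the protector.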