OSD - Copy Bitlocker Key To Network Drive

    Question

  • I have successfully been able to activate the TPM, enable BitLocker and create the key in AD DS using the "Enable BitLocker" task sequence step from MDT. My colleagues would also like to automate storing the key in a network directory instead of going into BitLocker in Control Panel and re-saving it to the network. I tried a few commands using manage-bde.exe but have not been able to figure it out. Does anyone know how I can accomplish this? Maybe there's an easier way to do this where it will enable BitLocker, create the key in AD and save the key file in the network directory all at once. Thanks in advance.
    Tuesday, March 26, 2013 8:43 PM

All replies

  • MDOP, the Microsoft Desktop Optimization Pack, allows you to use MBAM.

    http://technet.microsoft.com/en-us/windows/hh826072.aspx

    • Proposed as answer by John Marcum Wednesday, March 27, 2013 12:17 AM
    Tuesday, March 26, 2013 8:57 PM
  • You can use a GPO to put the key in AD, but it's stored there in plain text. There are several more drawbacks, but I think that one is a big enough reason not to do it. Use MBAM instead, as Amnon says.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Wednesday, March 27, 2013 12:17 AM
  • Run a command line with the following command: manage-bde -protectors -add c: -recoverykey c:

    This will save the recovery key (a .bek external key file) to the root of C:.

    You could alter the command line to save it to a network location; I use a script to do this:

    rem replace driveletter, networkshare, domain\username and password with your own values
    net use driveletter: networkshare /user:domain\username password
    md driveletter:\bitlockerkeys\%computername%
    attrib -h -s c:\*.bek
    move c:\*.bek driveletter:\bitlockerkeys\%computername%

    Keep in mind that driveletter and networkshare would have to be replaced with your values ;)

    Wednesday, April 3, 2013 10:12 PM
  • MBAM is great, but there are licensing implications.

    If you cannot use MDOP/MBAM, then store the key in AD instead; here's a guide explaining how to get that working.



    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

    Thursday, April 4, 2013 7:42 AM
    Moderator
  • Oh, and here's how to retrieve your BitLocker key; it should be easy to script copying that to a share.

    http://www.niallbrady.com/2012/08/28/how-can-i-retrieve-my-bitlocker-recovery-key/



    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

    Thursday, April 4, 2013 7:44 AM
    Moderator
  • Thanks for the input all.

    Niall, that's a very nice tutorial. It would have saved me a lot of time, but we already have it saving the key in AD. We would like to save the recovery password to the network as well and I was just seeing if there's a way to do this.

    Klaas, we'd like to save the recovery password text file to our network drive and not the .bek key. Right now the recovery ID and password are being saved in AD, but we've had some issues where the laptops would require a key at boot-up and the key in AD does not work for some reason. Therefore we had to re-image the machines.

    Amnon, we will be looking into MBAM in the next few months. This is most likely what we will be going to if all works out. Any easy install tutorial you can suggest would be helpful.

    Thanks again.

    Monday, April 8, 2013 9:18 PM
  • Before installing the MBAM 2.0 beta for testing, do you know if I would be able to uninstall the MBAM SCCM integration if we choose not to use MBAM? Is there documentation somewhere? I wasn't able to find any.
    Thursday, April 11, 2013 2:53 PM
  • I believe that the MBAM 2.0 "integration" in ConfigMgr consists of simply a couple of collections and some Compliance Items and Baselines, which can safely be removed.

    With regard to saving the recovery password to a text file, take a snoop around in the MDT Scripts folder and at the ZTIBde.wsf script. When used, this script saves the recovery password to a text file on the local disk, which should give you an idea of how to write your own script to accomplish this AND save it to a network share during the task sequence.

    I would certainly look at MBAM 2.0 though, although the requirement for SQL Enterprise may be a no-go for some organisations.

    Andy


    My Personal Blog: http://madluka.wordpress.com

    Thursday, April 11, 2013 4:43 PM
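The two approaches discussed above (Klaas's manage-bde/.bek script and Andy's pointer to ZTIBde.wsf, which writes the recovery password to a local text file) can be combined into one task-sequence step. The script below is an added example and is not code from the thread, from MDT or from ZTIBde.wsf; it uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later) to read the numerical recovery password for each RecoveryPassword protector on the OS volume, write it to a per-computer text file on a share, and optionally escrow the same protector to AD. The share path \\fileserver\BitLockerKeys and the parameter names are placeholders; the task sequence account is assumed to already have write access to the share (map it with net use or New-PSDrive beforehand rather than embedding a password in the script).

```powershell
<#
  Added example, not part of the original thread or of MDT's own scripts.
  Saves every BitLocker numerical recovery password on a volume to a per-computer
  text file on a share, and optionally backs the same protector up to AD DS.
  Assumptions (placeholders, not from the thread):
    - \\fileserver\BitLockerKeys exists and the running account can write to it
    - the BitLocker module is available (Windows 8 / Server 2012 or later)
#>
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$SharePath  = '\\fileserver\BitLockerKeys',   # placeholder share
    [switch]$EscrowToAD                                   # also run Backup-BitLockerKeyProtector
)

$ErrorActionPreference = 'Stop'
Import-Module BitLocker

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.KeyProtector.Count -eq 0) {
    throw "No BitLocker key protectors on $MountPoint; run the Enable BitLocker step first."
}

# The numerical recovery password is what the pre-boot recovery screen asks for.
# A .bek external key (the file Klaas's script moves) is a different protector type.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    # Image only has a TPM protector: add a recovery password so there is something to escrow.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

$dest = Join-Path $SharePath $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($p in $rp) {
    # Name the file after the protector ID: the pre-boot screen shows the first 8
    # characters of this ID, and AD stores the password under the same ID, so a
    # helpdesk operator can match the prompt to the right file.
    $id   = $p.KeyProtectorId.Trim('{}')
    $file = Join-Path $dest ("{0}_{1}.txt" -f $env:COMPUTERNAME, $id)

    @(
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $MountPoint"
        "Protector ID:      $($p.KeyProtectorId)"
        "Recovery Password: $($p.RecoveryPassword)"
        "Saved:             $(Get-Date -Format o)"
    ) | Set-Content -Path $file -Encoding ASCII

    if ($EscrowToAD) {
        # Writes this protector to the computer object's msFVE-RecoveryInformation;
        # needs the AD schema and GPO prerequisites from the AD backup guide above.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    Write-Output "Saved recovery password $($p.KeyProtectorId) for $MountPoint to $file"
}
```

Run it as a "Run PowerShell Script" step after the Enable BitLocker step, for example `.\Save-BitLockerRecoveryPassword.ps1 -SharePath \\fileserver\BitLockerKeys -EscrowToAD`. The text file on the share is the recovery password in plain text, the same exposure John Marcum flags for AD above, so restrict the share and NTFS ACLs to the group that performs recovery, and audit reads of the folder; if that is not acceptable, MBAM's recovery-key service is the supported alternative.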
  • Actually the integration places the compliance data and reporting into the CM database rather than the MBAM one. Not really a great thing, IMO. See this:

    http://myitforum.com/myitforumwp/2013/04/11/dudewheres-my-compliance-data/


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Friday, April 12, 2013 10:21 PM
  • MBAM 2.0 does not require SQL enterprise, MBAM 1.0 does though.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Friday, April 12, 2013 10:22 PM
  • MBAM 2.0 does not require SQL enterprise, MBAM 1.0 does though.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    This sounds interesting, John, and possibly a game changer for many of our customers. SQL Enterprise is not required for anything at all with MBAM 2.0? I thought SQL Server Standard could not adequately encrypt the stored recovery keys? TDE or something (I'm no DBA!)

    If SQL Server Standard can now be used, and given that MBAM 2.0 has an integration into ConfigMgr, does this mean that the licensing permits the SQL Standard instance for ConfigMgr to also host the MBAM 2.0 database?


    My Personal Blog: http://madluka.wordpress.com

    Saturday, April 13, 2013 3:26 PM
  • According to the session I saw this week at MMS, TDE is no longer required. I did want to ask if the keys are still encrypted without TDE, but I wasn't able to catch the speakers before they left the room. No, you should not host MBAM on the CM server; it still requires a minimum of two servers for MBAM: one for SQL, another for IIS.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Saturday, April 13, 2013 5:01 PM
  • "You can optionally install the transparent data encryption (TDE) feature that is available in SQL Server 2008 or later. The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files. TDE protects data "at rest," meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. For more information about TDE..."

    http://msdn.microsoft.com/en-us/library/dn145046.aspx


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    Saturday, April 13, 2013 5:04 PM
  • According to the session I saw this week at MMS, TDE is no longer required. I did want to ask if the keys are still encrypted without TDE, but I wasn't able to catch the speakers before they left the room. No, you should not host MBAM on the CM server; it still requires a minimum of two servers for MBAM: one for SQL, another for IIS.


    John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/

    How about when the SQL instance is remote? Let's say the customer likes to use their SQL cluster where possible.

    I just know someone out there is also going to ask about MBAM 2.0 and FIPS compliance; I will have to dig through the updated MBAM docs to see if I can find any mention of compliance.


    My Personal Blog: http://madluka.wordpress.com

    Monday, April 15, 2013 11:26 AM