bitlocker and partitions

  • Question

  • Hello guys,

    We are using MDT for PC deployment. We have three partitions (C, D, E) and we would like to encrypt all partitions with BitLocker, but with the same key in AD. Is it possible to do this? I know AD is able to save the key as an object, but only a unique one.

    Thank you very much for your help!!

    Tuesday, May 14, 2019 8:38 AM

Answers

  • You can have as many recovery keys as you like.

    It works the same way for additional drive letters. However, since these drives cannot have a TPM protector (only the system drive can), you need:

    manage-bde -on d: -rp

    manage-bde -autounlock -enable d:

    • Marked as answer by dovasCZ Wednesday, May 15, 2019 5:48 AM
    Tuesday, May 14, 2019 1:07 PM

All replies

  • You may set the same recovery key for all drives, if you use a script.

    However, I wonder why one would like to do that? Since the recovery key is not something that you use daily, but rather in disaster recovery, I see no reason to set it to the same value for all drives.

    Can you explain?

    Tuesday, May 14, 2019 11:08 AM
  • OK, look, I am not sure whether AD can store more than one key (I read an article but don't remember it fully), so this was my main reason for wanting only one key.

    The script I use is:

    @echo off
    setlocal
    REM Read the current encryption method of the system drive; "None" means it is not encrypted yet.
    set "method="
    for /F "tokens=3" %%A in ('manage-bde -status %systemdrive% ^| findstr /C:"Encryption Method:"') do set "method=%%A"
    echo Encryption method on %systemdrive%: %method%
    if /I not "%method%"=="None" goto :end

    :activate
    echo in activate
    REM Skip TPM initialization if the TPM is already enabled.
    for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
        if "%%A"=="TRUE" goto :bitlock
    )
    powershell -NoProfile -Command Initialize-Tpm

    :bitlock
    REM Suspend protectors while the recovery password is replaced (batch continues if this errors on an unprotected drive).
    manage-bde -protectors -disable %systemdrive%
    bcdedit /set {default} recoveryenabled No
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
    manage-bde -protectors -add %systemdrive% -RecoveryPassword
    REM Back up the new recovery password protector (by its ID) to AD.
    for /F "tokens=2 delims=: " %%A in ('manage-bde -protectors -get %systemdrive% -type RecoveryPassword ^| findstr /C:"ID:"') do (
        echo %%A
        manage-bde -protectors -adbackup %systemdrive% -id %%A
    )
    manage-bde -protectors -enable %systemdrive%
    manage-bde -on %systemdrive% -SkipHardwareTest

    :end
    endlocal

    I tried to add the D and E drives, but with no success. Maybe it is easier to use PowerShell, but I am not so good at it. If you can give me some advice, it would help me.

    Thank you!



    • Edited by dovasCZ Tuesday, May 14, 2019 1:00 PM
    Tuesday, May 14, 2019 12:59 PM
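    As an added example (not code from the thread), here is a PowerShell version of what the accepted answer describes for the data drives, combined with the AD backup step the poster's batch script already does for C:. It uses the BitLocker module cmdlets (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLockerAutoUnlock). Assumptions: the data volumes are D: and E: as in the question, XTS-AES 256 is my choice of encryption method, the machine is domain-joined with the domain prepared to store BitLocker recovery information, and the OS drive is already BitLocker-protected (auto-unlock depends on it). Each volume gets its own recovery password; AD stores each one as a separate msFVE-RecoveryInformation object under the computer account, keyed by the protector GUID, which is why a single shared key is neither needed nor supported.

```powershell
# Added example, not from the thread. Run elevated on the deployed client.
#Requires -RunAsAdministrator
param(
    # Data volumes to protect (the poster's layout; adjust as needed).
    [string[]]$DataVolumes = @('D:', 'E:')
)

function Protect-DataVolume {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Data drives cannot take a TPM protector, so the protector here is a
    # recovery password. Encryption method is an assumption for this example.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector -SkipHardwareTest -ErrorAction Stop | Out-Null
    }
    elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    }

    # Back up every recovery password protector on this volume to AD DS.
    # Each protector becomes its own msFVE-RecoveryInformation object under the
    # computer account, so one key per volume is the normal, supported layout.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Host "$MountPoint recovery password $($kp.KeyProtectorId) backed up to AD"
    }

    # Auto-unlock stores an external key on the encrypted OS volume so the data
    # drive unlocks without a prompt once Windows has booted (what the answer's
    # "manage-bde -autounlock -enable d:" does).
    if (-not $vol.AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    }
}

# Auto-unlock requires a protected OS drive; fail early if C: is not done yet.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    throw "$env:SystemDrive must be BitLocker-protected before data volumes can auto-unlock."
}

foreach ($v in $DataVolumes) { Protect-DataVolume -MountPoint $v }

# Verification: one recovery password ID per volume, auto-unlock on,
# encryption in progress or complete.
Get-BitLockerVolume -MountPoint $DataVolumes |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, AutoUnlockEnabled,
        @{ n = 'RecoveryPasswordIds'; e = { ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId -join ', ' } } |
    Format-Table -AutoSize
```

    Keeping the recovery passwords distinct is also the safer choice: a recovery password is the break-glass secret for a volume, so if one is read out of AD and typed in during a recovery, only that volume is exposed and only that protector needs to be rotated (delete it and add a new one, then back up again), rather than every drive on the machine.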
  • Hi,

    yep it helped :) now all drives are encrypted!

    Thank you very much!

    Wednesday, May 15, 2019 5:48 AM
  • You are welcome.
    Wednesday, May 15, 2019 6:19 AM
  • Hi,

    Thank you for posting in Microsoft TechNet Forum.

    I'm glad to hear that your problem is successfully solved.

    Wish you a happy life.

    Best regards,

    Hurry



    Wednesday, May 15, 2019 7:08 AM