Unable to Force BitLocker\TPM info to AD using Manage-BDE

  • Question

  • Hi,

    I have a client who has encrypted and saved the TPM and BitLocker recovery information to a flash drive. We are in the process of applying a GPO to mandate that the keys be saved to AD. We have tested this policy out and it is working well.

    However, the issue I am having is pushing these keys up to AD manually using the command line since the policy wasn't applied before the client encrypted. The documentation that Microsoft provides says to run manage-bde -protectors -adbackup c: using an elevated command prompt to push the keys up. After running this command it comes back and says "Error: specifying the parameter '-id' is required to back up recovery information."

    The Microsoft documentation says that -id is only needed if you want to back up only a single recovery key. So I am confused as to why it prompts me to use it in the first place. I would like to back up TPM and BitLocker keys.

    Anyway, I've tried but failed to use the proper syntax for the -id parameter. Has anyone run into this or know how to use manage-bde to push existing keys up to AD?

    Thanks in advance.
    Friday, October 23, 2009 7:50 PM

All replies

  • Hi,

    I would also like to know the answer to this as I have the same problem.

    regs.
    Friday, December 18, 2009 7:33 AM
  • I have not found a way to backup the existing keys to AD using manage-bde but I was able to do it using WMI.

    Thursday, January 14, 2010 5:15 AM
  • Can you elaborate in more detail?
    Tuesday, January 26, 2010 1:42 PM
  • I have been able to do this successfully now. Here is what you have to do:

    Open an elevated command prompt (not powershell - powershell will cause this to fail with errors)

    run the command
    manage-bde -protectors c: -get

    you will receive output similar to this

    BitLocker Drive Encryption: Configuration Tool version 6.1.7600
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    All Key Protectors

        Numerical Password:
          ID: {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}
          Password:
            527560-068585-114378-134288-010131-496430-662706-631224

        TPM:
          ID: {5EB69F42-4ABC-4D6B-87C5-C894A3840FC4}


    What you are looking for is the Numerical Password ID.

    So in this example, to back up the password to AD you would type the following command:

    manage-bde -protectors c: -adbackup -id {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}

    When that completes you will receive the message...

    Recovery information was successfully backed up to Active Directory.

    I know the documentation states you do not have to specify the ID but you do.
    I hope that helps!
    • Proposed as answer by Beaudge Friday, March 12, 2010 2:02 PM
    Friday, March 12, 2010 2:01 PM
  • This doesn't seem to work for TPM And PIN:

    ERROR: An error occurred (code 0x8031003a):
    The key protector specified cannot be used for this operation.

    Wednesday, June 2, 2010 9:39 PM
  • PowerShell works if you simply put the ID in single quotes! e.g.:

    manage-bde -protectors c: -adbackup -id '{9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}'
    • Proposed as answer by Dr-Effective Monday, December 22, 2014 9:33 PM
    Tuesday, May 17, 2011 5:59 PM
  • Hi:

    I have the same problem, this is my script:

    $id =  (Get-BitLockerVolume -MountPoint c: | Select-Object -ExpandProperty KeyProtector)[0] | Select-Object KeyProtectorID | format-wide -Column 1 | out-string
    $id2 = $id.replace("`n","")
    $id3 = $id2.replace('{','"{').replace('}','}"')
    $id4 = $id3.trim()
    c:\windows\system32\manage-bde.exe -protectors -adbackup c: -ID $id4

    It doesn't work. I tried other methods to resolve this issue but none of them works.

    Any solution? :(

    Wednesday, May 22, 2019 9:48 PM
  • $BLV = Get-BitLockerVolume -MountPoint "C:"
    # pick the numerical (RecoveryPassword) protector; the TPM protector cannot be backed up to AD (error 0x8031003a)
    $id = ($BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[0].KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $id

    You just need something like this.
    Wednesday, June 5, 2019 12:17 PM
  • In my case the numerical recovery password was missing as I originally had used only this command:

    manage-bde -on C:

    You can add the numerical recovery password by using this command:

    manage-bde -protectors -add %systemdrive% -RecoveryPassword

    This automatically adds the recovery key into AD if you have the GPOs configured.

    To generate the recovery password when you start the process use this command:

    manage-bde -on C: -RecoveryPassword

    Thursday, June 27, 2019 4:58 PM
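Pulling the thread's steps together (pick only the numerical password protector, back that one up, and add one first where the volume was enabled with only a TPM protector), here is an added PowerShell example that is not from any poster in this thread. It assumes the BitLocker module cmdlets Get-BitLockerVolume, Add-BitLockerKeyProtector and Backup-BitLockerKeyProtector (Windows 8 / Server 2012 and later), an elevated session, and a domain-joined machine with the AD backup GPO in place.

```powershell
# Added example (not from any poster on this thread): escrow every BitLocker
# recovery password on the machine to AD DS, adding one first where a volume
# has only a TPM (or TPM+PIN) protector. Needs the BitLocker module and admin.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Backup-AllRecoveryPasswordsToAd {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Unencrypted volumes have no protectors worth escrowing.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Verbose "$($vol.MountPoint): not encrypted, skipping"
            continue
        }

        # Only the numerical (RecoveryPassword) protector can be backed up to AD;
        # passing the TPM / TPM+PIN protector ID fails with 0x8031003a.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($rp.Count -eq 0) {
            # Volume was turned on with "manage-bde -on" and no -RecoveryPassword.
            if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Add recovery password protector')) {
                Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
                $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                        Where-Object KeyProtectorType -eq 'RecoveryPassword')
            }
        }

        foreach ($p in $rp) {
            $what = "Back up protector $($p.KeyProtectorId) to AD"
            if ($PSCmdlet.ShouldProcess($vol.MountPoint, $what)) {
                try {
                    # Same operation as: manage-bde -protectors -adbackup <vol> -id <guid>
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $p.KeyProtectorId | Out-Null
                    Write-Output "$($vol.MountPoint): backed up $($p.KeyProtectorId)"
                } catch {
                    # Usual causes: no domain controller reachable, or the computer
                    # object is not allowed to write msFVE-RecoveryInformation.
                    Write-Warning "$($vol.MountPoint): backup of $($p.KeyProtectorId) failed: $_"
                }
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAd -Verbose
```

Run it with -WhatIf first to see which volumes would get a new protector and which IDs would be escrowed without changing anything.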