The drive can then be used on any Windows 7 computer by simply plugging it in and entering the password you created when you encrypted it. If that computer ever dies, or if you need to pull that hard drive from its current hardware, then you will need that key in order to decrypt and read it. You can repeat this for the other types of drives as well. Q: How can I easily retrieve BitLocker recovery passwords from Active Directory? It'll tell you that the key has been saved and then you can continue. In Server Manager, select Manage.
The easiest solution is to use the Active Directory Users and Computers console. BitLocker Recovery Password Viewer stores the passwords in Active Directory. If you need to boot something else, press F12 while booting to manually select it at that time. The sample script provided in this blog is not supported under any Microsoft standard support program or service. By default, only Domain Admins have rights to delete the key. If you are not sure, you can or not.
It turns out to be pretty simple to save and view BitLocker passwords in Active Directory. We hope this blog helped you understand and address the situation. Below are the steps to configure Windows 7 and 2008 R2, but if you need Vista or 2008 you'll find the instructions. Great info on how to turn it on. The name of the BitLocker recovery object is limited to 64 characters, so the original should be allowed a 48-bit password. Has there been any movement on how to automate this domain-wide? If all goes well you should see this screen. I might like to try to modify it to do so.
Disclaimer: © 2013 Microsoft Corporation. Note: You require local admin rights to run manage-bde commands. Has anything changed in the past few years to break this? Hello, my name is Manoj Sehgal. You've got BitLocker working and the drive is encrypted. You can get more information about BitLocker. When asked to save your key, I find it easiest to just save it to a file someplace (it just generates a text file); the catch is you cannot save it to the drive that you are encrypting! All that you'll need to do is to email consult uic. For example, here's how you do it on a Dell Latitude laptop.
When the number of computers in the company network is not very large, the administrator can monitor the keys and passwords manually. Also, you may notice that the disk appears to be nearly full until the encryption is complete. Rest assured that you can create a domain policy that will require the computer to store its key in Active Directory as a property of the computer account, and it's all done automatically! But what if you need the recovery key and you cannot use the password? Yes, you do want the trailing period. One of which works fine every time, the second of which fails. Has anyone used this script recently? And as you will find out the hard way, Windows won't automatically back the recovery key up at a convenient moment later on by itself. In other words, we need to be able to re-write the recovery key data from existing encrypted removable media once used on a new device. Then select Add Roles and Features.
You may execute the attached script from an elevated command window. Feature installation: before searching for your computer in Active Directory, you need to install a plugin to display BitLocker Recovery Key information. Using policy, it is possible for the BitLocker recovery password to be stored in Active Directory via the Computer Configuration - Policies - Administrative Templates - Windows Components - BitLocker Drive Encryption - "Store BitLocker recovery information in Active Directory Domain Services" policy. Bitlocker Drive Encryption: Configuration Tool version 6. Removable data drives: set "Deny write access to removable data drives not protected by BitLocker" to Enabled, and "Do not allow write access to devices configured in another organization." Windows displays the first eight characters of the recovery password after the user or help desk operator reboots a client machine in recovery mode.
There's probably an easy way to do this for all keys at once using PowerShell, but since you'll normally only have to do this once for your machine, I didn't take the time to figure all that out :). The process does take a while and you may notice some slower than normal performance until it's done, but once the disk is encrypted you should not notice any performance degradation. You should now be able to view the recovery information for the volume in Active Directory. I was able to make a fairly simple script in PowerShell to accomplish this; thanks for the article, it was just what I was looking for. I'm currently working for Microsoft as a FastTrack Engineer specializing in Microsoft Azure as a cloud solution.
This means that if you are encrypting your system drive C:, it is important that you set the boot order so that the hard drive is always first. If you are planning to reimage the machine, just format the drive and the BitLocker encryption will be gone. The first step, adding the BitLocker Recovery Password Viewer to the domain controllers, has already been completed for you. Turn on BitLocker on your client. It shows only information about the external key and the external key file name, and nothing else. That's why I got an error like this: bdeadbackup. Step 3: Scan the lost files from the BitLocker encrypted drive.