Windows – Enable bitlocker and save key to share

bitlockerwindows 7

I have searched all over the web but cannot find a complete answer to this:
How to enable Bitlocker on a laptop with TPM, and store a file with the Bitlocker recovery key and TPM password by USING THE manage-bde command line tool. The file should be the same as when created in the Bitlocker manager UI. I DO NOT want to save to AD. The same question was asked here but was not answered correctly.

The goal is to write a script to be used with an endpoint manager.

I have tried the following:

manage-bde -on C:

Works fine, but does not create or save a key.

manage-bde -on C: -rk C:\myfolder\


manage-bde -on C: -RecoveryKey C:\myfolder\ -rp

The output from the last two methods state that a key has been saved to c:\myfolder and so on, but that is not the case. It also says that I have to:

  1. Save the password in a secure location
  2. Insert a USB flash drive with an external key file into the computer.
  3. Restart and run hardware test
  4. type "manage-bde -status" to check if the hardware test succeeded

After a restart, I get an error saying that Bitlocker could not be enabled because

the bitlocker startup key or recovery kpassword cannot be found on the
USB device…. C: was not encrypted.

Why am I asked to insert a USB?? I simply want to encrypt the hard drive and save the recovery information to a file automatically. Is that too much to ask?

Help please!

Best Answer

This is what I've done for the recovery password (not key). Not fancy, but works - maybe it can point you in the right direction

manage-bde -on C: -recoverypassword > C:\Users\%username%\Desktop\printthisout-then-storesecurely.txt

Related Question