Windows – Enable bitlocker and save key to share

Tags: bitlocker, windows 7

I have searched all over the web but cannot find a complete answer to this:
How to enable Bitlocker on a laptop with TPM, and store a file with the Bitlocker recovery key and TPM password by USING THE manage-bde command line tool. The file should be the same as when created in the Bitlocker manager UI. I DO NOT want to save to AD. The same question was asked here but was not answered correctly.

The goal is to write a script to be used with an endpoint manager.

I have tried the following:

manage-bde -on C:

Works fine, but does not create or save a key.

manage-bde -on C: -rk C:\myfolder\

and

manage-bde -on C: -RecoveryKey C:\myfolder\ -rp

The output from the last two methods states that a key has been saved to c:\myfolder and so on, but that is not the case. It also says that I have to:

  1. Save the password in a secure location.
  2. Insert a USB flash drive with an external key file into the computer.
  3. Restart and run the hardware test.
  4. Type "manage-bde -status" to check if the hardware test succeeded.

After a restart, I get an error saying that Bitlocker could not be enabled because

the bitlocker startup key or recovery password cannot be found on the
USB device…. C: was not encrypted.

Why am I asked to insert a USB?? I simply want to encrypt the hard drive and save the recovery information to a file automatically. Is that too much to ask?

Help please!

Best Answer

This is what I've done for the recovery password (not key). Not fancy, but it works. Maybe it can point you in the right direction.

manage-bde -on C: -recoverypassword > C:\Users\%username%\Desktop\printthisout-then-storesecurely.txt
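A complete script for the scenario in the question, as an added example that is neither the question's nor the answer's code: it adds the TPM and recovery-password protectors with manage-bde, turns encryption on without the reboot hardware test, and writes the recovery password to a share path. The share path is a placeholder and the file layout only approximates the UI's recovery file; both are assumptions.

```powershell
# Added example (not from the question or answer): enable BitLocker on the OS
# volume with a TPM protector plus a recovery password, then save the recovery
# password to a network share instead of AD. Assumptions: manage-bde is on PATH,
# $SharePath is a placeholder, and the account running this can write to it.
param(
    [string]$Volume    = 'C:',
    [string]$SharePath = '\\FILESERVER\BitLockerKeys'   # placeholder, replace
)
$ErrorActionPreference = 'Stop'

# 1. Add the protectors before turning encryption on. The TPM protector unlocks
#    the OS volume at boot; the numerical (recovery) password is what gets typed
#    at the recovery screen. No external key file (-rk) is added, so no USB stick
#    has to be present.
& manage-bde -protectors -add $Volume -tpm -rp | Out-Null

# 2. Turn encryption on. -SkipHardwareTest skips the restart-and-test step that
#    the output in the question asked for, so encryption starts right away.
& manage-bde -on $Volume -SkipHardwareTest | Out-Null

# 3. Read the protectors back and pull out the recovery password and its ID
#    (manage-bde labels it "Numerical Password" and prints ID, then Password).
$text = (& manage-bde -protectors -get $Volume) -join "`n"
$m = [regex]::Match($text,
    'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]{36}\})\s+Password:\s+(\d{6}(?:-\d{6}){7})')
if (-not $m.Success) { throw "No numerical password protector found on $Volume" }
$id = $m.Groups[1].Value
$password = $m.Groups[2].Value

# 4. Write a recovery file named like the one the BitLocker UI creates. The
#    layout is an approximation, not a byte-for-byte copy of the UI's file.
$content = @"
BitLocker Drive Encryption recovery key

Identifier: $id

Recovery Key: $password
"@
$file = Join-Path $SharePath ("BitLocker Recovery Key {0}.txt" -f $id.Trim('{}'))
Set-Content -Path $file -Value $content -Encoding Unicode

# 5. Fail loudly if the file did not land on the share: an encrypted disk with
#    no stored recovery password is the worst outcome for the help desk.
if (-not (Test-Path $file)) { throw "Recovery file was not written to $file" }
Write-Output "Recovery password for $Volume saved to $file"
```

Run it elevated; lock down NTFS and share permissions on the target folder so only the endpoint-management service account and the help desk can read the files.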
