NOTE: This document has two sets of steps. Follow the first set if the OS volume is not encrypted. Follow the second set only if the OS volume is already encrypted but its recovery key still needs to be stored in AD. DO NOT FOLLOW BOTH SETS OF STEPS.

Pre-requisites:

  1. TPM chip needs to be Enabled and Activated from BIOS.
  2. The laptop should be connected to the organisation network, either directly or via VPN. This is needed to store the recovery key in AD.
  3. OS is installed on C:\. If the OS is not installed on C:\, the scripts in this document will need to be modified to use the drive letter where the OS is installed.

Special permissions required: You need to have administrator permission on the machine you are performing these steps on.

Steps to encrypt OS volume: Perform these steps only if OS volume is NOT encrypted.

  1. Make sure the TPM chip is Enabled and Activated in BIOS.
    NOTE: Use TPM version 2.0 if BIOS mode is set to UEFI. If BIOS mode is set to Legacy, use TPM version 1.2.
  2. Copy BitLocker_Encrypt_And_StoreRecoveryKeyinAD.bat script mentioned below locally on the machine you are trying to activate:

@echo off
REM Turn on BitLocker for the OS volume (C:) using the TPM as the key protector.
Manage-bde -on C:
REM Add a numerical recovery password protector; this is what gets backed up to AD.
Manage-bde -protectors -add C: -recoverypassword
REM Collect the protector IDs (lines of the form "ID: {GUID}") into a temp file.
Manage-bde -protectors -get C: | findstr /C:"ID:" > "%Temp%\ID.txt"
echo.
echo.
echo.
echo *** Saving BitLocker Key to Active Directory...
echo.
REM Back up each listed protector to the computer's AD object; %%b is the {GUID}.
REM The TPM protector's ID is listed too; its backup attempt fails harmlessly because only
REM recovery passwords can be backed up to AD.
for /f "usebackq tokens=1,2" %%a in ("%Temp%\ID.txt") do manage-bde -protectors -adbackup C: -id %%b
echo.

  3. Launch command prompt as administrator and navigate to the folder where you copied the BitLocker_Encrypt_And_StoreRecoveryKeyinAD.bat script.
  4. Execute the script by typing BitLocker_Encrypt_And_StoreRecoveryKeyinAD.bat in the command prompt window and hitting Enter.
  5. If the script executes successfully, you should see a message saying “Encryption will begin after hardware reset”. At this point, restart the machine. Encryption will begin after the restart.
  6. Confirm that the BitLocker recovery password is stored in AD. To check this, search for the computer object in AD, right-click it and select Properties. The recovery key will be visible under the BitLocker Recovery tab.

Steps to store recovery key in AD: Perform these steps only if the OS volume is already encrypted but the recovery key is not stored in AD.

  1. Copy the BitLocker_to_AD.bat script below locally on the machine you are trying to activate.

@echo off
REM Collect the protector IDs (lines of the form "ID: {GUID}") of the already-encrypted C: into a temp file.
Manage-bde -protectors -get C: | findstr /C:"ID:" > "%Temp%\ID.txt"
echo.
echo.
echo.
echo *** Saving BitLocker Key to Active Directory...
echo.
REM Back up each listed protector to the computer's AD object; %%b is the {GUID}.
REM The TPM protector's ID is listed too; its backup attempt fails harmlessly because only
REM recovery passwords can be backed up to AD.
for /f "usebackq tokens=1,2" %%a in ("%Temp%\ID.txt") do manage-bde -protectors -adbackup C: -id %%b
echo.

  2. Launch command prompt as administrator and navigate to the folder where you copied the BitLocker_to_AD.bat script.
  3. Execute the script by typing BitLocker_to_AD.bat in the command prompt window and hitting Enter.
  4. If the script executes successfully, you should see a message saying “Recovery key successfully stored in AD”.
  5. Confirm that the BitLocker recovery password is stored in AD. To check this, search for the computer object in AD, right-click it and select Properties. The recovery key will be visible under the BitLocker Recovery tab.
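Both batch scripts above end with the same "back up the recovery password to AD" step, and both procedures end with a manual check in the AD console. The PowerShell script below is an added example, not part of the original document and not a Microsoft-provided script, that covers the same ground for an OS volume on C: with the BitLocker cmdlets. It assumes the built-in BitLocker and TrustedPlatformModule modules (Windows 8.1 / Server 2012 R2 and later) and, for the final check only, the ActiveDirectory RSAT module on the machine running it; the function names are this example's own. Unlike `findstr ID`, it backs up only RecoveryPassword protectors, and Enable-OsVolumeEncryption does nothing when C: is already encrypted, so the same script serves either procedure.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original document: PowerShell version of the two batch
# scripts for an OS volume on C:. Assumes the built-in BitLocker and TrustedPlatformModule
# modules and, for Confirm-RecoveryKeyInAD only, the ActiveDirectory RSAT module.
# Function names are this example's own.

$MountPoint = 'C:'

function Test-TpmReady {
    # Prerequisite 1: the TPM must be present, enabled and activated.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        throw ("TPM not ready (Present={0} Enabled={1} Activated={2}); enable/activate it in BIOS/UEFI first." -f
               $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmActivated)
    }
}

function Enable-OsVolumeEncryption {
    # First procedure, "manage-bde -on C:" equivalent: turn on BitLocker with a TPM protector.
    # Does nothing if the volume is already encrypted, so it is safe to call in either scenario.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); skipping Enable-BitLocker."
        return
    }
    # No -SkipHardwareTest: like manage-bde -on, encryption starts after the reboot-time hardware test.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector | Out-Null
    Write-Host "BitLocker enabled on $MountPoint; encryption will begin after the next restart."
}

function Backup-RecoveryPasswordToAD {
    # Second procedure: back up the numerical (recovery) password protector(s) to the computer's
    # AD object. Only RecoveryPassword protectors are selected, so the TPM protector's ID is
    # never passed to the backup.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # "manage-bde -protectors -add C: -recoverypassword" equivalent
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        # "manage-bde -protectors -adbackup C: -id {GUID}" equivalent; needs a domain-joined
        # machine that can reach a domain controller (directly or over VPN).
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Backed up recovery password protector $($p.KeyProtectorId) to Active Directory."
    }
    return $rp.KeyProtectorId
}

function Confirm-RecoveryKeyInAD {
    # Final step of both procedures: check that an msFVE-RecoveryInformation object whose name
    # contains each protector ID exists under this computer's AD object. Only object names are
    # read, not the confidential msFVE-RecoveryPassword attribute.
    param([Parameter(Mandatory)][string[]] $ProtectorIds)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                  -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    $missing = @()
    foreach ($id in $ProtectorIds) {
        $guid = $id.Trim('{', '}')
        if (-not ($stored | Where-Object { $_.Name -like "*$guid*" })) { $missing += $id }
    }
    if ($missing.Count -gt 0) {
        throw "Recovery information not found in AD for protector(s): $($missing -join ', ')"
    }
    Write-Host "All $($ProtectorIds.Count) recovery password protector(s) are stored in AD under $($computer.DistinguishedName)."
}

# Usage: run from an elevated PowerShell on the domain-joined laptop. Enable-OsVolumeEncryption
# is a no-op when C: is already encrypted, which covers the second procedure.
Test-TpmReady
Enable-OsVolumeEncryption
$ids = Backup-RecoveryPasswordToAD
Confirm-RecoveryKeyInAD -ProtectorIds $ids
```

If the final check reports a missing protector, the usual causes are the same as for the batch scripts: the machine cannot reach a domain controller, or the AD schema/permissions for BitLocker recovery information are not in place. The check deliberately matches on the object name (which carries the protector GUID) rather than reading the recovery password itself.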
