Bitlocker Recovery Password saved to file January 22, 2010

Posted by keithga in MDT 2010.

Saw a question posted recently:

In MDT deployment I have Bitlocker set to save the recovery key to AD.  However, I am noticing that it is also copying the recovery key to either C: root or the USB flash drive.  How do I control this behavior?

In MDT 2010, the ZTIBDE.wsf script performs most of the nasty administrative tasks in the background automatically. That is the beauty of MDT. However, some administrators may wish to handle this recovery file differently from the default, which is to save it to the C: drive or to a USB key.

MDT saves the recovery key to a file even when the administrator has told it to save the recovery password to Active Directory. The file is a backup, just in case MDT was *not* able to write the data to AD.

Disable Key Save

There are two ways to prevent ZTIBDE.wsf from saving the recovery password to a file.

Either:

Comment out lines 722 – 724 in the ZTIBDE.wsf script. (MDT 2010 Only).

or:

Set the BDEKeyLocation variable in your CustomSettings.ini file to point to a location that is cleaned up at the end of the Task Sequence:

BDEKeyLocation=%SystemDrive%\minint\

If you don't save the password to a file and the AD backup of the recovery key fails for some reason, you will have no record of the recovery key.
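Because of that risk, it is worth confirming that the AD copy actually exists before trusting the cleanup of the minint folder. The following PowerShell is an added example, not part of the original post or of MDT itself; it assumes English manage-bde output, a domain-joined machine, and that the account running it can read the computer object's msFVE-RecoveryInformation objects in AD.

```powershell
# Added example (not from the original post): check that every BitLocker numerical
# password protector on the OS drive has a matching msFVE-RecoveryInformation object
# in Active Directory, and re-run the AD backup for any that are missing.
# Assumptions: English manage-bde output, domain-joined machine, and the caller
# has read access to the recovery information under the computer object.
param([string]$Drive = 'C:')

# 1. Local side: numerical password protector IDs reported by manage-bde.
$bdeText = (& manage-bde -protectors -get $Drive) -join "`n"
$localIds = [regex]::Matches($bdeText, 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})') |
    ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }
if (-not $localIds) { throw "No numerical password protector found on $Drive" }

# 2. AD side: locate this computer object, then its msFVE-RecoveryInformation children.
$cs = New-Object System.DirectoryServices.DirectorySearcher
$cs.Filter = "(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$cs.PropertiesToLoad.Add('distinguishedName') | Out-Null
$computer = $cs.FindOne()
if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$dn = $computer.Properties['distinguishedname'][0]

$rs = New-Object System.DirectoryServices.DirectorySearcher
$rs.SearchRoot = [ADSI]"LDAP://$dn"
$rs.SearchScope = 'OneLevel'
$rs.Filter = '(objectClass=msFVE-RecoveryInformation)'
$rs.PropertiesToLoad.Add('msFVE-RecoveryGuid') | Out-Null
$adIds = foreach ($r in $rs.FindAll()) {
    # msFVE-RecoveryGuid is stored as an octet string; convert it to the {GUID} form manage-bde prints.
    (New-Object Guid (,[byte[]]$r.Properties['msfve-recoveryguid'][0])).ToString('B').ToUpperInvariant()
}

# 3. Compare. A protector missing from AD means the local file was the only copy.
foreach ($id in $localIds) {
    if ($adIds -contains $id) {
        Write-Host "OK      $id is backed up in AD"
    } else {
        Write-Warning "MISSING $id has no msFVE-RecoveryInformation object; re-running AD backup"
        & manage-bde -protectors -adbackup $Drive -id $id
        if ($LASTEXITCODE -ne 0) {
            Write-Error "AD backup of $id failed (exit $LASTEXITCODE); keep the local recovery file"
        }
    }
}
```

Run it as a post-encryption step (or from a deployment-time script) before the minint folder is removed, so a failed AD backup is caught while the local file still exists.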

Keith

Keith Garner is a Deployment Specialist with Xtreme Consulting Group
