Unable to Force BitLocker\TPM info to AD using Manage-BDE
Hi,

I have a client who has encrypted and saved the TPM and BitLocker recovery information to a flash drive. We are in the process of applying a GPO to mandate that the keys be saved to AD. We have tested this policy out and it is working well.

However, the issue I am having is pushing these keys up to AD manually using the command line, since the policy wasn't applied before the client encrypted. The documentation that Microsoft provides says to run manage-bde -protectors -adbackup c: from an elevated command prompt to push the keys up. After running this command it comes back and says "Error: specifying the parameter '-id' is required to back up recovery information." The Microsoft documentation says that -id is only needed if you want to back up only a single recovery key, so I am confused as to why it prompts me to use it in the first place. I would like to back up the TPM and BitLocker keys.

Anyway, I've tried but failed to use the proper syntax for the -id parameter. Has anyone run into this, or know how to use manage-bde to push existing keys up to AD?

Thanks in advance.
October 23rd, 2009 10:50pm

Hi, I would also like to know the answer to this as I have the same problem. Regs.
December 18th, 2009 10:33am

I have not found a way to backup the existing keys to AD using manage-bde but I was able to do it using WMI.
January 14th, 2010 8:15am

Can you elaborate in more detail?
January 26th, 2010 4:42pm

I have been able to do this successfully now. Here is what you have to do.

Open an elevated command prompt (not PowerShell; PowerShell will cause this to fail with errors) and run the command:

    manage-bde -protectors c: -get

You will receive output similar to this:

    BitLocker Drive Encryption: Configuration Tool version 6.1.7600
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    All Key Protectors

        Numerical Password:
          ID: {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}
          Password:
            527560-068585-114378-134288-010131-496430-662706-631224

        TPM:
          ID: {5EB69F42-4ABC-4D6B-87C5-C894A3840FC4}

What you are looking for is the Numerical Password ID. So in this example, to back up the password to AD you would type the following command:

    manage-bde -protectors c: -adbackup -id {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}

When that completes you will receive the message:

    Recovery information was successfully backed up to Active Directory.

I know the documentation states you do not have to specify the ID, but you do. I hope that helps!
March 12th, 2010 5:01pm

This doesn't seem to work for TPM and PIN: ERROR: An error occurred (code 0x8031003a): The key protector specified cannot be used for this operation.
June 3rd, 2010 12:39am

[quotes the March 12th, 2010 post above in full] PowerShell works if you simply put the ID in single quotes! Ex:

    manage-bde -protectors c: -adbackup -id '{9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}'
May 17th, 2011 3:51pm
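The procedure the thread arrives at (list the protectors, pick the Numerical Password ID, pass it to -adbackup, and quote the braces when calling from PowerShell) plus the WMI route mentioned earlier, as one added PowerShell example. This is not code from the thread or from Microsoft; the function names are my own, the sample -get output is constructed from the IDs posted above, and it assumes manage-bde and the Win32_EncryptableVolume WMI class are available on the encrypted machine, run elevated.

```powershell
# Added example (not code from the thread). Back up every BitLocker numerical
# password (recovery password) protector on a volume to AD DS, the step the
# thread does by hand with "manage-bde -protectors -adbackup -id {GUID}".
# Run from an elevated Windows PowerShell prompt on the encrypted machine.
# Only numerical password protectors can be backed up; TPM and TPM+PIN
# protector IDs are skipped because -adbackup rejects them (0x8031003a).

function ConvertFrom-ManageBdeProtectors {
    # Parse the text of "manage-bde -protectors <vol> -get" and return the IDs
    # of the Numerical Password protectors only (TPM/PIN entries are ignored).
    param([Parameter(Mandatory)][string]$Text)
    $pattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})'
    [regex]::Matches($Text, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAD {
    # manage-bde route: find the numerical password IDs and back each one up.
    param([string]$Volume = 'C:')
    $output = (& manage-bde -protectors $Volume -get 2>&1) -join "`n"
    $ids = @(ConvertFrom-ManageBdeProtectors -Text $output)
    if ($ids.Count -eq 0) {
        throw "No numerical password protector on $Volume; add one with: manage-bde -protectors -add $Volume -RecoveryPassword"
    }
    foreach ($id in $ids) {
        # The braces must be quoted from PowerShell, otherwise {...} is parsed
        # as a script block and manage-bde never sees the ID (the thread's tip).
        $result = & manage-bde -protectors $Volume -adbackup -id "$id" 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Output "Backed up $id from $Volume to AD"
        } else {
            Write-Warning "Backup of $id failed (exit $LASTEXITCODE): $($result -join ' ')"
        }
    }
}

function Backup-RecoveryPasswordToADViaWmi {
    # WMI route: Win32_EncryptableVolume exposes GetKeyProtectors(type) and
    # BackupRecoveryInformationToActiveDirectory(id); no text parsing needed.
    param([string]$Volume = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
    if (-not $vol) { throw "Volume $Volume not found or BitLocker not available" }
    $protectors = $vol.GetKeyProtectors(3)   # 3 = Numerical Password protector type
    foreach ($id in @($protectors.VolumeKeyProtectorID)) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -eq 0) {
            Write-Output "Backed up $id from $Volume to AD (WMI)"
        } else {
            Write-Warning ("Backup of {0} failed: 0x{1:X8}" -f $id, $r.ReturnValue)
        }
    }
}

# Constructed sample of -get output (IDs are the ones posted in the thread),
# used to self-check the parser offline: exactly one ID, and not the TPM one.
$sample = @"
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}
      Password:
        527560-068585-114378-134288-010131-496430-662706-631224

    TPM:
      ID: {5EB69F42-4ABC-4D6B-87C5-C894A3840FC4}
"@
$parsed = @(ConvertFrom-ManageBdeProtectors -Text $sample)
if ($parsed.Count -ne 1 -or $parsed[0] -ne '{9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}') {
    throw "parser self-check failed: $parsed"
}

# Live run on the encrypted machine (elevated); pick either route:
# Backup-RecoveryPasswordToAD -Volume 'C:'
# Backup-RecoveryPasswordToADViaWmi -Volume 'C:'
```

After a run, confirm the backup from the AD side by checking that a msFVE-RecoveryInformation object whose name contains the same GUID now exists under the computer object; a success message from manage-bde only means the write was accepted, not that the value you expect is the one stored.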

Use the script in the blog below: http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx -Manoj (MSFT) Manoj Sehgal
May 17th, 2011 4:22pm
