
Bitlocker Recovery Password saved to file
January 22, 2010

Posted by keithga in MDT 2010.

Saw a question posted recently:

In MDT deployment I have Bitlocker set to save the recovery key to AD.  However, I am noticing that it is also copying the recovery key to either C: root or the USB flash drive.  How do I control this behavior?

In MDT 2010, the ZTIBDE.wsf script performs most of the tedious administrative tasks automatically in the background; that is the beauty of MDT. However, some administrators may wish to handle this recovery file differently from the default, which is to save the file to the C: drive or to a USB key.

MDT saves the recovery password to a file even when the administrator told MDT to store it in Active Directory. This is a backup, in case the escrow to AD fails.

Disable Key Save

There are two ways to prevent ZTIBDE.wsf from saving the recovery password to a file.

Either:

Comment out lines 722 – 724 in the ZTIBDE.wsf script (MDT 2010 only).

or:

Set the BDEKeyLocation variable in your customsettings.ini file to a location that is cleaned up at the end of the Task Sequence:

BDEKeyLocation=%SystemDrive%\minint\

If you don’t save the password to a file and the AD backup of the recovery password fails for some reason, you will have no record of the recovery password for that machine.
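One way to keep the safety net without leaving the recovery password lying around: confirm the escrow to Active Directory succeeded after deployment, and only then remove the local copy. The script below is an added example, not code from the original post or from MDT. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later; on Windows 7 the equivalent is manage-bde -protectors -adbackup), a domain-joined machine, and that the file ZTIBDE.wsf wrote is named "BitLocker Recovery Key*.txt" and lives either in the BDEKeyLocation directory from customsettings.ini, at the root of C:, or at the root of a removable drive; the search roots and file name pattern are assumptions, adjust them to your environment.

```powershell
# Added example (not from the original post or MDT): verify the BitLocker
# recovery password reached Active Directory before deleting the local file.
param(
    [string]$MountPoint = 'C:',
    # Assumed locations to scan; the second matches BDEKeyLocation=%SystemDrive%\minint\
    [string[]]$SearchRoots = @('C:\', 'C:\minint\')
)

function Test-RecoveryPasswordEscrow {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No RecoveryPassword protector found on $MountPoint"
    }
    foreach ($p in $rp) {
        # Re-escrows the protector to AD; -ErrorAction Stop turns a failed
        # backup (not domain joined, schema/ACL problem) into a terminating error.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }
    return $true
}

function Find-StrayRecoveryFiles {
    param([string[]]$Roots)
    # Also check the root of every removable drive (DriveType 2), the other
    # default location where the recovery file may have been written.
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID + '\' }
    foreach ($r in ($Roots + $removable)) {
        if (Test-Path -Path $r) {
            # File name pattern is an assumption; adjust if your copy differs.
            Get-ChildItem -Path $r -Filter 'BitLocker Recovery Key*.txt' -File `
                -ErrorAction SilentlyContinue
        }
    }
}

if (Test-RecoveryPasswordEscrow -MountPoint $MountPoint) {
    foreach ($f in @(Find-StrayRecoveryFiles -Roots $SearchRoots)) {
        Write-Output "AD escrow confirmed; removing local copy $($f.FullName)"
        Remove-Item -Path $f.FullName -Force
    }
}
```

Run it as a final Task Sequence step or from a post-deployment compliance job. Because the escrow check throws before any file is touched, a machine whose AD backup failed keeps its local recovery file and surfaces as an error you can act on, rather than silently ending up with no known recovery method.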

Keith

Keith Garner is a Deployment Specialist with Xtreme Consulting Group

Comments

1. Aaron Froberg - February 23, 2011

What if you have the GP set to not enable BitLocker until the recovery key has been stored successfully? Does this script somehow override that and thus cause some machines to be encrypted with no known recovery method?

