Get Password ID using manage-bde

Question

Get Password ID using manage-bde

Anonymous

Hi there.

I'm trying to script the combination between 2 commands.

manage-bde -protectors -get C:
manage-bde -protectors -adbackup C: -id{XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

because I need to do it on ~800 computers.

I'm doing like this:

FOR /F "tokens=1" %%G IN ('manage-bde -protectors -get C:') DO SET _IDKey=%%G

By doing it, for the following command result, I can only get {YYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY} and 123456-123456-123456-123456-123456-123456-123456-123456.
Is there any way of getting {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} instead?

C:\windows\system32>manage-bde -protectors -get C:
BitLocker Drive Encryption: Configuration Tool version 10.0.18362
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

Password:
  ID: {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Numerical Password:
  ID: {YYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
  Password:
    123456-123456-123456-123456-123456-123456-123456-123456

Thank you in advanced.
Hugo Cruz

Accepted answer

1 additional answer

Your answer

Answer 1

Bagitman 596

Hi.

Recently, someone else had the same question.

My advice is and was: let go of the idea to find computers without keys in AD and rather save the keys to AD now!

Just deploy an immediate scheduled task to all computers that consists of this single batch line:

for /f "tokens=1,2" %%a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %%b
Please note: this is only for the c: drive. For d:/... additional lines need to be added, just exchange C: for D: and so on. You can of course use errorcontrol to see if it fails (why should it? never saw that fail)::

for /f "tokens=1,2" %%a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %%b || echo ADBackup of C: key failed on %computername%>>\server\share\%computername%.txt

Please note that this code was copied from "Ronald Schilf", my old MS technet forums identity which I had to give up, because Microsoft migrated Technet to "answers" without allowing my ID to logon to answers.

Anonymous

2021-01-27T16:14:55.76+00:00
Hi @Bagitman , thanks for your answer.

I've noticed that I'm trying to get the wrong ID.
I've solved it by doing this

@Echo OFF
CLS

FOR /F "tokens=2" %%G IN ('manage-bde -protectors -get C:') DO SET _IDKey=%%G SET _CommandCommand=manage-bde -protectors -adbackup C: -id SET _FullCommand=%_CommandCommand% %_IDKey% %_FullCommand% PAUSE

maybe this is not the most clever way of getting this done but it´s working!!

However, I've read your script line, and.... you did it in a much simple and clear way.
I've adopted your solution for me. Hope you won't request royalties for that.
Thanks a lot!!!!!
Bagitman 596 Reputation points

2021-01-27T19:49:39.9+00:00

You are welcome.

Answer 2

Anonymous

Hi，

To get {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} you can do it like this

SETLOCAL ENABLEDELAYEDEXPANSION
SET count=1
FOR /F "tokens=2" %%G IN ('manage-bde -protectors -get C:^|findstr ID') DO (
SET var!count!=%%G
SET /a count=!count!+1
)
echo %var1%

Best Regards，
Ian Xue

Share via

Get Password ID using manage-bde

for /f "tokens=1,2" %%a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %%b || echo ADBackup of C: key failed on %computername%>>\server\share\%computername%.txt

1 additional answer

Your answer