Saving Bitlocker Recovery Key to AD

  • Question

  • Hi,

    This is probably a very simple question, but I'm trying to back up the BitLocker recovery key to AD. How do I need to modify the script so that it does this for all BitLocker-enabled volumes the machine might have?

    I can do it like this, but this doesn't feel like a very optimal way, and there is a possibility that it misses a drive because the drive letters are hard-coded in my script.

    $BLV = Get-BitLockerVolume -MountPoint "C:"
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
    
    $BLV = Get-BitLockerVolume -MountPoint "D:"
    Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
    
    $BLV = Get-BitLockerVolume -MountPoint "E:"
    Backup-BitLockerKeyProtector -MountPoint "E:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

    Edit:

    Figured it out (just learning powershell...)

    foreach ($volume in Get-BitLockerVolume) {
        Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint -KeyProtectorId $volume.KeyProtector[1].KeyProtectorId
    }

    Even better ways?


    • Edited by DamonWH Wednesday, November 8, 2017 7:46 PM
    Wednesday, November 8, 2017 7:33 PM

Answers

  • Hi,

    Based on my research, you could have a try with the following command, the result should be the same. For your reference, hope it is helpful to you:
    Get-BitLockerVolume | ForEach-Object {Backup-BitLockerKeyProtector -MountPoint $_.MountPoint -KeyProtectorId $_.KeyProtector[1].KeyProtectorId}

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by DamonWH Thursday, November 9, 2017 4:36 PM
    Thursday, November 9, 2017 5:19 AM

All replies

  • "Even better ways?" - yes, much better ways. Use a GPO to enforce automated AD backup and also enforce that encryption cannot start without first performing the key backup. No script needed at all. See the lower three options in this screenshot:

    Please note that the screenshot is showing the GPO for fixed drives. There are 2 similar GPOs for removable drives and for OS drives which need to be activated as well.
    Thursday, November 9, 2017 8:29 AM
  • Yes, but the problem with that GPO is that it doesn't collect BL keys from machines that were encrypted before the GPO was applied. There were some machines that were protected with BitLocker before the GPOs were in place.
    Thursday, November 9, 2017 4:35 PM
  • Thanks!
    Thursday, November 9, 2017 4:36 PM
  • One problem with this method: it fails to get the recovery password from any drive other than C.
    Thursday, November 9, 2017 8:15 PM
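The failure on drives other than C comes from hard-coding `KeyProtector[1]`: the recovery password is not at the same index on every volume, and a data drive may have no recovery password protector at all. The script below is an added example, not code posted in this thread; it selects protectors by type, adds a recovery password where one is missing (an assumption about the desired behaviour), and reports the backup result per volume. It assumes the BitLocker module, an elevated session and a domain-joined machine whose GPO permits storing recovery information in AD DS.

```powershell
# Added example (not from this thread): escrow every volume's recovery
# password to AD by selecting the protector by type rather than by index.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Backup-AllBitLockerRecoveryKeysToAD {
    [CmdletBinding()]
    param()

    foreach ($volume in Get-BitLockerVolume) {
        $mount = $volume.MountPoint

        # A fully decrypted volume with no protectors has nothing to escrow.
        if ($volume.VolumeStatus -eq 'FullyDecrypted' -and $volume.KeyProtector.Count -eq 0) {
            Write-Verbose "$mount is not BitLocker-protected, skipping"
            continue
        }

        # The recovery password is often KeyProtector[0] on data drives and
        # [1] on the OS drive, so filter on the type instead of an index.
        $recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # Assumption: a protected volume without a recovery password gets one
        # added, otherwise there is nothing AD could store for it.
        if ($recovery.Count -eq 0) {
            Write-Verbose "$mount has no recovery password protector, adding one"
            Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
            $recovery = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        # Back up each recovery password protector and emit one result row per protector.
        foreach ($kp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                [pscustomobject]@{ MountPoint = $mount; KeyProtectorId = $kp.KeyProtectorId; Result = 'BackedUp' }
            } catch {
                [pscustomobject]@{ MountPoint = $mount; KeyProtectorId = $kp.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

Backup-AllBitLockerRecoveryKeysToAD -Verbose | Format-Table -AutoSize
```

A `Failed` row usually means the GPO "Choose how BitLocker-protected drives can be recovered" does not allow AD DS backup for that drive type, or the machine cannot reach a domain controller, so check those before re-running.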