BitLocker PowerShell Script Backup Encrypted Keys (How and Why)

BitLocker is a great out-of-the-box encryption tool for disk volumes. If you read about this technology, you realize that the most challenging part is the disk recovery key and how to maintain and back it up.

Well, Microsoft did a great job documenting different ways of doing that. One of those methods is to back up the keys to Active Directory. Simple and easy, and you can even control this behavior via Group Policy.

Problem

Let me describe the problem with BitLocker AD key backup and recovery.

Imagine that you enabled BitLocker key recovery in Active Directory. This simply creates one entry per volume in a specific multi-valued attribute (actually a child object of class msFVE-RecoveryInformation) under the computer object.


Now, suppose that you have deleted the computer object from AD.

Or think about this scenario: the computer has a C drive with the OS and a D drive for data, and both are BitLocker encrypted. You decide to rebuild the C drive and join the machine to the domain again, so you format the C drive and delete the computer object from AD so that you can rejoin it. Now think about the recovery key for the D drive in this scenario: it was lost the moment you deleted the computer object.

Bad things happen, and believe me, you will always find yourself in a situation where computer objects get deleted, even as part of an organized cleanup process.

You will end up falling back to an AD restore or the AD Recycle Bin, and believe me, they are not that easy to deal with.

Solution !!!

I have created a simple script that needs only read access to Computer objects and to BitLocker Recovery Information.

(Read this blog for information about how to delegate permissions to read BitLocker Information)

Now here is the script. It goes through all computer objects in your Active Directory and creates a CSV file with the recovery keys of every BitLocker-protected computer. You can schedule it to run daily, keep the CSV files for a month, and automatically delete the oldest ones.

This way, you will have a solid place to go to when someone has deleted a computer object and you need the BitLocker recovery key. Believe me, this has helped me a lot.

Note: the machine from which the script runs needs the Quest Active Directory PowerShell commands (ActiveRoles Management Shell). You can download them from here: http://www.quest.com/powershell/activeroles-server.aspx

Script Output

A CSV file with Object Name, Computer Name, and other attributes. The most important one is the (Recovery Password) field. This is the value you use to unlock the BitLocker volume.
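As an added example (not the author's Get-ADBitLockerInfo.ps1), here is the same collection done with the built-in ActiveDirectory module instead of the Quest cmdlets: it walks the computer objects, reads each msFVE-RecoveryInformation child, writes a dated CSV, and prunes old exports. The parameter names, the 30-day retention default and the file naming are assumptions.

```powershell
# Added example, not the author's Get-ADBitLockerInfo.ps1. Uses the RSAT
# ActiveDirectory module; needs read access to computer objects and to the
# msFVE-RecoveryInformation objects beneath them.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath,              # folder that receives the dated CSV (assumed name)
    [string]$OrganizationalUnit,    # optional search base, e.g. "OU=LON,DC=CONTOSO,DC=COM"
    [int]$RetentionDays = 30        # delete older CSV files in $FilePath (assumed default)
)
Import-Module ActiveDirectory -ErrorAction Stop

# Validate the OU before searching so a typo fails fast with a clear message.
if ($OrganizationalUnit) {
    if (-not [ADSI]::Exists("LDAP://$OrganizationalUnit")) {
        throw "OU '$OrganizationalUnit' was not found in the directory."
    }
    $computers = Get-ADComputer -Filter * -SearchBase $OrganizationalUnit
} else {
    $computers = Get-ADComputer -Filter *
}

$rows = foreach ($c in $computers) {
    # Recovery information lives in child objects of the computer, one per protected volume.
    $keys = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword','msFVE-RecoveryGuid','msFVE-VolumeGuid','whenCreated'
    foreach ($k in $keys) {
        [pscustomobject]@{
            ComputerName     = $c.Name
            ObjectName       = $k.Name
            ComputerDN       = $c.DistinguishedName
            RecoveryPassword = $k.'msFVE-RecoveryPassword'
            RecoveryGuid     = [guid]$k.'msFVE-RecoveryGuid'   # stored as octet string in AD
            VolumeGuid       = [guid]$k.'msFVE-VolumeGuid'
            KeyCreated       = $k.whenCreated
        }
    }
}

# One dated file per run. The folder must be ACL-restricted: the CSV holds usable recovery passwords.
$out = Join-Path $FilePath ("ADBitLockerKeys_{0:yyyyMMdd}.csv" -f (Get-Date))
$rows | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8

# Keep a rolling window of exports, as the post suggests, and drop the oldest automatically.
Get-ChildItem -Path $FilePath -Filter 'ADBitLockerKeys_*.csv' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force
```

Run it from a scheduled task under an account that has only read rights on computer objects and the BitLocker recovery attributes, and point -FilePath at a folder that only key-recovery staff can read.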

AD BitLocker Key Recovery

Download the script 

You can download the script from here Get-ADBitLockerInfo

Examples

.EXAMPLE

 Collect information from the whole directory and save the output CSV file to C:\Scripts

.\Get-ADBitLockerInfo.ps1 $filepath C:\scripts

.EXAMPLE

 Collect information from the whole directory and save the output CSV file to the current directory

.\Get-ADBitLockerInfo.ps1 $filepath .\

.EXAMPLE

 Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts

.\Get-ADBitLockerInfo.ps1 $filepath C:\scripts -OrganizationalUnit "OU=LON,DC=CONTOSO,DC=COM"

15 comments on "BitLocker PowerShell Script Backup Encrypted Keys (How and Why)"

  1. Hi Ammar, is it possible to import a file with computer names, so this script only queries BitLocker info for some computers and not the entire AD?

    thanks!

  2. Ammar, thanks for the script, I am having an issue with it where the script runs fine, no errors, but the recovery key column is completely blank. Any ideas what I might be doing wrong?

    Keith

  3. Does not work with a German Windows Server 2012 R2.
    No way, it always shows up “Ops !!! Your OU Filter seems wrong… Try again, Example is : “OU=Workstaions,OU=NYC,DC=Contoso,DC=COM”.
    We definitely used the correct OU and DCs.
    Any idea what else could cause the problem?
    Thanks a lot,
    Armin

  4. Found Quest Active Directory PowerShell command here: http://www.powershelladmin.com/wiki/Quest_activeroles
    and even the older version worked for me.

    Needed to enter the following to get past some error about digital signing:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    Also it seems the script has changed or more likely I don’t know what I’m doing but I couldn’t get the examples to work as shown. Just got errors. Again, I don’t know what I’m doing! 🙂

    But simply entering the following, prompted for a path and then it worked like a charm.
    .\get-adbitlockerinfo.ps1

  5. use the powershell intellisense to get the command parameters. example $filepath = -file ad -OrganizationalUnit = -OU

  6. Great script! It is VERY helpful. I have one issue. If I run the script without parameters and fill in the filepath variable, it works. With this, I am not able to specify an OU. If I list the parameters per the examples, I get an error (listed below). Did I miss something in the setup or permissions?

    PS C:\utility> .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -Organiz
    ationalUnit “OU=Raleigh,DC=abc,DC=com”
    C:\utility\Get-ADBitLockerInfo.ps1 : A parameter cannot be found that matches
    parameter name ‘OrganizationalUnit’.
    At line:1 char:58
    + .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -OrganizationalUnit
    “OU …
    + ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADBitLockerInfo.ps1],
    ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Get-ADBitLockerInfo.ps1
