BitLocker is a great out-of-the-box encryption tool for disk volumes. If you know this technology, you realize that the most challenging part of deploying BitLocker is the disk recovery key and how to back it up. With any encryption, the challenge is always making sure you still have the decryption key. Decryption keys never expire and should always be archived somewhere. How to back up BitLocker keys is a fundamental piece of knowledge that you should look at and consider if you are deploying BitLocker.
Well, Microsoft did a great job documenting different ways of doing that. One of those methods is to back up the keys to Active Directory. Simple, easy, and you can even control this behavior via Group Policy.
Problem
Let me describe the problem with BitLocker AD key backup and recovery. Imagine that you have enabled BitLocker key recovery in Active Directory. This simply creates an entry per volume on a specific multi-value attribute of the computer object in Active Directory. So if you have a computer with two disks, and both are encrypted with BitLocker, then the computer object of that computer will have two entries representing the volume recovery key for each disk.
Things can turn nasty if you delete that computer object from Active Directory. Think about this scenario. A computer has a C drive with the OS and a D drive for data, both encrypted with BitLocker. You decide to format the C drive and join the computer to the domain again, so you format the C drive, delete the computer object from AD, and join it to the domain again. Now think about the recovery key for the D drive in this scenario. It is lost the moment you delete the computer object.
Bad things happen, and believe me, you will always find yourself in a situation where computer objects get deleted, even as part of an organized cleanup process. You will end up going back to an AD restore or the AD Recycle Bin, and believe me, they are not that easy to deal with.
How to backup BitLocker Keys
What actually lets me sleep at night is the insurance that, whatever happens in Active Directory, I can always recover disks encrypted with BitLocker. So I created a simple script that goes to each computer account in Active Directory, reads the BitLocker volume recovery keys, and stores that data in a CSV file. I even made a scheduled task that runs the script every week and produces a CSV file with those recovery keys. If something goes wrong and I want to recover data on an encrypted disk, I can always go back to the latest CSV file.
The script needs to be run using an account that has read access to computer objects and BitLocker recovery information. You can read this article, which shows how to delegate access to an account so that it can read BitLocker recovery information.
Note: The machine from which the script runs should have the Quest Active Directory PowerShell extensions installed.
Script Output
The “How to backup BitLocker Keys” script outputs a CSV file with Object Name, Computer Name, and other attributes. The most important one is the Recovery Password field. This is the one you can use to unlock a BitLocker volume.
Download the script
The “How to backup BitLocker Keys” script can be downloaded from the Microsoft TechNet Gallery.
Examples
Collect information from the whole directory and save the output CSV file to C:\Scripts:
.\Get-ADBitLockerInfo.ps1 -filepath C:\scripts
Collect information from the whole directory and save the output CSV file to the current directory:
.\Get-ADBitLockerInfo.ps1 -filepath .\
Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts:
.\Get-ADBitLockerInfo.ps1 -filepath C:\scripts -OrganizationalUnit "OU=LON,DC=CONTOSO,DC=COM"
Hi Ammar, is it possible to import a file with computer names, so this script only queries BitLocker info for some computers, not the entire AD?
thanks!
This requires redesigning the script, as I start by looking at AD objects with a specific type. Can you tell me more about your need in detail, please?
Ammar, thanks for the script, I am having an issue with it where the script runs fine, no errors, but the recovery key column is completely blank. Any ideas what I might be doing wrong?
Keith
Hi, I'm travelling for a week and then will look at this.
I actually have the same issue. It's not essential, but it would be super nice to have it working as intended. Thanks a TON!!!
I guess this may be permission issue.
Yes, I actually believe it was. Odd but true – tried on a different system and it worked as intended. Combined with a freebie .CSV viewer, it's one nice tool.
Thanks and keep up good work! 🙂
Hi guys, have you checked if it is a permissions issue?
Check this out http://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-active-directory/
Does not work with a German Windows Server 2012 R2.
No way, it always shows up “Ops !!! Your OU Filter seems wrong… Try again, Example is : “OU=Workstaions,OU=NYC,DC=Contoso,DC=COM”.
We definitely used the correct OU and DCs.
Any idea what else could cause the problem?
Thanks a lot,
Armin
Not sure 🙁
Found the Quest Active Directory PowerShell commands here: http://www.powershelladmin.com/wiki/Quest_activeroles
and even the older version worked for me.
I needed to enter the following to get past an error about digital signing:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Also, it seems the script has changed, or more likely I don't know what I'm doing, but I couldn't get the examples to work as shown. Just got errors. Again, I don't know what I'm doing! 🙂
But simply entering the following prompted for a path, and then it worked like a charm.
.\get-adbitlockerinfo.ps1
Use the PowerShell IntelliSense to get the command parameters. Example: $filepath = -file ad -OrganizationalUnit = -OU
Great script! It is VERY helpful. I have one issue. If I run the script without parameters and fill in the filepath variable, it works. With this, I am not able to specify an OU. If I list the parameters per the examples, I get an error (listed below). Did I miss something in the setup or permissions?
PS C:\utility> .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -OrganizationalUnit “OU=Raleigh,DC=abc,DC=com”
C:\utility\Get-ADBitLockerInfo.ps1 : A parameter cannot be found that matches parameter name ‘OrganizationalUnit’.
At line:1 char:58
+ .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -OrganizationalUnit “OU …
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADBitLockerInfo.ps1], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Get-ADBitLockerInfo.ps1
-OU
Looking forward to using this script, not looking forward to installing an unnecessary PS tool from a bygone era. While the Quest AD PS tools had their place, MS native PS has grown to the point where this should not be necessary. Any chance you are going to revisit this masterful script and update it to run natively in MS PS *without* the requirement for a defunct set of tools?
I wrote this a long time ago, but I understand your concern. I think I used the Quest PowerShell module to get the BitLocker recovery object using [Get-QADObject -LdapFilter ‘(objectcategory=msFVE-RecoveryInformation)’]. That’s it. If you know how to retrieve such an object from native commands and with [cn,name,type,msFVE-RecoveryGuid,msFVE-RecoveryPassword,ParentContainer,instanceType,objectCategory,objectClass] properties, then it is a matter of replacing that one line of code.
Btw, I do not use anything now that is not native commands 🙂 Thanks for sharing your thoughts
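As an added example that is not the post's script, not Microsoft's code and not the author's reply, here is the collector the post describes (walk the directory, read each volume's BitLocker recovery information, write a CSV) written against the native ActiveDirectory module, which is also the one-line Quest replacement asked about in the last comment. It assumes Windows PowerShell 5.1 or later with the RSAT ActiveDirectory module installed, an account that has been delegated read access to BitLocker recovery information, and parameter names (-FilePath, -OrganizationalUnit) and the output file name chosen to mirror the post's examples; none of those come from the original script.

```powershell
# Added example, not the post's script: the same collector written against the
# native ActiveDirectory module (RSAT) instead of Quest's Get-QADObject.
# Assumes the running account has been delegated read access to BitLocker
# recovery information; -FilePath and -OrganizationalUnit mirror the post's examples.
[CmdletBinding()]
param(
    # Folder that receives the CSV
    [Parameter(Mandatory = $true)]
    [string]$FilePath,

    # Optional OU to limit the search, e.g. "OU=LON,DC=CONTOSO,DC=COM"; default is the whole domain
    [string]$OrganizationalUnit
)

Import-Module ActiveDirectory -ErrorAction Stop

if ([string]::IsNullOrWhiteSpace($OrganizationalUnit)) {
    $OrganizationalUnit = (Get-ADDomain).DistinguishedName
}

# Fail early with a readable message if the DN does not exist, instead of silently returning nothing
try {
    $null = Get-ADObject -Identity $OrganizationalUnit -ErrorAction Stop
} catch {
    throw "OU '$OrganizationalUnit' was not found. Expected a DN such as OU=LON,DC=CONTOSO,DC=COM"
}

# Each BitLocker-protected volume is one msFVE-RecoveryInformation object stored as a child
# of its computer object. This single subtree search is the native replacement for the
# Quest line Get-QADObject -LdapFilter '(objectcategory=msFVE-RecoveryInformation)'.
$recoveryObjects = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -SearchBase $OrganizationalUnit -SearchScope Subtree `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

$rows = foreach ($obj in $recoveryObjects) {
    # The parent of the recovery object is the computer itself; split on the first
    # unescaped comma so "CN=<date>{<guid>},CN=PC01,OU=..." yields "CN=PC01,OU=..."
    $computerDn   = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
    $computerName = ($computerDn -split '(?<!\\),', 2)[0] -replace '^CN=', ''

    # The GUIDs are octet strings (byte[]) in AD; the text form is what manage-bde -protectors shows
    $recoveryGuid = if ($obj.'msFVE-RecoveryGuid') { [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid') } else { $null }
    $volumeGuid   = if ($obj.'msFVE-VolumeGuid')   { [guid]::new([byte[]]$obj.'msFVE-VolumeGuid') }   else { $null }

    [pscustomobject]@{
        ComputerName     = $computerName
        ComputerDN       = $computerDn
        ObjectName       = $obj.Name
        RecoveryGuid     = $recoveryGuid
        VolumeGuid       = $volumeGuid
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        WhenCreated      = $obj.whenCreated
    }
}

$timestamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile   = Join-Path -Path $FilePath -ChildPath "BitLockerRecoveryKeys-$timestamp.csv"
$rows | Sort-Object ComputerName, WhenCreated | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# A blank RecoveryPassword column with no errors (the symptom reported in the comments) means the
# account can see the recovery objects but cannot read msFVE-RecoveryPassword: fix the delegation, not the script.
$blank = @($rows | Where-Object { [string]::IsNullOrEmpty($_.RecoveryPassword) }).Count
if ($blank -gt 0) {
    Write-Warning "$blank of $(@($rows).Count) recovery objects returned an empty msFVE-RecoveryPassword; check that read access to BitLocker recovery information was delegated."
}
Write-Output "Wrote $(@($rows).Count) recovery entries to $outFile"
```

Run it the same way as the post's examples, for instance `.\Get-ADBitLockerInfo-Native.ps1 -FilePath C:\Scripts -OrganizationalUnit "OU=LON,DC=CONTOSO,DC=COM"` (the file name is assumed). One subtree search replaces a per-computer loop, and the parent DN of each recovery object gives the computer name, so a computer with two encrypted volumes produces two rows as the post describes. The resulting CSV unlocks every volume it lists, so the folder it lands in deserves at least the same access restrictions as the AD delegation that let the script read the keys.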