
How to backup BitLocker keys and save the day


BitLocker is a great out-of-the-box encryption tool for disk volumes. If you know this technology, you realize that the most challenging part of deploying BitLocker is the disk recovery key and how to back it up. Whenever encryption is involved, the hard part is making sure you still have the decryption key. Decryption keys never expire and should always be archived somewhere. How to back up BitLocker keys is a fundamental piece of knowledge that you should look at and consider if you are deploying BitLocker.

Well, Microsoft did a great job documenting the different ways of doing that. One of those methods is to back up the keys to Active Directory. It is simple and easy, and you can even control this behavior via Group Policy.

Problem

Let me describe the problem with BitLocker AD key backup and recovery. Imagine that you have enabled BitLocker key recovery in Active Directory. This simply creates one entry per volume in a specific multi-valued attribute on the computer object in Active Directory. So if you have a computer with two disks, and both are encrypted with BitLocker, then the computer object of that computer will have two entries, one representing the volume recovery key of each disk.


Things can turn nasty if you delete that computer object from Active Directory. Think about this scenario as well. A computer has a C drive with the OS and a D drive for data, and both are encrypted with BitLocker. You decide to format the C drive and join the machine to the domain again, so you format the C drive, delete the computer object from AD, and join it to the domain again. Now think about the recovery key for the D drive in this scenario. It is lost the moment you deleted the computer object.

Bad things happen, and believe me, you will always find yourself in a situation where computer objects get deleted, even as part of an organized cleanup process. You end up going back to an AD restore or the AD Recycle Bin, and believe me, they are not that easy to deal with.
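The scenario above is recoverable only if the data volume's recovery password is escrowed again under the new computer object. The following is an added example, not part of the original post, that uses the built-in BitLocker module (Get-BitLockerVolume and BackupToAD-BitLockerKeyProtector, available on Windows 8 / Server 2012 and later) to push every local volume's recovery password into the computer's current AD object and report what happened per volume. It assumes the Group Policy setting that stores BitLocker recovery information in AD DS is applied to the machine, and that it runs elevated on the client itself.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
# Added example (not the author's script): re-escrow every local volume's
# BitLocker recovery password into Active Directory and report the outcome.
# Assumes the "store recovery information in AD DS" policy applies to this host.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Volumes that are not encrypted have nothing to escrow.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Status = 'NotEncrypted'; ProtectorId = $null }
        continue
    }

    # Only the numerical recovery password protector can be stored in AD.
    $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        # Encrypted, but with no recovery password: the key exists nowhere but on this machine.
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Status = 'NoRecoveryPasswordProtector'; ProtectorId = $null }
        continue
    }

    foreach ($protector in $recoveryProtectors) {
        try {
            BackupToAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'EscrowedToAD'
        }
        catch {
            # Typical causes: machine not domain joined, policy missing, or no write access to the computer object.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Status = $status; ProtectorId = $protector.KeyProtectorId }
    }
}

$report | Format-Table -AutoSize
```

Any row that reports NoRecoveryPasswordProtector is the real risk: that volume cannot be escrowed at all until a recovery password protector is added to it, so this report is worth running after a rejoin and as a periodic check rather than only when a disk needs to be recovered.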

How to backup BitLocker Keys

What actually lets me sleep at night is the assurance that whatever happens in Active Directory, I can always recover disks encrypted with BitLocker. So I created a simple script that goes to each computer account in Active Directory, reads the BitLocker volume recovery keys, and stores that data in a CSV file. I even made a scheduled task that runs the script every week and produces a CSV file with those recovery keys. If something goes wrong and I want to recover data on an encrypted disk, I can always go back to the latest CSV file.

The script needs to be run using an account that has read access to computer objects and BitLocker recovery information. You can read this article, which shows how to delegate access to an account so that it can read BitLocker recovery information.

Note: The machine from which the script will run should have the Quest Active Directory PowerShell extensions installed.

Script Output

The “How to backup BitLocker Keys” script will output a CSV file with Object Name, Computer Name, and other attributes. The most important one is the Recovery Password field. This is the one that you can use to unlock a BitLocker volume.


Download the script

The “How to backup BitLocker Keys” script can be downloaded from the Microsoft TechNet Gallery.

Examples

 Collect information from the whole directory and save the output CSV file to C:\Scripts

 Collect information from the whole directory and save the output CSV file current directory

 Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisory with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional. Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.

17 Comments

  1. Ray

    Hi Ammar, is it possible to import a file with computer names, so this script only queries BitLocker info for some computers, not the entire AD?

    thanks!

    Reply
  2. ammar hasayen

    This requires redesigning the script, as I start by looking at AD objects with a specific type. Can you tell me more about your need in detail, please?

    Reply
  3. Keith

    Ammar, thanks for the script, I am having an issue with it where the script runs fine, no errors, but the recovery key column is completely blank. Any ideas what I might be doing wrong?

    Keith

    Reply
    • ammar hasayen

      Hi, I'm travelling for a week and then will look at this.

      Reply
    • E.T.

      I actually have the same issue. It's not essential, but it would be super nice to have it working as intended. Thanks a TON!!!

      Reply
        • Eugene

          Yes, I actually believe it was. Odd but true – tried on a different system and it worked as intended. Combined with a freebie .CSV viewer, it's one nice tool.

          Thanks and keep up the good work! 🙂

          Reply
  4. ammar hasayen

    Hi guys, have you checked if it is a permissions issue?

    Reply
  5. Armin

    Does not work with a German Windows Server 2012 R2.
    No way, it always shows up “Ops !!! Your OU Filter seems wrong… Try again, Example is : “OU=Workstaions,OU=NYC,DC=Contoso,DC=COM”.
    We definitely used the correct OU and DCs.
    Any idea what else could cause the problem?
    Thanks a lot,
    Armin

    Reply
  6. kayem68

    Found Quest Active Directory PowerShell command here: http://www.powershelladmin.com/wiki/Quest_activeroles
    and even the older version worked for me.

    Needed to enter the following to get past some error about digital signing:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    Also it seems the script has changed or more likely I don’t know what I’m doing but I couldn’t get the examples to work as shown. Just got errors. Again, I don’t know what I’m doing! 🙂

    But simply entering the following, prompted for a path and then it worked like a charm.
    .\get-adbitlockerinfo.ps1

    Reply
  7. Joakim Tomren

    Use the PowerShell IntelliSense to get the command parameters. Example: $filepath = -file ad -OrganizationalUnit = -OU

    Reply
  8. Tony

    Great script! It is VERY helpful. I have one issue. If I run the script without parameters and fill in the filepath variable, it works. With this, I am not able to specify an OU. If I list the parameters per the examples, I get an error (listed below). Did I miss something in the setup or permissions?

    PS C:\utility> .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -OrganizationalUnit "OU=Raleigh,DC=abc,DC=com"
    C:\utility\Get-ADBitLockerInfo.ps1 : A parameter cannot be found that matches
    parameter name 'OrganizationalUnit'.
    At line:1 char:58
    + .\get-ADBitLockerInfo.ps1 $filepath c:\utility\Bitlocker -OrganizationalUnit "OU ...
    + ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADBitLockerInfo.ps1],
    ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Get-ADBitLockerInfo.ps1

    Reply
    • Joakim Tomren

      -OU

      Reply
  9. Craig TAte

    Looking forward to using this script, not looking forward to installing an unnecessary PS tool from a bygone era. While the Quest AD PS tools had their place, MS native PS has grown to the point where this should not be necessary. Any chance you are going to revisit this masterful script and update it to run natively in MS PS *without* the requirement for a defunct set of tools?

    Reply
    • Ammar Hasayen

      I wrote this a long time ago, but I understand your concern. I think I used the Quest PowerShell Module to get the BitLocker recovery object using [Get-QADObject -LdapFilter ‘(objectcategory=msFVE-RecoveryInformation)’]. That’s it. If you know how to retrieve such an object from native commands and with [cn,name,type,msFVE-RecoveryGuid,msFVE-RecoveryPassword,ParentContainer,instanceType,objectCategory,objectClass] properties, then it is a matter of replacing that one line of code.

      Btw, I do not use anything now that is not native commands 🙂 Thanks for sharing your thoughts

      Reply
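The author's reply above names the one Quest call the script depends on (Get-QADObject with an LDAP filter for msFVE-RecoveryInformation), and the first comment asks for a way to limit the export to a list of computers. The following added example, which is not the TechNet Gallery script and not the author's code, does the same export with the native ActiveDirectory module (Get-ADObject, Get-ADDomain) and adds that computer-name filter. It assumes RSAT's ActiveDirectory module, PowerShell 5.1 or later, and an account delegated read access to BitLocker recovery information; the script file name Export-BitLockerRecoveryInfo.ps1 and the parameter names FilePath, OU and ComputerName are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the author's script): export every BitLocker recovery
# password held in AD to a CSV using the native ActiveDirectory module.
# Script name and parameter names are assumptions made for this example.
[CmdletBinding()]
param(
    # Folder that receives the CSV; defaults to the current directory.
    [string]$FilePath = (Get-Location).Path,

    # Optional OU distinguished name that limits the search.
    [string]$OU,

    # Optional list of computer names to keep; all other rows are dropped.
    [string[]]$ComputerName
)

if (-not (Test-Path -Path $FilePath -PathType Container)) {
    throw "Output folder '$FilePath' does not exist."
}

# Validate the OU before searching, the same check the original script does
# with its "OU Filter seems wrong" message.
if ($OU -and -not [adsi]::Exists("LDAP://$OU")) {
    throw "OU '$OU' was not found. Example: OU=Workstations,OU=NYC,DC=Contoso,DC=COM"
}
$searchBase = if ($OU) { $OU } else { (Get-ADDomain).DistinguishedName }

# Recovery passwords live in msFVE-RecoveryInformation objects that are
# children of the computer object, which is why deleting the computer
# object takes every volume's recovery password with it.
$recoveryObjects = Get-ADObject -SearchBase $searchBase -SearchScope Subtree `
    -LDAPFilter '(objectCategory=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

# Split a DN on unescaped commas only, so "CN=Smith\, John,OU=..." stays intact.
$dnSeparator = '(?<!\\),'

$rows = foreach ($obj in $recoveryObjects) {
    # The parent DN (everything after the first RDN) is the computer object.
    $computerDN = ($obj.DistinguishedName -split $dnSeparator, 2)[1]
    $guidBytes  = [byte[]]$obj.'msFVE-RecoveryGuid'
    # The GUID is stored as an octet string; PowerShell 5+ can build a Guid from the bytes.
    $recoveryGuid = if ($guidBytes) { [guid]::new($guidBytes).Guid } else { $null }

    [pscustomobject]@{
        ComputerName     = (($computerDN -split $dnSeparator)[0]) -replace '^CN=', ''
        ComputerDN       = $computerDN
        ObjectName       = $obj.Name   # backup timestamp plus the password ID shown on the recovery screen
        RecoveryGuid     = $recoveryGuid
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        Created          = $obj.whenCreated
    }
}

if ($ComputerName) {
    $rows = $rows | Where-Object { $ComputerName -contains $_.ComputerName }
}

$outFile = Join-Path -Path $FilePath -ChildPath ("BitLockerRecovery-{0:yyyy-MM-dd}.csv" -f (Get-Date))
$rows | Sort-Object ComputerName, Created | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $(@($rows).Count) recovery entries to $outFile"
```

Usage mirrors the original examples: `.\Export-BitLockerRecoveryInfo.ps1 -FilePath C:\Scripts` for the whole directory, `-OU "OU=Workstations,OU=NYC,DC=Contoso,DC=COM"` to scope it, and `-ComputerName (Get-Content .\hosts.txt)` to answer the first comment's request. The resulting CSV holds cleartext recovery passwords for every volume in scope, so the scheduled task that produces it should run under a dedicated account and write to a folder whose ACL is restricted to the recovery team, ideally on an encrypted volume; the export is a safety net against AD deletions, not a file to leave on a general-purpose share.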
