
We currently use Bitlocker on our laptops here at work. The helpdesk are responsible for backing the Bitlocker key up to AD when they build the system. We ran into an issue recently where a user had a hardware problem that set Bitlocker off, so it won't go past the screen prompting for the recovery key.

No problem, we have had this before, except that when I look in AD there's no key, which means somebody forgot to back it up. So I randomly click on a handful of other laptop objects and find another not backed up. So this has me thinking we need to seriously look into this before it happens again (on a higher profile employee).

Instead of going through the entire laptop OU and clicking on the Bitlocker recovery tab, is there a way in PowerShell to check that tab and see if anything is in there? I wouldn't even need to know the key there, just to know if any data is there which would show it's been backed up. If not it's not the end of the world, but I'd much rather be able to do that with a script than manually. :)

I've been looking online but so far have found nothing that is exactly what I want; usually it's much more complex than I'm needing.

Thanks for any help you can give!

Don
  • `The helpdesk are responsible for backing the Bitlocker key up to AD when they build the system.` - Not an answer to your question, but you can enforce the backup of the key automatically to AD via GPO. The laptop will not begin encryption until the key is there. – MDMarra May 03 '12 at 13:33

2 Answers


As MDMarra points out, Your Doing It Wrong™.

Enable the GPO setting to back up the BitLocker keys to AD automatically. BitLocker will back up the key first, so it's not possible to get into the situation you have now. There are quite a few other BitLocker GPO settings too.

You'll also want the BitLocker Recovery Password Viewer for Active Directory Users and Computers that allows you to see the BitLocker Keys in AD.

Not to get too preachy: Before you go endeavoring into new technologies which might lock people out of their computers permanently, you should really read all the documentation and best practices. MS has published volumes on BitLocker to help people prevent mistakes like this.

Chris S
  • I was thinking we had tried that, but had some kind of problem with it. Now would be a good time to revisit the topic and do it right. Thank you both for the direction, I'll start digging into it right now! – Don May 03 '12 at 13:46
  • It's possible you've got something crazy going on that would prevent you from using it; but it's what we use internally, works great for us. – Chris S May 03 '12 at 13:47
  • I second that. We use the same process here without issue. – MDMarra May 03 '12 at 14:04
  • Maybe one of you can help me compare what we have different. Currently I have it set in the GPO - "Store BitLocker recovery information in AD Domain Services" as enabled. Require BitLocker backup to AD DS checked, Recovery passwords and key packages selected. I also have TPM enabled via its key, "Turn on TPM backup to Active Directory Domain Services", checkbox checked "Require TPM backup to AD DS". When we build a machine it's with MDT and enables bitlocker at that point, basically the last step in the process. Once the machine is built the computer is moved to the laptop OU...ahhh – Don May 03 '12 at 14:42
  • maybe that's the problem... since the staging OU doesn't have the bitlocker settings set on it. Let me set the staging OU GPO up with the same as the laptop GPO. Could be the culprit. :) – Don May 03 '12 at 14:43
  • If the machine isn't in an OU when the policy is applied, then it's not going to get that policy. – MDMarra May 03 '12 at 16:01
  • Looks like this worked just fine. I applied the GPO to the staging OU and selected AD during the MDT phase, worked like a charm. I believe we tried them both when we set the system up, but not at the same time. ;) Thanks! – Don May 03 '12 at 16:48
  • Although I agree that there is a better way to setup, an answer to the actual question would still be useful. There are a number of scenarios where you may want to report all computers that haven't got bitlocker password backed up (e.g. identifying computers that need attention!) – dunxd May 26 '15 at 10:12
  • This does not answer the initial question "is there a way in PowerShell to check that tab and see if anything is in there?" – Matthias Sep 24 '18 at 11:43

I use the following PowerShell cmdlet to get a list of computers with backed-up BitLocker keys.

# Each backed-up recovery password is an msFVE-RecoveryInformation object stored under its computer object, so the DN tells you which computer it belongs to
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' | Select-Object -ExpandProperty DistinguishedName

I can't say what the minimum permissions are, but domain admin is enough (might be overkill).

You can then parse the output.

2 B
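The one-liner above lists every recovery object in the domain, but the question asks the opposite: which laptops in a given OU have nothing on their BitLocker Recovery tab. The script below is an added example, not code from the question or either answer. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, an account that can read the laptop OU, and a placeholder OU path that you replace with your own; `Get-BitLockerBackupStatus` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not code from the question or either answer. Assumes the RSAT
# ActiveDirectory module, PowerShell 3.0+, and read access to the laptop OU.
Import-Module ActiveDirectory

# Placeholder OU; replace with the distinguished name of your own laptop OU.
$LaptopOU = 'OU=Laptops,DC=example,DC=com'

function Get-BitLockerBackupStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string] $SearchBase
    )

    # Disabled accounts are included on purpose: a machine that was encrypted
    # and later disabled still has a drive someone may need to recover.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem

    foreach ($computer in $computers) {
        # Each recovery password is an msFVE-RecoveryInformation child of the
        # computer object; this is what the "BitLocker Recovery" tab displays.
        $recovery = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Properties whenCreated | Sort-Object whenCreated -Descending)

        [PSCustomObject]@{
            ComputerName    = $computer.Name
            Enabled         = $computer.Enabled
            OperatingSystem = $computer.OperatingSystem
            KeysInAD        = $recovery.Count
            LastBackup      = if ($recovery.Count -gt 0) { $recovery[0].whenCreated } else { $null }
            # The object name carries the recovery password ID that the recovery
            # screen shows, so the helpdesk can confirm the stored key is the right one.
            LatestKeyId     = if ($recovery.Count -gt 0) { $recovery[0].Name } else { $null }
            Status          = if ($recovery.Count -gt 0) { 'OK' } else { 'MISSING' }
        }
    }
}

$report = Get-BitLockerBackupStatus -SearchBase $LaptopOU

# Machines with nothing on the recovery tab are the ones to fix before they fail.
$report | Where-Object { $_.Status -eq 'MISSING' } | Sort-Object ComputerName | Format-Table -AutoSize

# Keep the full list so the check can be re-run after the staging-OU GPO fix.
$report | Export-Csv -Path '.\BitLockerBackupStatus.csv' -NoTypeInformation
```

A computer reported as OK still deserves a second look when it is actually in recovery: if the drive was re-encrypted or its protectors were reset after the backup ran, the password ID on the recovery screen will not match the ID in the stored object's name, and the stale object gives a false sense of safety. Running this on a schedule also catches the case from the comments above, where a machine was encrypted in a staging OU that did not carry the backup policy and the GPO on the laptop OU never had a chance to act.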