1

long time lurker first time posting. I've been dabbling in PowerShell again after not using it for quite a while. I'm currently trying to make a script that enables Bitlocker, and backs up the recovery key to the desktop. I'm finding that it enables Bitlocker fine, but the recovery key on the desktop doesn't show the recovery key? Here is the script so far:

#Test Registry paths before trying to modify
Test-Path HKLM:\SOFTWARE\Policies\Microsoft\FVE

#Change Registry keys to allow BitLocker without TPM and with additional authentication

#Check EnableBDEWithNoTPM value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name "EnableBDEWithNoTPM"
if($val.EnableBDEWithNoTPM -ne 1)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "EnableBDEWithNoTPM" -value 1
}

#Check UseAdvancedStartup value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name "UseAdvancedStartup"
if($val.UseAdvancedStartup -ne 1)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "UseAdvancedStartup" -value 1
}

#Check UseTPM value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name "UseTPM"
if($val.UseTPM -ne 2)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "UseTPM" -value 2
}

#Check UseTPMKey value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name "UseTPMKey"
if($val.UseTPMKey -ne 2)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "UseTPMKey" -value 2
}

#Check UseTPMKeyPIN value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name     "UseTPMKeyPIN"
if($val.UseTPMKeyPIN -ne 2)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "UseTPMKeyPIN" -value 2
}

#Check UseTPMPIN value is correct, if not set it to be correct value.
Get-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -name "UseTPMPIN"
if($val.UseTPMPIN -ne 2)
{
Set-ItemProperty -Path hklm:\SOFTWARE\Policies\Microsoft\FVE -Name "UseTPMPIN" -value 2
}

#Prompt the user to enter a password, which will be stored as a string and used to set Bitlocker password
$pass = Read-Host 'Please set new password' -AsSecureString

#Enable BitLocker on Drive C: with password set by user and encrypt used space only.
Enable-BitLocker -MountPoint "C:" -Password $pass -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector

#Generate Recovery Key and store in C:\Recovery
Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod Aes256 -RecoveryKeyPath "C:\Recovery" -RecoveryKeyProtector

#Save Recovery Key to C:
(Get-BitLockerVolume -MountPoint C:).KeyProtector > $env:UserProfile\Desktop\BitLocker_Recovery_Key.txt

When I added this part:

    Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod Aes256 -RecoveryKeyPath "C:\Recovery" -RecoveryKeyProtector

The recoverykey.txt file that generates on the desktop has the part for "Recovery Key" but it's blank, and this line also causes an error stating that I need to restart to start Bitlocker before it can run.

Can anyone give me some pointers on why the recovery key is missing in the .txt and if I've gone wrong anywhere?

Thanks.

Oli T
  • 11
  • 1
  • 2
  • In the example they provide here: https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx there is a trailing backslash in the RecoveryKeyPath (for you: "C:\Recovery\" instead of "C:\Recovery"). Might it be the source of your problem? What's the content of your Recovery folder? Do you have a Recovery.txt file at root on your C: drive? – David Brabant Aug 18 '16 at 13:42
  • Hey David, the recovery folder itself doesn't have any text files with the recovery key in and the last line of the code that attempts to put the recovery key file on the desktop does work, however inside the line for "Recovery Key:" is blank, where from what I've seen this is meant to include a long numeric key to use for recovery. – Oli T Aug 18 '16 at 13:44
  • Show content of `BitLocker_Recovery_Key.txt` file. Mine output for `(Get-BitLockerVolume -MountPoint C:).KeyProtector` does not have part for "Recovery Key". – user4003407 Aug 18 '16 at 17:20

1 Answers1

0

I know this is old but the powershell above just helped me. Thanks!

I think the reason it is not saving is that you need to pick a network drive. When you do this through the bitlocker gui, it won't let you save the key on a drive you are encrypting w/ bitlocker.

cornasdf
  • 131
  • 5