Trying to back up my Bitlocker Key to ADDS Through Script

Question

I'm trying to automatize the process of storing BitLocker Keys to ADDS.

I wanna be able to run the following script at logon, in order to do that, as the OS is deployed through WDS which already encrypts the drive:

$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID

BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID

I always get access denied as this has to run as admin... Is there any command I can use prior the code to run it as admin? I've googled but I found no useful info to actually do this...

Just right-click the script and say Run As Administrator. You can't programmatically run a script as Administrator; that would be a massive security flaw. — SomethingDark, May 06 '22 at 21:01
Have a look at `runas /?` It still requires you to authenticate as it is required by UAC. — Gerhard, May 07 '22 at 06:36
So there is no way to state a command before the script or even automatically run it at startup logon as admin? — Matias Huartamendia, May 07 '22 at 21:25

score 2 · Answer 1 · answered Aug 18 '22 at 06:14

As for the access denied part... as was already sated, you need to start your PowerShell session as an admin. However, as a point of note about your code, you are only targeting the system/os volume... which may not be the only volume that's encrypted. If you want to programmatically backup all of the encrypted volumes, may I suggest one of the two following options...

One-liner:

Get-BitLockerVolume | where {$_.VolumeStatus -like "FullyEncrypted"} | foreach {foreach($Key in $_.KeyProtector){if($Key -like "RecoveryPassword"){Backup-BitLockerKeyProtector -MountPoint $_.mountpoint -KeyProtectorId $key.KeyProtectorId}}}

Or, if you prefer something a little bit easier to read...

Script Block:

foreach ($BLV in Get-BitLockerVolume){
    if ($BLV.VolumeStatus -like "FullyEncrypted"){
        foreach ($Key in $BLV.KeyProtector) {
            if ($Key -like "RecoveryPassword") {
                Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $Key.KeyProtectorId
            }#if
        }#foreach
    }#if
}#foreach

Neither is super eloquent... but, with this method it will grab all of the encrypted volumes on the system and add them to AD. You would need to modify the code slightly to add the AAD backup option you cited of course.

P.S. I'm only responding because I recently had to solve this problem of multi-volume backups as a one-liner solution and figured I would share it since your post was a top search result when I looked for a pre-canned solution. Cheers! :)

Trying to back up my Bitlocker Key to ADDS Through Script

1 Answers1