Bitlocker Keys should be saved to Active Directory automatically. However, in some cases, we would need to save bitlocker keys manually to Active Director.

PowerShell can help in saving current bitlocker information in AD.

The Get-BitlockerVolume is the main command we will be using for backing up the key. By adding the -MountPoint parameter it allows us to choose which drive we want to work with.

By saving the command above to variable it allows us to save certain elements that were outputted.

$BKEY = Get-BitlockerVolume -MountPoint “C:”

Now need to get the recovery key and backup the key up to AD. This can be easily achieve by using the Backup-BitlockerKeyProtector command.

Backup-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BKEY.KeyProtector[1].KeyProtectorId

The above command will backup the key that was presented within our variable we created in the step before. It will backup the out from KeyProtectorID attribute and copy back to AD. The full command is below:

$BKEY = Get-BitLockerVolume -MountPoint “C:”

Backup-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BKEY.KeyProtector[1].KeyProtectorId

Putting all in a PowerShell script (Copy and save as .ps1) so that it can be used in group policy or SCCM

try{
$BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
$KeyProtectorID=””
foreach($keyProtector in $BLV.KeyProtector){
if($keyProtector.KeyProtectorType -eq “RecoveryPassword”){
$KeyProtectorID=$keyProtector.KeyProtectorId
break;
}
}$result = Backup-BitLockerKeyProtector -MountPoint “$($env:SystemDrive)” -KeyProtectorId $KeyProtectorID
return $true
}
catch{
return $false
}

Result

Categories: Microsoft, PowerShell

Tags: BitLocker, PowerShell