Powershell: Save Bitlocker key Information to Active Directory for existing devices

Bitlocker Keys should be saved to Active Directory automatically. However, in some cases, we would need to save bitlocker keys manually to Active Director.

PowerShell can help in saving current bitlocker information in AD.

The Get-BitlockerVolume is the main command we will be using for backing up the key. By adding the -MountPoint parameter it allows us to choose which drive we want to work with.

By saving the command above to variable it allows us to save certain elements that were outputted.

$BKEY = Get-BitlockerVolume -MountPoint “C:”

Now need to get the recovery key and backup the key up to AD. This can be easily achieve by using the Backup-BitlockerKeyProtector command.

Backup-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BKEY.KeyProtector[1].KeyProtectorId

The above command will backup the key that was presented within our variable we created in the step before. It will backup the out from KeyProtectorID attribute and copy back to AD. The full command is below:

$BKEY = Get-BitLockerVolume -MountPoint “C:”

Backup-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BKEY.KeyProtector[1].KeyProtectorId

Putting all in a PowerShell script (Copy and save as .ps1) so that it can be used in group policy or SCCM

$BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
foreach($keyProtector in $BLV.KeyProtector){
if($keyProtector.KeyProtectorType -eq “RecoveryPassword”){
}$result = Backup-BitLockerKeyProtector -MountPoint “$($env:SystemDrive)” -KeyProtectorId $KeyProtectorID
return $true
return $false


Categories: Microsoft, PowerShell

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: