Trigger Active Directory Bitlocker Key Backup
Hello,
Bitlocker has features that allow you to backup the keys in your Active Directory, or to a SQL database if you have access to Microsoft Desktop Optimization Pack (MDOP). Microsoft Bitlocker Administration and Monitoring (MBAM from MDOP) is the tool coupled to the SQL database. Today, we’ll talk about the Active Directory option.
If you have the right Active Directory schema (Windows Server 2008 R2 and newer – Version >47), there is the Bitlocker attributes in it (msFVE-*), those are a prerequisites for an Active Directory backup of the keys.
Trigger Active Directory Bitlocker Key Backup – Check Prerequisites
You can check the presence of the required AD attributes in the schema with this PowerShell line :
Get-ADObject -SearchBase (Get-ADRootDSE).SchemanamingContext -LDAPFilter "(name=ms-fve*)"
Trigger Active Directory Bitlocker Key Backup – Prerequisites
Trigger Active Directory Bitlocker Key Backup – PowerShell
You can trigger the process with those PowerShell lines :
(Get-WmiObject -namespace 'Rootcimv2securityMicrosoftVolumeEncryption' -ClassName 'Win32_Encryptablevolume') | % {
New-Object -TypeName PSObject -Property @{
'PSComputerName' = $_.PSComputerName
'DriveLetter' = $_.DriveLetter
'EncryptionMethod' = $_.EncryptionMethod
'IsVolumeInitializedForProtection' = $_.IsVolumeInitializedForProtection
'PersistentVolumeID' = $_.PersistentVolumeID
'ProtectionStatus' = $_.ProtectionStatus
'VolumeKeyProtectorID' = $_.GetKeyProtectors(3).VolumeKeyProtectorID
'BackupRecoveryInformationToActiveDirectory' = $_.BackupRecoveryInformationToActiveDirectory($_.VolumeKeyProtectorID).ReturnValue
}
}
The WMI query will get all the bitlocked volumes on the computer, and then, for each of them, call the “BackupRecoveryInformationToActiveDirectory” function, that will upload the keys to your Active Directory.
Note : You can target a remote computer with the -ComputerName parameter of “Get-WMIObject“.