Active Directory - Storing Bitlocker Recovery Info
A recent quick project was to enable storage of Bitlocker recovery data within Active Directory, instead of our moderately secure encrypted drive of text-files.
This is actually a really easy process (assuming you only have Windows 7 / 2008R2 and up on the domain), only needing to make a few adjustments to ACLs on ADComputer objects (allowing Computers to write to their own objects).
The Technet article describing this, along with the more convoluted method involved in sorting this out for anything below 2008R2 is here: Backing Up BitLocker and TPM Recovery Information to AD DS
Unfortunately, it's a bit of a hassle (very minor hassle, anyway) to load up ADSIEdit.msc, and navigate around to the correct object every time you want to retrieve a key... so I wrote a quick Powershell script to replace the VBScript linked in the above article.
param(
[Alias("Computer","Name")][string[]]$Computers,
[Parameter(Mandatory=$true)][PSCredential]$Credential
)
function Get-BitlockerRecovery($Computers, $Credential) {
$report = @()
foreach ($Computer in $Computers) {
$objects = Get-ADObject -Filter * -SearchBase (Get-ADComputer $Computer).DistinguishedName -Credential $Credential -Properties * | Where -Property ObjectClass -eq msFVE-RecoveryInformation
foreach ($key in $objects) {
$keyInfo = "" | Select Computer, RecoveryID, RecoveryPassword
$keyInfo.Computer = $Computer
$key.Name -match ".*\{(.*)\}" | Out-Null
$keyInfo.RecoveryID = $matches[1]
$keyInfo.RecoveryPassword = $key."msFVE-RecoveryPassword"
$report += $keyInfo
}
}
return $report
}
Get-BitlockerRecovery -Computers $Computers -Credential $Credential
I'm sure there's probably a nicer way to do it, and that this could be compressed down to three lines or so - but I think that's quite legible.