
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1998
  • Last Modified:

Gather Bitlocker Keys After Encryption

We are in the process of upgrading our clients to Windows 7 x64. All notebooks have Bitlocker encryption enabled as part of the build Task Sequence in MDT.

We just realised today that a large number of notebook clients (200+) have been encrypted whilst in the wrong OU in Active Directory. Therefore they have not received the Bitlocker GPO telling them only to encrypt if they can save their Recovery Key to AD. The BitLocker Recovery tab for most of these computers is empty.

Is there any way I can save the Bitlocker Recovery information to AD after the client has been encrypted?  
I really need to script this and run it remotely due to the number of clients already out there with encryption enabled.

I found some info in a blog post here... and tried to push the script via SCCM. It ran successfully but no info appeared in AD.
0
mikevr6
Asked:
mikevr6
  • 6
  • 5
1 Solution
 
McKnife Commented:
Hi.

Did you try to run the commands manually (not the vbs, only the two lines manage-bde...) and did it return "Recovery information was successfully backed up to Active Directory" ?
0
 
mikevr6 (Author) Commented:
Hi,

Yes when I run the two manage-bde commands the keys are successfully backed-up to AD.
0
 
McKnife Commented:
So that way, the BL recov. tab is populated? Or do the commands run successfully but the BL recov. tab remains empty? If populated, you need to analyse that VB script. Maybe that script is language specific.
0

 
mikevr6 (Author) Commented:
By running the manage-bde commands, I am able to populate the BitLocker Recovery tab in AD. But I cannot logon to every machine individually and do this.
So the script should be able to do this for me. I've tried it now via SCCM running with a Domain Admin account and via GPO Startup script.
cscript save_bitlocker_key.vbs
0
 
McKnife Commented:
Ok.
I asked you to think about language specific problems with the script - already ruled that out?
If yes, if I were you, I would try to put the two working lines into a batch. Something like
manage-bde.exe -protectors -get c:|findstr ID >%temp%\ID.txt would write two lines to a temporary file [example output follows]:
 ID: {7AFDFC70-CADA-4363-90F8-F0B7ACA84287}
 ID: {611DD09D-AEE2-49B1-ADAD-C40E900949BC}

The second line is the ID we need. IF I am not mistaken, it should not matter if we continue our script by simply using both lines in this for loop:
for /f %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -%%a

Should work, sorry, I cannot test it here as we don't have bitlocked win 7 here.
0
 
mikevr6 (Author) Commented:
Sorry, I don't understand the "Language Specific" part of your question. Isn't this just native VBScript for Windows? Pardon my ignorance. I'm not a scripting expert.

I created the batch file as you suggested. The first part runs fine and creates an ID.txt file containing the 2 strings.
The second part runs twice and on both occasions looks like it is inserting only the "-ID:" part of the string in the command.
I've attached a screengrab of the output.

backupkeys.bat.txt

Sample Output
0
 
mikevr6 (Author) Commented:
The Output file contained two lines.
 ID: {CA75D4CD-624B-4434-A69A-FEAD983CA963}
 ID: {55DED193-ED18-4F0A-A841-EE1812E2C717}


The space between ID: and the rest of the string was throwing it off.

I then modified the second line of the script like so:

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

Result! I now have a batch file I can use to save the keys to AD. It's the end of the day now, so I will test tomorrow. The full batch looks like this.

manage-bde.exe -protectors -get c:|findstr ID >%Temp%\ID.txt

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

Sample Output
0
 
McKnife Commented:
Yup. I missed the ":" in the output ... ;)
0
 
McKnife Commented:
Tested already?
0
 
mikevr6 (Author) Commented:
Actually, I realised I had configured the original VB script from Microsoft incorrectly. The script was on a share that had incorrect permissions.
So this works when configured as a GPO Startup Script (running as System):
Technet Blog Post

And the batch file, created by McKnife and edited by me, also works.

manage-bde.exe -protectors -get c:|findstr ID >%Temp%\ID.txt

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

So case closed and points awarded to McKnife. Muchos Gracias.
0
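The working batch file above feeds every line that findstr matches to -adbackup, which includes the TPM protector's ID as well as the recovery password's, and it gives SCCM or a GPO startup script no exit code to report on. The following PowerShell script is an added example (it is not McKnife's batch, mikevr6's script, or the Microsoft TechNet VBS) that does the same job through the Win32_EncryptableVolume WMI class: it selects only numerical-password protectors (key protector type 3, the only type that AD DS stores), backs each one up, and exits non-zero if any backup failed. The drive letter is an assumption; everything else is the documented WMI interface.

```powershell
# Added example: back up BitLocker recovery passwords on an already-encrypted
# volume to AD DS via WMI. Assumes it runs elevated (e.g. as SYSTEM from a GPO
# startup script) on a domain-joined client that has received the BitLocker
# AD backup policy. Drive letter is an assumption for this example.
$volumeLetter = 'C:'

$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter = '$volumeLetter'"
if ($vol -eq $null) {
    Write-Error "No encryptable volume found for $volumeLetter"
    exit 1
}

# ProtectionStatus: 0 = protection off (not encrypted or suspended), 1 = on.
if ($vol.ProtectionStatus -ne 1) {
    Write-Warning "$volumeLetter protection status is $($vol.ProtectionStatus); nothing to back up"
    exit 0
}

# Key protector type 3 = numerical password (the recovery password). TPM, PIN
# and startup-key protectors are skipped because AD DS does not store them.
$protectors = $vol.GetKeyProtectors(3)
if ($protectors.ReturnValue -ne 0) {
    Write-Error ("GetKeyProtectors failed (HRESULT 0x{0:X8})" -f $protectors.ReturnValue)
    exit 1
}
$ids = @($protectors.VolumeKeyProtectorID | Where-Object { $_ })
if ($ids.Count -eq 0) {
    # A volume with no recovery password has nothing AD can store; add one
    # first (manage-bde -protectors -add C: -RecoveryPassword) and rerun.
    Write-Warning "No numerical password protector on $volumeLetter"
    exit 1
}

$failed = 0
foreach ($id in $ids) {
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -eq 0) {
        Write-Output "Backed up recovery password $id for $volumeLetter to AD DS"
    } else {
        Write-Warning ("Backup of {0} failed (HRESULT 0x{1:X8})" -f $id, $rc)
        $failed++
    }
}

# Non-zero exit lets SCCM / the startup-script log show which clients still
# need attention, so the BitLocker Recovery tab can be audited afterwards.
exit $failed
```

Because it uses Get-WmiObject rather than the CIM cmdlets, the script runs on the PowerShell 2.0 that ships with Windows 7. After deployment, confirm on the domain controller that each computer object's BitLocker Recovery tab is populated; a client that exits non-zero usually either lacks the policy (wrong OU, as in the question) or has no recovery password protector at all.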
 
mikevr6 (Author) Commented:
Thanks for the help. Always good to have a sanity check. :)
0
