Gather Bitlocker Keys After Encryption

We are in the process of upgrading our clients to Windows 7 x64. All notebooks have Bitlocker encryption enabled as part of the build Task Sequence in MDT.

We just realised today that a large number of notebook clients (200+) have been encrypted whilst in the wrong OU in Active Directory. Therefore they have not received the Bitlocker GPO telling them only to encrypt if they can save their Recovery Key to AD. The BitLocker Recovery tab for most of these computers is empty.

Is there any way I can save the Bitlocker Recovery information to AD after the client has been encrypted?  
I really need to script this and run it remotely due to the number of clients already out there with encryption enabled.

I found some info in a blog post here... and tried to push the script via SCCM. It ran successfully but no info appeared in AD.
mikevr6 asked:
McKnife commented:
Tested already?
0
 
McKnife commented:
Hi.

Did you try to run the commands manually (not the vbs, only the two lines manage-bde...) and did it return "Recovery information was successfully backed up to Active Directory" ?
0
 
mikevr6 (author) commented:
Hi,

Yes when I run the two manage-bde commands the keys are successfully backed-up to AD.
0
 
McKnife commented:
So that way, the BL recov. tab is populated? Or do the commands run successfully but the BL recov. tab remains empty? If populated, you need to analyse that VB script. Maybe that script is language specific.
0
 
mikevr6 (author) commented:
By running the manage-bde commands, I am able to populate the BitLocker Recovery tab in AD. But I cannot logon to every machine individually and do this.
So the script should be able to do this for me. I've tried it now via SCCM running with a Domain Admin account and via GPO Startup script.
cscript save_bitlocker_key.vbs
0
 
McKnife commented:
Ok.
I asked you to think about language specific problems with the script - already ruled that out?
If yes, if I were you, I would try to put the two working lines into a batch. Something like
manage-bde.exe -protectors -get c:|findstr ID >%temp%\ID.txt would write two lines to a temporary file [example output follows]:
 ID: {7AFDFC70-CADA-4363-90F8-F0B7ACA84287}
 ID: {611DD09D-AEE2-49B1-ADAD-C40E900949BC}

The second line is the ID we need. If I am not mistaken, it should not matter if we continue our script by simply using both lines in this for loop:
for /f %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -%%a

Should work, sorry, I cannot test it here as we don't have bitlocked win 7 here.
0
 
mikevr6 (author) commented:
Sorry I don't understand the "Language Specific" part of your question. Isn't this just native vbscript for Windows? Pardon my ignorance. I'm not a scripting expert.

I created the batch file as you suggested. The first part runs fine and creates an ID.txt file containing the 2 strings.
The second part runs twice and on both occasions looks like it is inserting only the "-ID:" part of the string in the command.
I've attached a screengrab of the output.

backupkeys.bat.txt

Sample Output
0
 
mikevr6 (author) commented:
The Output file contained two lines.
 ID: {CA75D4CD-624B-4434-A69A-FEAD983CA963}
 ID: {55DED193-ED18-4F0A-A841-EE1812E2C717}
The space between ID: and the rest of the string was throwing it off.

I then modified the second line of the script like so:

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

Result! I now have a batch file I can use to save the keys to AD. It's the end of the day now, so I will test tomorrow. The full batch looks like this.

manage-bde.exe -protectors -get c:|findstr ID >%Temp%\ID.txt

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

Sample Output
0
 
McKnife commented:
Yup. I missed the ":" in the output ... ;)
0
 
mikevr6 (author) commented:
Actually, I realised I had configured the original VB script from Microsoft incorrectly. The script was on a share that had incorrect permissions.
So this works when configured as a GPO Startup Script (running as System)
Technet Blog Post

And the batch file created by McKnife and edited by me also works.

manage-bde.exe -protectors -get c:|findstr ID >%Temp%\ID.txt

for /f "tokens=1,2" %%a in (%temp%\ID.txt) do manage-bde -protectors -adbackup c: -id %%b

So case closed and points awarded to McKnife. Muchas gracias.
0
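A PowerShell version of the final batch, added here as an example (it is not code from the thread or from Microsoft's script), that backs up only the Numerical Password protector rather than every "ID:" line, keeps the full manage-bde output out of a temp file, and records the result per protector. Function names are my own; it assumes manage-bde.exe is on the PATH, the client is domain-joined with the AD BitLocker schema in place, and it runs elevated (e.g. as SYSTEM from a startup script).

```powershell
# Added example, not code from the thread. "findstr ID" also matches the TPM
# protector ID, for which -adbackup simply fails; this version parses the
# protector sections and keeps only the Numerical Password (recovery password) ID.
# Assumes: manage-bde.exe on PATH, domain-joined client, AD BitLocker schema present.

function Get-RecoveryPasswordProtectorId {
    param([string[]]$ManageBdeOutput)
    $section = $null
    $ids = @()
    foreach ($line in $ManageBdeOutput) {
        # Protector headers are indented lines ending in ":", e.g. "TPM:" or "Numerical Password:"
        if ($line -match '^\s+([A-Za-z ]+):\s*$') { $section = $Matches[1]; continue }
        # Keep only the IDs that sit under the Numerical Password protector
        if ($section -eq 'Numerical Password' -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $Matches[1]
        }
    }
    return ,$ids
}

function Backup-RecoveryPasswordToAd {
    param([string]$Drive = 'C:')
    # Keep the -get output in memory only: on Windows 7 it also prints the 48-digit
    # recovery password, so never redirect the unfiltered output to a file.
    $output = & manage-bde.exe -protectors -get $Drive 2>&1 | ForEach-Object { "$_" }
    $ids = Get-RecoveryPasswordProtectorId -ManageBdeOutput $output
    if ($ids.Count -eq 0) {
        throw "No Numerical Password protector on $Drive. Add one first: manage-bde -protectors -add $Drive -RecoveryPassword"
    }
    foreach ($id in $ids) {
        $result = & manage-bde.exe -protectors -adbackup $Drive -id $id 2>&1 | ForEach-Object { "$_" }
        # Check the exit code rather than the English success string, so the
        # result is also right on localised Windows builds (McKnife's point above).
        New-Object PSObject -Property @{
            ComputerName = $env:COMPUTERNAME
            Drive        = $Drive
            ProtectorId  = $id
            BackedUp     = ($LASTEXITCODE -eq 0)
            Message      = ($result | Select-Object -Last 1)
        }
    }
}

# One record per protector, so an SCCM or GPO run leaves something to audit
Backup-RecoveryPasswordToAd -Drive 'C:' | Format-List
```

The BitLocker Recovery tab in AD is the authoritative check afterwards; a BackedUp of $true only says manage-bde returned success on the client.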
 
mikevr6 (author) commented:
Thanks for the help. Always good to have a sanity check. :)
0