Trying to back up my BitLocker Key to AD DS through a script


I'm trying to automate the process of storing BitLocker keys in AD DS.

I want to be able to run the following script at logon in order to do that, as the OS is deployed through WDS, which already encrypts the drive:

# Get the BitLocker state of the OS volume (the drive Windows is installed on)
$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
# Select the recovery password protector(s) on that volume
$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Escrow the recovery password in Active Directory (AD DS)
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorId
# Escrow the same recovery password in Azure AD
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorId

I always get access denied, as this has to run as admin... Is there any command I can use prior to the code to run it as admin? I've googled but found no useful info on how to actually do this...


There is 1 answer

Craig On

As for the access denied part... as was already stated, you need to start your PowerShell session as an admin. However, as a point of note about your code, you are only targeting the system/OS volume... which may not be the only volume that's encrypted. If you want to programmatically back up all of the encrypted volumes, may I suggest one of the two following options...

One-liner:

Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq "FullyEncrypted" } | ForEach-Object { foreach ($Key in $_.KeyProtector) { if ($Key.KeyProtectorType -eq "RecoveryPassword") { Backup-BitLockerKeyProtector -MountPoint $_.MountPoint -KeyProtectorId $Key.KeyProtectorId } } }

Or, if you prefer something a little bit easier to read...

Script Block:

foreach ($BLV in Get-BitLockerVolume) {
    # Only volumes whose encryption has finished have a usable recovery password to escrow
    if ($BLV.VolumeStatus -eq "FullyEncrypted") {
        foreach ($Key in $BLV.KeyProtector) {
            # Compare the KeyProtectorType property explicitly; other protector types (TPM, password) cannot be backed up to AD
            if ($Key.KeyProtectorType -eq "RecoveryPassword") {
                Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $Key.KeyProtectorId
            }#if
        }#foreach
    }#if
}#foreach

Neither is super eloquent... but, with this method it will grab all of the encrypted volumes on the system and add them to AD. You would need to modify the code slightly to add the AAD backup option you cited of course.

P.S. I'm only responding because I recently had to solve this problem of multi-volume backups as a one-liner solution and figured I would share it since your post was a top search result when I looked for a pre-canned solution. Cheers! :)
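Putting the two threads of this page together (the question's "how do I run it as admin" and the answer's "modify it to add the AAD backup"), here is an added example that is neither the asker's script nor Craig's code. It assumes the machine is domain-joined, the AD DS schema already stores BitLocker recovery information, and the script is run elevated; the -IncludeAzureAD switch and the Test-IsElevated helper are this example's own. Since a user logon script runs in the user's (non-elevated) context, the self-elevation branch will raise a UAC prompt; for unattended use, run it instead as a computer startup script or a scheduled task under SYSTEM, which is already elevated.

```powershell
# Added example (not from the question or the answer above): escrow every
# RecoveryPassword protector of every fully encrypted volume to AD DS, and
# optionally to Azure AD, reporting per-protector success or failure.
[CmdletBinding()]
param(
    [switch]$IncludeAzureAD   # hypothetical switch defined by this example
)

function Test-IsElevated {
    # True when the current token holds the local Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Relaunch this same script file elevated. $PSCommandPath is only set when
    # the code runs from a .ps1 file, so save it to disk before testing this.
    $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    if ($IncludeAzureAD) { $argList += ' -IncludeAzureAD' }
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
    exit
}

$results = foreach ($volume in Get-BitLockerVolume) {
    # Volumes still encrypting, decrypted, or suspended are skipped
    if ($volume.VolumeStatus -ne 'FullyEncrypted') { continue }

    # Only RecoveryPassword protectors can be escrowed; compare the property
    # explicitly rather than relying on the protector object's string form
    $recoveryProtectors = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        Write-Warning "$($volume.MountPoint): no RecoveryPassword protector, nothing to escrow."
        continue
    }

    foreach ($protector in $recoveryProtectors) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            $adResult = 'OK'
        } catch {
            # Typical causes: not domain-joined, DC unreachable, schema lacks
            # the BitLocker recovery attributes, or session not elevated
            $adResult = "FAILED: $($_.Exception.Message)"
        }

        $aadResult = 'skipped'
        if ($IncludeAzureAD) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
                $aadResult = 'OK'
            } catch {
                # Requires the device to be Azure AD joined or registered
                $aadResult = "FAILED: $($_.Exception.Message)"
            }
        }

        # One record per protector so the outcome can be logged or audited
        [pscustomobject]@{
            MountPoint     = $volume.MountPoint
            KeyProtectorId = $protector.KeyProtectorId
            ADDS           = $adResult
            AzureAD        = $aadResult
        }
    }
}

$results | Format-Table -AutoSize
```

The per-protector result objects are the part worth keeping: a volume with several recovery passwords gets one line each, and a failed escrow is reported rather than silently skipped, so a deployment can verify that every fully encrypted volume actually has its recovery password in the directory before the machine is handed to a user.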