Get BitLocker Recovery Information from AD Using PowerShell

Many organizations are taking advantage of Microsoft’s BitLocker drive encryption software that is built into Windows Vista, Windows Server 2008, and later versions of Windows. To ensure that encrypted drives are accessible to authorized members of organizations, Microsoft has provided the ability to back up BitLocker recovery information to Active Directory (AD). For more information about the details, see Backing Up BitLocker and TPM Recovery Information to AD DS in the TechNet documentation.

Getting BitLocker Recovery Information from the GUI

To assist administrators in managing BitLocker-encrypted computers, Microsoft has provided the BitLocker Recovery Password Viewer feature. This feature (available in Remote Server Administration Tools) adds two capabilities to the Active Directory Users and Computers (ADUC) console: First, it adds the BitLocker Recovery tab to a computer’s property page; and second, it adds the Find BitLocker Recovery Password menu item to the domain object’s right-click context menu. Figure 1 shows the BitLocker Recovery tab for a computer object.

BitLocker recovery information for a computer is stored in one or more msFVE-RecoveryInformation child objects (i.e., a computer object is the msFVE-RecoveryInformation object’s parent). You can view these AD objects by using the ADSI Edit console (adsiedit.mmc) and navigating to a computer object, as shown in Figure 2. Figures 1 and 2 show two different views of the BitLocker recovery information for the same computer object.

If you need to access a BitLocker-encrypted drive, Windows displays the password ID at boot time. To find the recovery password associated with a password ID, right-click the domain object in the Active Directory Users and Computers console and select Find BitLocker recovery password, as shown in Figure 3.

Figure 4 shows the Find BitLocker recovery password dialog box. Enter the first 8 characters of the BitLocker password ID, and the dialog box will display the recovery password.

Unfortunately, these features only work from ADUC, and Microsoft did not provide PowerShell equivalents.

Getting BitLocker Recovery Information from PowerShell

Since Microsoft did not provide PowerShell equivalents for the BitLocker Recovery Password Viewer feature, I wrote the Get-BitLockerRecovery.ps1 script to rectify this shortcoming. The script’s syntax is as follows:

Get-BitLockerRecovery [-Name] [-Domain ] [-Server ] [-Credential ]

or

Get-BitLockerRecovery -PasswordID [-Domain ] [-Server ] [-Credential ]

The script uses two parameter sets that determine its behavior:

  • If you specify a list of one or more computer names, or if you pipe input to the script, the script will display the BitLocker recovery information for the named computer(s). The -Name parameter corresponds to viewing the properties of a computer object and selecting the BitLocker Recovery tab in ADUC. The script assumes the ‑Name parameter as a default, so the ‑Name parameter itself is optional.
  • If you specify the -PasswordID parameter instead, you must provide an eight-character Password ID. The -PasswordID parameter corresponds to the Find BitLocker recovery password command on the domain object’s right-click context menu in ADUC.

The ‑Domain parameter specifies a domain name if the computer(s) are not in the current domain, and the ‑Server parameter names a specific domain controller from which you want to retrieve the BitLocker recovery information.

By default, only members of the Domain Admins group have access to view BitLocker recovery information, so if you run Get-BitLockerRecovery.ps1 using an account that does not have sufficient access, the script will output N/A for the TPMRecoveryInformation, Date, PasswordID, and RecoveryPassword properties. To work around this, you can run your PowerShell session using an alternate account that has permissions, or you can use the -Credential parameter and specify alternate credentials.

The script outputs objects with the properties listed in Table 1.

In addition to the computer name, password ID, and recovery password, Get-BitLockerRecovery.ps1 also provides the distinguishedName and TPMRecoveryInformation properties. The distinguishedName property helps you pinpoint the computer object’s location in AD, and the TPMRecoveryInformation property lets you know whether the computer has backed up TPM recovery information to AD. Figure 5 shows an example of the output object.
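As an added example that is not the article's own Get-BitLockerRecovery.ps1, the following function reproduces the behaviour described above (the two parameter sets, the lookup of msFVE-RecoveryInformation child objects under a computer, the search by password ID, and the N/A fallback when the account cannot read the recovery information) on top of the RSAT ActiveDirectory module. The function name, the output shape and the handling of -Server are assumptions made here; the article's -Domain parameter is folded into -Server, which the ActiveDirectory cmdlets accept as either a domain controller or a domain name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the article's Get-BitLockerRecovery.ps1. The class and
# attribute names (msFVE-RecoveryInformation, msFVE-RecoveryGuid,
# msFVE-RecoveryPassword, msTPM-OwnerInformation, msTPM-TpmInformationForComputer)
# are the real AD schema names; the function name and exact output shape are
# assumptions made here.

function Get-BitLockerRecoveryInfo {
  [CmdletBinding(DefaultParameterSetName = 'Name')]
  param(
    # Computer name(s); also bound from the Name property of piped Get-ADComputer objects.
    [Parameter(ParameterSetName = 'Name', Position = 0, Mandatory = $true,
               ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [string[]] $Name,

    # First 8 hex characters of the password ID shown on the recovery screen.
    [Parameter(ParameterSetName = 'PasswordID', Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{8}$')]
    [string] $PasswordID,

    # A domain controller or a domain name (the ActiveDirectory module accepts either).
    [string] $Server,
    [System.Management.Automation.PSCredential] $Credential
  )

  begin {
    $adArgs = @{}
    if ($Server)     { $adArgs['Server']     = $Server }
    if ($Credential) { $adArgs['Credential'] = $Credential }
    $recProps = 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'
    $cmpProps = 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

    # Build one output record from a computer object and one of its recovery
    # objects ($rec is $null when none is visible to the caller).
    function New-Record($computer, $rec) {
      $guid = $null
      if ($rec -and $rec.'msFVE-RecoveryGuid') {
        # The attribute is an octet string; the password ID is the GUID's first 8 hex digits.
        $guid = [guid]::new([byte[]]$rec.'msFVE-RecoveryGuid').ToString('D').ToUpper()
      }
      [pscustomobject]@{
        Name                   = $computer.Name
        distinguishedName      = $computer.DistinguishedName
        # TPM owner info is stored on the computer object (older schema) or linked
        # through msTPM-TpmInformationForComputer (Windows Server 2012+ schema).
        TPMRecoveryInformation = [bool]($computer.'msTPM-OwnerInformation' -or
                                        $computer.'msTPM-TpmInformationForComputer')
        Date                   = if ($rec) { $rec.whenCreated } else { 'N/A' }
        PasswordID             = if ($guid) { $guid.Substring(0, 8) } else { 'N/A' }
        # msFVE-RecoveryPassword is a confidential attribute: without read rights it
        # comes back empty, which is reported as N/A rather than as an error.
        RecoveryPassword       = if ($rec -and $rec.'msFVE-RecoveryPassword') {
                                   $rec.'msFVE-RecoveryPassword' } else { 'N/A' }
      }
    }
  }

  process {
    if ($PSCmdlet.ParameterSetName -eq 'Name') {
      foreach ($n in $Name) {
        $computer = Get-ADComputer -Identity $n -Properties $cmpProps @adArgs
        # Recovery objects are direct children of the computer object.
        $recs = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                   -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                   -Properties $recProps @adArgs)
        if ($recs.Count -eq 0) { New-Record $computer $null }
        else { foreach ($r in $recs) { New-Record $computer $r } }
      }
    }
    else {
      # Each recovery object's RDN is "<timestamp>{<GUID>}", so the 8-character
      # password ID is matched as the prefix of the braced GUID.
      $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($PasswordID)-*))"
      foreach ($r in Get-ADObject -LDAPFilter $filter -Properties $recProps @adArgs) {
        # Dropping the first RDN yields the parent computer's DN (the RDN has no commas).
        $parentDn = $r.DistinguishedName -replace '^CN=[^,]+,', ''
        $computer = Get-ADComputer -Identity $parentDn -Properties $cmpProps @adArgs
        New-Record $computer $r
      }
    }
  }
}

# Usage (mirrors the article's examples):
#   Get-BitLockerRecoveryInfo computer1
#   "computer1","computer2" | Get-BitLockerRecoveryInfo
#   Get-BitLockerRecoveryInfo -PasswordID B1FED823 -Credential (Get-Credential)
```

Because the password attribute is marked confidential in the schema, an under-privileged account sees the child objects (or nothing at all) but never the password value; reporting N/A instead of throwing keeps the function usable in a pipeline over many computers, exactly as the article describes for the original script.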

Example Commands

1. Get BitLocker recovery information for a single computer:

Get-BitLockerRecovery computer1

2. Get BitLocker recovery information for a list of computers:

Get-BitLockerRecovery "computer1","computer2"

or

"computer1","computer2" | Get-BitLockerRecovery

3. Get BitLocker recovery information for computers in an OU:

Get-ADComputer -Filter { name -like "*" } `
  -SearchBase "OU=Sales,DC=fabrikam,DC=com" |
  Get-BitLockerRecovery

4. Get the BitLocker recovery information for a specific password ID:

Get-BitLockerRecovery -PasswordID B1FED823

5. Get BitLocker recovery information for all msFVE-RecoveryInformation objects in the current domain:

$filter = "(objectClass=msFVE-RecoveryInformation)"
Get-ADObject -LDAPFilter $filter | ForEach-Object {
  Get-ADPathname (Get-ADPathname $_.DistinguishedName `
  -Format X500Parent) -Format Leaf -ValuesOnly |
  Get-BitLockerRecovery
}

This command depends on the Get-ADPathname.ps1 script, which you can get from my Windows IT Pro article Use PowerShell to Handle Active Directory Paths. It retrieves the parent path of each msFVE-RecoveryInformation object (i.e., all computer objects that have msFVE-RecoveryInformation child objects), retrieves the leaf element of the path of each of these (values only, i.e., only the computer names without the CN= prefix), and pipes each computer name to Get-BitLockerRecovery.ps1.
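As an added example extending the domain-wide query in Example 5 (not code from the article, and without its Get-ADPathname.ps1 dependency), the following function derives each recovery object's parent computer by stripping the first RDN from its distinguished name, then reports which enabled computers in scope have recovery information backed up to AD and which have none. The function name, the output properties and the OperatingSystem column are assumptions made here.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the article: a coverage audit built only on the
# ActiveDirectory module. Function name and output shape are assumptions.

function Get-BitLockerEscrowStatus {
  param(
    # Optional subtree to audit, e.g. "OU=Sales,DC=fabrikam,DC=com"; default is the whole domain.
    [string] $SearchBase,
    # Domain controller or domain name.
    [string] $Server
  )
  $adArgs = @{}
  if ($Server)     { $adArgs['Server']     = $Server }
  if ($SearchBase) { $adArgs['SearchBase'] = $SearchBase }

  # One query returns every recovery object in scope; its parent DN is the computer
  # object. The recovery object's RDN ("<timestamp>{<GUID>}") contains no commas, so
  # dropping the first RDN is a safe substitute for Get-ADPathname -Format X500Parent.
  $backups = @{}
  Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated @adArgs |
    ForEach-Object {
      $parent = $_.DistinguishedName -replace '^CN=[^,]+,', ''
      if (-not $backups.ContainsKey($parent)) { $backups[$parent] = @() }
      $backups[$parent] += $_.whenCreated
    }

  # Join against every enabled computer in the same scope, so machines that never
  # escrowed a key show up with HasEscrowedKey = $false.
  Get-ADComputer -Filter { Enabled -eq $true } -Properties operatingSystem @adArgs |
    ForEach-Object {
      $dates = $backups[$_.DistinguishedName]
      [pscustomobject]@{
        Name             = $_.Name
        OperatingSystem  = $_.OperatingSystem
        HasEscrowedKey   = [bool]$dates
        RecoveryKeyCount = if ($dates) { $dates.Count } else { 0 }
        LatestBackup     = if ($dates) { ($dates | Sort-Object -Descending)[0] } else { $null }
      }
    }
}

# Usage: computers in an OU that have no recovery information backed up to AD.
# Get-BitLockerEscrowStatus -SearchBase "OU=Sales,DC=fabrikam,DC=com" |
#   Where-Object { -not $_.HasEscrowedKey } | Sort-Object Name
```

This only reads object names and timestamps, never msFVE-RecoveryPassword, so it can run under an account that has no right to the confidential attribute; a missing or stale LatestBackup is the signal that a drive may not be recoverable from AD when it is needed.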

BitLocker Recovery Information without the GUI

The BitLocker Recovery Password Viewer feature is an essential tool, but it only works in the Active Directory Users and Computers console. Use Get-BitLockerRecovery.ps1 to overcome this limitation and retrieve BitLocker recovery information from the PowerShell prompt.
