
November 9, 2017 at 9:12 pm

I'm trying to build a script that can back up BitLocker recovery keys from all BitLocker-protected volumes that the computer might have. I have been scratching my head with this.

This one works for the OS drive on my test machine but fails to back up the recovery password of my data drive D to AD.

Get-BitLockerVolume | ForEach-Object {Backup-BitLockerKeyProtector -MountPoint $.MountPoint -KeyProtectorId $.KeyProtector[1].KeyProtectorId}

I noticed that the problem is this part: $.KeyProtector[1]

When I run Get-BitLockerVolume I can see that the KeyProtector property looks like the output below. So the RecoveryPassword is stored at array index [0] for drive D and at [1] for drive C.

VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector              AutoUnlock Protection
                Point                           Percentage                           Enabled    Status
----------      ----- ---------- ------------   ---------- ------------              ---------- ----------
OperatingSystem C:        126,40 FullyEncrypted 100        {Tpm, RecoveryPassword}              On
Data            D:        126,87 FullyEncrypted 100        {RecoveryPassword, Ext... True       On

The question is: how the heck can I modify my code to get all RecoveryPasswords from all possible BitLocker-protected drives that the computer might have?

November 10, 2017 at 3:18 am

An error, maybe: you need $_. instead of $.

November 10, 2017 at 9:29 am

True, but that was only a typo when copying the code here.

November 10, 2017 at 10:47 pm

I was able to get it working as I want. Now it will back up every BitLocker recovery key to AD. Any ideas how to optimize the code even better?

# Collect every volume that has at least one RecoveryPassword key protector
$BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}}

If ($BLVS) {
    ForEach ($BLV in $BLVS) {

        # Select the protector by type instead of by array index
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}

        # Escrow the recovery password to AD
        Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $Key.KeyProtectorId

    }
} Else {

    Write-Host "Nothing to backup" -ForegroundColor Magenta

}
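
Added example, not part of the original posts: a pipeline function that backs up every RecoveryPassword protector on each volume, including volumes that carry more than one, and reports a per-protector result so a failed escrow is visible. The function name `Backup-RecoveryPasswordProtector`, the result property names and the sample objects are assumptions made for illustration; the sample IDs are constructed placeholders.

```powershell
function Backup-RecoveryPasswordProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Objects shaped like Get-BitLockerVolume output (MountPoint, KeyProtector)
        [Parameter(Mandatory, ValueFromPipeline)] $Volume
    )
    process {
        # Select by type, not by array index: the position of the recovery
        # password differs per volume, and a volume can hold several of them.
        $protectors = @($Volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        foreach ($kp in $protectors) {
            $status = 'Skipped'; $err = $null
            $target = "$($Volume.MountPoint) $($kp.KeyProtectorId)"
            if ($PSCmdlet.ShouldProcess($target, 'Back up recovery password to AD DS')) {
                try {
                    # -ErrorAction Stop turns a failed escrow into a catchable error
                    Backup-BitLockerKeyProtector -MountPoint $Volume.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                    $status = 'BackedUp'
                } catch {
                    $status = 'Failed'; $err = $_.Exception.Message
                }
            }
            # Report only the protector ID; the password itself is never written out.
            [pscustomobject]@{
                MountPoint     = $Volume.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                Status         = $status
                Error          = $err
            }
        }
    }
}

# Constructed sample objects (not real volumes or IDs) for a dry run with -WhatIf.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm'; KeyProtectorId = '{SAMPLE-ID-1}' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{SAMPLE-ID-2}' }) },
    [pscustomobject]@{ MountPoint = 'D:'; KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{SAMPLE-ID-3}' },
        [pscustomobject]@{ KeyProtectorType = 'ExternalKey'; KeyProtectorId = '{SAMPLE-ID-4}' }) }
)
$sample | Backup-RecoveryPasswordProtector -WhatIf

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Backup-RecoveryPasswordProtector
```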