Powershell – Verify who has Bitlocker key backed up via PowerShell

bitlocker, powershell, scripting

We currently use Bitlocker on our laptops here at work. The helpdesk are responsible for backing the Bitlocker key up to AD when they build the system. We ran into an issue recently where a user had a hardware problem that set Bitlocker off, so it won't go past the screen prompting for the recovery key.

No problem, we have had this before, except that when I look in AD there's no key, which means somebody forgot to back it up. So I randomly click on a handful of other laptop objects and find another not backed up. So this has me thinking we need to seriously look into this before it happens again (on a higher profile employee).

Instead of going through the entire laptop OU and clicking on the Bitlocker recovery tab, is there a way in PowerShell to check that tab and see if anything is in there? I wouldn't even need to know the key there, just to know if any data is there which would show it's been backed up. If not it's not the end of the world, but I'd much rather be able to do that with a script than manually. 🙂

I've been looking online but so far found nothing that does exactly what I want; usually it's much more complex than I'm needing.

Thanks for any help you can give!
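The check the question asks for can be done against AD directly: BitLocker recovery passwords are stored as child objects of class msFVE-RecoveryInformation beneath each computer object, so a computer with no such child has nothing backed up. The script below is an added example, not code from the original post or its answers. It assumes the RSAT ActiveDirectory module is installed, that the account running it has been delegated read access to msFVE-RecoveryInformation objects (by default only Domain Admins can see them), and that the OU distinguished name is a placeholder to replace with your own laptop OU.

```powershell
# Added example (not from the original post): for every computer in a laptop OU,
# report whether any BitLocker recovery information is stored under its AD object.
# Assumptions: RSAT ActiveDirectory module present; the running account can read
# msFVE-RecoveryInformation objects; $LaptopOU below is a placeholder.
Import-Module ActiveDirectory

$LaptopOU = 'OU=Laptops,OU=Workstations,DC=example,DC=com'   # placeholder, replace

$results = foreach ($computer in Get-ADComputer -SearchBase $LaptopOU -Filter *) {
    # Recovery passwords live one level beneath the computer object, so a
    # OneLevel search scoped to the computer's DN finds only its own backups.
    $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName `
                               -SearchScope OneLevel `
                               -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                               -Properties whenCreated)

    # Only the existence and age of the backup are reported; the key itself is
    # never read or displayed.
    [pscustomobject]@{
        ComputerName = $computer.Name
        KeyBackedUp  = ($recovery.Count -gt 0)
        BackupCount  = $recovery.Count
        LatestBackup = if ($recovery.Count -gt 0) {
                           ($recovery | Sort-Object whenCreated -Descending |
                               Select-Object -First 1).whenCreated
                       } else { $null }
    }
}

# Machines with no backup sort to the top so they are easy to act on.
$results | Sort-Object KeyBackedUp, ComputerName | Format-Table -AutoSize

# Hand the gap list to the helpdesk as a CSV.
$results | Where-Object { -not $_.KeyBackedUp } |
    Export-Csv -Path "$env:TEMP\BitLocker-NoBackup.csv" -NoTypeInformation
```

Two caveats when reading the output: a computer that shows a backup may still hold a stale one if the drive was re-encrypted after the key was escrowed (compare LatestBackup against when the machine was last rebuilt), and a computer that shows none may simply be unreadable to your account rather than truly missing a key, so confirm the delegation on the OU before treating an empty result as a gap.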

Best Answer

As MDMara points out, You're Doing It Wrong™.

Enable the GPO setting to back up the BitLocker keys to AD automatically. BitLocker will back up the key first, so it's not possible to get into the situation you have now. There are quite a few other BitLocker GPO settings too.

You'll also want the BitLocker Recovery Password Viewer for Active Directory Users and Computers that allows you to see the BitLocker Keys in AD.

Not to get too preachy: Before you go endeavoring into new technologies which might lock people out of their computers permanently, you should really read all the documentation and best practices. MS has published volumes on BitLocker to help people prevent mistakes like this.