Windows – Is it safe to delete old bitlocker keys from AD

active-directorybitlockerwindowswindows-server-2012

So I have a bunch of old bitlocker keys stored with some computer accounts (the msFVE-RecoveryInformation attribute):

Bitlocker has re-run multiple times and every time it re-encrypts it generates and backs up a new recovery password of course- so the "old" keys are no longer in use.

Is it safe to delete them or will that screw up something with the computer account?

Best Answer

If you're certain you do not need the recovery keys (e.g. You re-imaged or otherwise re-keyed) then you may safely delete them from the computer object.

Related Solutions

List of computers with BitLocker recovery keys

Go grab "AdFind" from Joe Richards' site at http://www.joeware.net and give this script a shot (obviously, spot-test the results until you're confident it's doing what you want reliably).

@echo off
for /f "usebackq delims=" %%i in (`dsquery computer -stalepwd 60 -limit 100000`) do (
    call :do_find %%i
)
goto end

:do_find
rem Search for computer at specified DN without a Bitlocker recovery key.
adfind -b %1 -f "(msFVE-RecoveryPassword=*)" 2>NUL | find "0 Objects returned" >NUL 2>NUL 
if errorlevel 1 goto end

rem Echo DNs of computers w/o bitlocker recovery keys
echo %1

:end

That should loop thru the computers w/ "stale" passwords checking for the presence of an object with a non-null attribute of "msFVE-RecoveryPassword" at the DN where each "stale" computer was found. If no objects were returned then no recovery password was present in the directory.

Joe Richards really deserves a pat on the back for his tools. They make life administering AD so much easier.

Powershell – How to use get-qadcomputer to return all computer objects that have msFVE-RecoveryInformation child objects

I don't believe that this is possible with only one LDAP search, regardless of what type of child object you are looking for. In cases like this I usually try to find if there is an attribute in either the parent or the child that references the other so that I can use that to retrieve the data I want, but in this case there doesn't seem to be.

What might be a better approach than invoking an LDAP search for each computer is this: 1. Use Get-QADObject to enumerate the msFVE-RecoveryInformation objects in your environment, starting from as low of a search root as possible. 2. Build a list of DNs for the parent computer objects using the data retrieved from those objects and store those DNs in an array. 3. Either call Get-QADComputer and use Where-Object to filter out the computers without a DN matching those stored in your array or if there are not many computers that are bitlocker enabled, call Get-QADComputer for each DN in your array to get the computer objects.

FYI, I did a quick Google search for "BitLocker cmdlets" to see if there was an easier way and it returned a go.microsoft.com link to a "Future Resource" document for Windows Server 2008 R2, so maybe these are coming at some point. All that document says for now though is "The document you are attempting to access is not yet available."

Best Answer

Related Solutions

List of computers with BitLocker recovery keys

Powershell – How to use get-qadcomputer to return all computer objects that have msFVE-RecoveryInformation child objects

Related Topic