Hello,
I am trying to see if there is a way the BES client can determine if a Bitlocker key has been escrowed in AD for the device it’s on. Does anyone have experience with this process, or have some idea the code required to do so?
Thanks!
The key being backed up in AD is only a property on the computer container in AD, so you must query AD.
Reading the key stored in AD from the client side of the house with powershell would look like this:
Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase (get-adcomputer "$env:COMPUTERNAME").DistinguishedName -Properties 'msFVE-RecoveryPassword'
BUT this will only work if the computer has the AD powershell module installed and it can reach AD, and you need to make sure it has permissions to read that object class & property.
You could use VBS too, but that still has the same problem.
Also, you can use the following powershell command locally to pull the bitlocker password locally… but that’s not too helpful in this case unless you wanted to store the key in bigfix as a computer property… hum…
(Get-BitLockerVolume).keyprotector
I feel like the ultimate solution may be using the API to loop through the computers, then query AD, then set a custom bigfix property with the API for “BitLocker_Key_backup_in_AD” = “True” or something similar.
You could also make a fixlet that backups the recovery key to AD and then use the exit codes to determine success:
something like:
// BigFix actionscript (placeholder {ID of protector} must be filled in)
waithidden manage-bde -protectors -adbackup c: -id {ID of protector}
if {exit code of action != 0}
    exit {exit code of action}
endif
it won’t tell you if there is already a key backed up but at least you can backup your keys and know if it’s working!
Bill
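Putting the two halves of Bill's answer together, here is an added PowerShell example (not code from the forum post or from BigFix) that answers the original question for one volume: it lists the local RecoveryPassword protectors, pulls the msFVE-RecoveryInformation objects that sit directly under the computer object, and reports whether any local protector ID matches an escrowed one. It assumes the ActiveDirectory and BitLocker modules are present and that the account running it can read msFVE-RecoveryGuid under the computer object; the function name Test-BitLockerKeyEscrowedInAD is made up for this example. Note it asks AD only for msFVE-RecoveryGuid, never msFVE-RecoveryPassword, since the escrow check does not need the password itself and reading it requires far broader rights.

```powershell
# Added example, not from the forum post. Assumes the ActiveDirectory and
# BitLocker modules are installed and the caller may read msFVE-RecoveryGuid
# under its own computer object in AD.
Import-Module ActiveDirectory
Import-Module BitLocker

function Test-BitLockerKeyEscrowedInAD {
    param(
        [string]$MountPoint = 'C:'
    )

    # Local recovery-password protectors; KeyProtectorId is a "{GUID}" string
    $localProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $localProtectors) {
        return [pscustomobject]@{
            Volume   = $MountPoint
            Escrowed = $false
            Reason   = 'No RecoveryPassword protector on this volume'
        }
    }

    # msFVE-RecoveryInformation objects are children of the computer object,
    # so search one level below its DN. Only the GUID attribute is requested;
    # the recovery password is deliberately not read.
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $escrowed = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -SearchBase $computerDn -SearchScope OneLevel -Properties 'msFVE-RecoveryGuid'

    # msFVE-RecoveryGuid is stored as 16 raw bytes; turn each into a [guid]
    $escrowedIds = foreach ($obj in $escrowed) {
        [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
    }

    foreach ($kp in $localProtectors) {
        if ($escrowedIds -contains [guid]$kp.KeyProtectorId) {
            return [pscustomobject]@{
                Volume   = $MountPoint
                Escrowed = $true
                Reason   = "Protector $($kp.KeyProtectorId) has a matching msFVE-RecoveryInformation object"
            }
        }
    }

    return [pscustomobject]@{
        Volume   = $MountPoint
        Escrowed = $false
        Reason   = 'No local protector ID matches an msFVE-RecoveryGuid under the computer object'
    }
}

# Example run: the Escrowed field is the single value a BigFix property could consume
$result = Test-BitLockerKeyEscrowedInAD -MountPoint 'C:'
$result | Format-List
```

Because the check compares protector GUIDs rather than counting objects, a stale msFVE-RecoveryInformation object left over from a rotated protector will not be mistaken for a current backup; Escrowed is only true when the key currently on the volume is the one in AD.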