Import BitLocker recovery keys

jprateragg · ‎12-16-2015

We use BitLocker in our organization. While we do push the recovery keys into AD, it would be nice if LS could import these as well since we spend most of our time working in LS than we do AD. You already collect the BitLocker drive status--why not collect the recovery keys/PIN as well? Thanks!

JacobH · ‎02-11-2019

Thanks Caleb! I deleted my erroneous post.

Caleb · ‎02-11-2019

JacobH wrote:
For Bitlocker - Storing Keys in AD is antiquated - it's moved to MDOP/MBAM SQL database to the best of my limited knowledge.

Reference:
https://blogs.technet.microsoft.com/askcore/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam/

You can query the machines table, inner join the keys table, to get you computername and recovery key.

Where you go after that, is up to you. If you're MSSQL-minded, you know where I'm going with this...

Mainstream support for Microsoft BitLocker Administration and Monitoring (MBAM) is ending July 2019.

https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-domain-joined-computers-and-moving-to-cloud

Supported method for storing keys is with Active Directory, either on premises or in Azure.

mshajin · ‎02-06-2019

+1 for this

I have managed to work around this by creating an advanced action that executes a script to retrieve the recovery key from AD

cscherrey · ‎01-11-2019

I know one request was pulling from AD which you must have access to do. However, I would want lansweeper to request the bitlocker password from the PC directly. I would think using the scan credentials Lansweeper could do this.

From CommandLine: manage-bde -protectors c: -get -Type recoverypassword

From Powershell: Get-BitLockerVolume | ? {$_.KeyProtector.KeyProtectorType -eq "RecoveryPassword"} | Select-Object MountPoint,@{Label='Key';Expression={"$($_.KeyProtector.RecoveryPassword)"}}

For now, I created a job on the server to grab the keys from AD once a day using credentials that have access and write them to the Asset Custom Fields in the Lansweeper DB so that they show up for each asset. This does require that you configure the PCs to record their recovery password to AD.

duplissi · ‎01-10-2019

+1 for this request. Would love to have lansweeper pull bitlocker keys.

Tomdm · ‎01-03-2019

i would like to have this feature too, actually i'm looking for a less advanced feature, since we had a bitlocker enabled computer where the AD attribute seems to be missing in AD, i would just like to find out which "recovery key" attributes are empty in AD and compare them to the list of Bitlocker enabled computers to see if we have more PCs with recovery key missing.

iyad_omry · ‎12-26-2018

Please do that I need this feature

StephanieCDA · ‎12-20-2018

+1, this would be a nice addon.

markharry · ‎10-31-2018

This would be a great feature to add to Lansweeper. One more vote!

Import BitLocker recovery keys

Product Discussions

New to Lansweeper?

Try Lansweeper For Free