JacobH wrote:
For Bitlocker - Storing Keys in AD is antiquated - it's moved to MDOP/MBAM SQL database to the best of my limited knowledge.

Reference:
https://blogs.technet.microsoft.com/askcore/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam/


You can query the machines table, inner join the keys table, to get you computername and recovery key.


Where you go after that, is up to you. If you're MSSQL-minded, you know where I'm going with this...

Mainstream support for Microsoft BitLocker Administration and Monitoring (MBAM) is ending July 2019.

https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-domain-joined-computers-and-moving-to-cloud

Supported method for storing keys is with Active Directory, either on premises or in Azure.

+1 for this

I have managed to work around this by creating an advanced action that executes a script to retrieve the recovery key from AD

I know one request was pulling from AD which you must have access to do. However, I would want lansweeper to request the bitlocker password from the PC directly. I would think using the scan credentials Lansweeper could do this.

From CommandLine: manage-bde -protectors c: -get -Type recoverypassword

From Powershell: Get-BitLockerVolume | ? {$_.KeyProtector.KeyProtectorType -eq "RecoveryPassword"} | Select-Object MountPoint,@{Label='Key';Expression={"$($_.KeyProtector.RecoveryPassword)"}}

For now, I created a job on the server to grab the keys from AD once a day using credentials that have access and write them to the Asset Custom Fields in the Lansweeper DB so that they show up for each asset. This does require that you configure the PCs to record their recovery password to AD.

+1 for this request. Would love to have lansweeper pull bitlocker keys.

i would like to have this feature too, actually i'm looking for a less advanced feature, since we had a bitlocker enabled computer where the AD attribute seems to be missing in AD, i would just like to find out which "recovery key" attributes are empty in AD and compare them to the list of Bitlocker enabled computers to see if we have more PCs with recovery key missing.

Please do that I need this feature

+1, this would be a nice addon.

This would be a great feature to add to Lansweeper. One more vote!