jprateragg
Champion Sweeper
We use BitLocker in our organization. While we do push the recovery keys into AD, it would be nice if LS could import these as well since we spend most of our time working in LS than we do AD. You already collect the BitLocker drive status--why not collect the recovery keys/PIN as well? Thanks!
23 REPLIES
JacobH
Champion Sweeper III
Thanks Caleb! I deleted my erroneous post.
Caleb
Engaged Sweeper III
JacobH wrote:
For BitLocker - storing keys in AD is antiquated - it's moved to the MDOP/MBAM SQL database, to the best of my limited knowledge.

Reference:
https://blogs.technet.microsoft.com/askcore/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam/

You can query the machines table, inner join the keys table, to get the computer name and recovery key.

Where you go after that is up to you. If you're MSSQL-minded, you know where I'm going with this...

Mainstream support for Microsoft BitLocker Administration and Monitoring (MBAM) is ending July 2019.

https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-domain-joined-computers-and-moving-to-cloud

The supported method for storing keys is Active Directory, either on premises or in Azure.
mshajin
Engaged Sweeper III
+1 for this

I have managed to work around this by creating an advanced action that executes a script to retrieve the recovery key from AD.
cscherrey
Engaged Sweeper III
I know one request was pulling from AD, which you must have access to do. However, I would want Lansweeper to request the BitLocker password from the PC directly. I would think Lansweeper could do this using the scan credentials.

From CommandLine: manage-bde -protectors c: -get -Type recoverypassword

From Powershell: Get-BitLockerVolume | ? {$_.KeyProtector.KeyProtectorType -eq "RecoveryPassword"} | Select-Object MountPoint,@{Label='Key';Expression={"$($_.KeyProtector.RecoveryPassword)"}}

For now, I created a job on the server to grab the keys from AD once a day using credentials that have access and write them to the Asset Custom Fields in the Lansweeper DB so that they show up for each asset. This does require that you configure the PCs to record their recovery password to AD.
duplissi
Engaged Sweeper
+1 for this request. Would love to have lansweeper pull bitlocker keys.
Tomdm
Engaged Sweeper
I would like to have this feature too. Actually, I'm looking for a less advanced feature: since we had a BitLocker-enabled computer where the recovery attribute seems to be missing in AD, I would just like to find out which "recovery key" attributes are empty in AD and compare them to the list of BitLocker-enabled computers, to see if we have more PCs with the recovery key missing.
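The check described in the two posts above (which BitLocker-enabled computers have no recovery information escrowed in AD), as an added example that is not from this thread or from Lansweeper. It assumes the RSAT ActiveDirectory module, read rights on msFVE-RecoveryInformation objects, and a constructed list of computer names standing in for a Lansweeper BitLocker status export; it counts recovery objects without reading the recovery passwords themselves.

```powershell
# Added example: audit which BitLocker-enabled computers have no
# msFVE-RecoveryInformation child object under their AD computer account.
# Assumes the RSAT ActiveDirectory module and read access to those objects.
Import-Module ActiveDirectory

# Constructed sample input: computer names reported as BitLocker-enabled
# (e.g. exported from a Lansweeper drive-status report). Replace with yours.
$BitLockerEnabled = @('PC-0001', 'PC-0002', 'LAPTOP-0042')

function Get-MissingRecoveryInfo {
    param([string[]] $ComputerNames)

    foreach ($name in $ComputerNames) {
        $computer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
        if (-not $computer) {
            # The asset exists in the inventory but has no AD account at all.
            [pscustomobject]@{ Computer = $name; RecoveryObjects = 0; Status = 'NotInAD' }
            continue
        }

        # Escrowed recovery passwords are stored as msFVE-RecoveryInformation
        # objects directly beneath the computer object; only count them here.
        $recovery = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -SearchBase $computer.DistinguishedName -SearchScope OneLevel
        $count = @($recovery).Count

        [pscustomobject]@{
            Computer        = $name
            RecoveryObjects = $count
            Status          = if ($count -eq 0) { 'MissingRecoveryInfo' } else { 'OK' }
        }
    }
}

# Report only the computers that need attention.
Get-MissingRecoveryInfo -ComputerNames $BitLockerEnabled |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

A computer flagged MissingRecoveryInfo has BitLocker on but no recovery password in AD, so the escrow policy or a manual `manage-bde -protectors -adbackup` run should be checked for it.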
iyad_omry
Engaged Sweeper
Please do that, I need this feature.
StephanieCDA
Engaged Sweeper III
+1, this would be a nice addon.
markharry
Engaged Sweeper III
This would be a great feature to add to Lansweeper. One more vote!