Tularis

Store Bitlocker Recovery Key In Labtech?


Hello,

Is there any way to get LabTech to automatically back up the BitLocker recovery key?

We have looked at the GPO policies in AD, but these do not back up keys for computers that have been previously encrypted...


Try running this:

 

(Get-BitLockerVolume -MountPoint C).KeyProtector | Select -ExpandProperty RecoveryPassword

 


If you want just the key with no additional blank lines, you can run:

(Get-BitLockerVolume -MountPoint C).KeyProtector | Select -ExpandProperty RecoveryPassword | Where-Object { $_ -ne "" }

This is great for putting the data into an EDF, etc.

 

@Tularis This would have to be run on the PC in LT.

Edited by HenryG

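An added example, not code from the thread, that serves both Tularis's question about machines encrypted before the GPO applied and the one-liners in the two replies above. It selects the RecoveryPassword protectors by type (the TPM protector has an empty RecoveryPassword, which is where the blank line in the one-liner comes from), writes one "KeyProtectorId|RecoveryPassword" line per protector so the EDF also records the ID that the pre-boot recovery screen displays, and with -BackupToAd escrows each protector to AD DS with Backup-BitLockerKeyProtector, which also covers volumes encrypted before the policy existed. The parameter names and the output format are my choices; it assumes an elevated session on Windows 8 / Server 2012 or later and, for the AD switch, that the domain has the BitLocker recovery schema in place and a DC is reachable.

```powershell
# Added example, not from the thread. Collects every RecoveryPassword
# protector on one volume, one "KeyProtectorId|RecoveryPassword" line each,
# and optionally escrows each to AD DS. Needs an elevated session and the
# BitLocker module (Windows 8 / Server 2012 and later).
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,   # "C:" on a normal install
    [switch]$BackupToAd                       # assumes the AD DS BitLocker recovery schema is in place
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# The TPM protector has an empty RecoveryPassword, which is where the blank
# line in the one-liner comes from; select by protector type instead of filtering strings.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recovery.Count -eq 0) {
    # Report the state so the EDF is not silently left holding an old key.
    "NONE|ProtectionStatus=$($vol.ProtectionStatus)|VolumeStatus=$($vol.VolumeStatus)"
    exit 1
}

foreach ($p in $recovery) {
    # The pre-boot recovery screen shows the first 8 characters of this ID,
    # so storing it lets a technician pick the right key when there are several.
    '{0}|{1}' -f $p.KeyProtectorId, $p.RecoveryPassword

    if ($BackupToAd) {
        # Escrows this protector to the computer object in AD DS. Unlike the GPO,
        # this also covers volumes that were encrypted before the policy applied.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }
}
```

Run it once with -BackupToAd against the existing fleet to close the gap the original question describes, and without the switch from the LabTech script when you only want the EDF value; a non-zero exit code tells the calling script that no recovery password protector exists, which is a state worth alerting on rather than storing.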

Hey guys,

I updated the script posted above and have attached my copy of it. It was set to run PowerShell as Admin; I changed that to the Execute Script function with PowerShell in Bypass mode instead of running anything as admin, since that causes issues. I also trimmed up the recovery key to exclude spaces and blank lines.

 

Get Bitlocker Status then set EDF's.xml


@Jacobsa See attached for revision 2, where I added in @DarrenWhite99's Email Technician so that you don't have to manually check whether the script was successful.

The issue I have is with the current way I check for BitLocker encrypting (100 percent), so I can't use this as part of an enable-BitLocker-and-store-key all-in-one script.

Get Bitlocker Status then set EDF's.xml

On 9/19/2018 at 10:24 AM, itinfserv said:

Since the import didn't work for me, I found the commands. Here is what I stuck together.

Good points. I also switched to shell and manage-bde instead, since I had an issue with backward compatibility.

 

 

So far I have the following:

1) Test if the TPM is enabled (PowerShell), since I can't find a way to get this using manage-bde.

a. Test and then update the EDF (I use this so that if a machine doesn't have BitLocker enabled, I know I can push out "enable" to the computer).

2) Call the Test BitLocker Status and Set EDF script (I couldn't get the roles that @Gavsto created to work properly, but if I do then I would use those instead :-)).

a. Call a test BitLocker status script (I use manage-bde for backward compatibility). I broke it apart since I run this script once a day on all agents to detect whether BitLocker is enabled and then join the agent to a group so that I can script against it.

b. Update the EDF if protection is on.

3) Call the Get BitLocker Keys and Store in EDF script (broke it apart so I can call just that section based on the group it's part of).

a. Switched to manage-bde since it's backward compatible.

 

Current Issue

In the Get BitLocker Keys and Store in EDF script I am grabbing the full output and storing it. How can I grab a specific part of the returned information and only store that in the EDF?

 

Scripts

Master Script: I am adding in the Enable BitLocker and Set the EDFs script I put together. This should include all other scripts, since it calls them.

I used PowerShell for the enable-BitLocker part, since any system I am using it on is Windows 10 or later.

Get Bitlocker Status and Record Keys then set EDF's_V3.xml

Enable Bitlocker and set the EDF's_V1.xml


Just to help the community: I have our system run a BitLocker get-status script on all devices.
I have made several EDFs for the device to store information:

All of these are LOCKED so none of the techs can alter or adjust them.

  1. TPM Enabled. This runs the PowerShell command:    Get-Tpm | Select-Object -ExpandProperty AutoProvisioning
    • There is an IF statement where, if the TPM is enabled, it marks the TPM EDF as enabled.
    • This tells me whether the device is able to be encrypted (we try to always have a TPM).
  2. Checks if the BitLocker ProtectionStatus is on.    Runs the PowerShell command: Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty ProtectionStatus
    • There is an IF statement where, if the ProtectionStatus is ON, it will check the 'BitlockerEnabled' box.
  3. The script will always run the 2 commands below regardless of whether BitLocker is enabled:
    • Bitlocker Recovery Key:  PowerShell command:  manage-bde -protectors -get C:
    • Get Bitlocker Status of C:.  PowerShell command:  manage-bde -status C:
  4. The 'Date checked for Encryption' is a self-diagnosing piece to tell me when the script was last run.

 

Example Contents of each EDF:

Bitlocker Recovery Key:

BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
All Key Protectors

    TPM:
      ID: {E123456-E123-F123-F123-D123456789012}
      PCR Validation Profile:
        0, 2, 4, 11

    Numerical Password:
      ID: {1DDB4148-A123-B123-C123-B12345678901}
      Password:
        123456-123456-123456-123456-123456-123456-123456-123456

Bitlocker Status of C:

BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 475.49 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

 

 

Attached is the SQL for importing the EDF files as well as the script used.

 

Hope this helps!

Get Bitlocker Status of Device.xml

Bitlocker-ComputerEDF.sql

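An added example, not Brenden's or itinfserv's script, that answers itinfserv's question about storing only a specific part of the manage-bde output and follows the field layout of the EDFs Brenden describes above. Instead of storing the whole banner, it parses the manage-bde -status and manage-bde -protectors -get text with regular expressions into one hashtable per device: TPM state, protection on/off, percent encrypted (so a caller can wait for 100% before collecting), encryption method, and every Numerical Password ID/password pair. The function and key names are mine; it assumes manage-bde on PATH (any supported Windows version) and uses Get-Tpm for the TPM check (Windows 8 / Server 2012 and later; where the cmdlet is absent the field is simply left false). The sample texts at the end are constructed from the output shapes quoted above so the parser can be exercised offline.

```powershell
# Added example, not the thread's script: parse manage-bde output into the
# specific values worth storing in EDFs instead of the whole banner.
function Get-BitLockerEdfValues {
    param(
        [string]$MountPoint = 'C:',
        # If supplied, these texts are parsed instead of running manage-bde
        # (used below to exercise the parser offline with constructed samples).
        [string]$StatusText,
        [string]$ProtectorText
    )
    if (-not $StatusText)    { $StatusText    = (& manage-bde -status $MountPoint 2>&1) -join "`n" }
    if (-not $ProtectorText) { $ProtectorText = (& manage-bde -protectors -get $MountPoint 2>&1) -join "`n" }

    $edf = @{}   # keys are EDF names (my names, not the thread's exact ones)

    # "Protection Status:    Protection On" -> $true ; anything else -> $false
    $edf.BitlockerEnabled = [bool]($StatusText -match 'Protection Status:\s+Protection On\b')

    # "Percentage Encrypted: 100.0%" -> 100 ; lets a caller wait for conversion to finish
    $edf.PercentEncrypted = if ($StatusText -match 'Percentage Encrypted:\s+([\d.]+)%') { [double]$Matches[1] } else { 0 }

    # "Encryption Method:    XTS-AES 128" -> "XTS-AES 128"
    $edf.EncryptionMethod = if ($StatusText -match 'Encryption Method:\s+(.+)') { $Matches[1].Trim() } else { '' }

    # Each "Numerical Password:" block has the ID on the next line and the
    # 48-digit password two lines later. A volume may carry more than one, so
    # keep all of them as "ID|password" joined by ';'. The ID is what the
    # recovery screen shows, so a technician can match the right key.
    $pattern = 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})\s+Password:\s+(\d{6}(?:-\d{6}){7})'
    $pairs = [regex]::Matches($ProtectorText, $pattern) |
        ForEach-Object { '{0}|{1}' -f $_.Groups[1].Value, $_.Groups[2].Value }
    $edf.RecoveryKeys = @($pairs) -join ';'

    # TPM check: Get-Tpm exists on Windows 8/2012 and later; on older systems
    # the cmdlet is absent and the field stays $false rather than failing the script.
    $tpm = if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) { Get-Tpm -ErrorAction SilentlyContinue }
    $edf.TpmEnabled = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    $edf.DateChecked = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    return $edf
}

# Constructed sample texts (shape copied from the output quoted in the thread),
# so the parser can be exercised without BitLocker on the machine running it.
$sampleStatus = @'
Volume C: []
[OS Volume]

    Size:                 475.49 GB
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@

$sampleProtectors = @'
Volume C: []
All Key Protectors

    TPM:
      ID: {E123456-E123-F123-F123-D123456789012}

    Numerical Password:
      ID: {1DDB4148-A123-B123-C123-B12345678901}
      Password:
        123456-123456-123456-123456-123456-123456-123456-123456
'@

$values = Get-BitLockerEdfValues -StatusText $sampleStatus -ProtectorText $sampleProtectors
$values.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# On a real agent, omit the sample texts: (Get-BitLockerEdfValues -MountPoint 'C:').RecoveryKeys
```

Each hashtable value maps to one EDF, so the LabTech script only has to write $values.RecoveryKeys rather than the whole manage-bde output, and a PercentEncrypted below 100 tells the enable-and-store script to come back later instead of recording a key for a conversion that is still running.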

Just wondering how many people are actually storing keys in their database? I have some issues storing this information (even encrypted). If something were to happen, you'd be putting a lot of your customers at risk.

What about if the volume is encrypted again and the script didn't run to collect the new key? I'm assuming a new key is created. It would put me in a pretty bad position if the TPM failed or a hardware change happened and I didn't have the key.

1 hour ago, BrendenCleppe said:

@amw3000 We run and grab ALL the keys every 2 days and replace the EDF for the device, so we always have the latest information regardless of whether the key changes.

But what if the key changes while the machine is offline and then the machine gets locked out? Your key will be useless and, since that volume is locked, there's no way for you to get an updated key.

There is a chance this can happen, and you will have to have a very awkward conversation with your customer.


I am fairly certain that the RECOVERY key (which the tool collects) cannot be changed without completely decoding/encoding. You can change a password or PIN on a whim, but I believe the recovery key is the key behind the key, the actual encryption key that you cannot change.

If a drive was decoded and encoded in a short time (that doesn't accidentally happen, am I right?) and you were not able to capture the recovery key before it was "lost", that can't be entirely on you. The awkward conversation would be with whatever person did that (authorization?) and immediately lost their password.

On 1/15/2019 at 9:12 PM, BrendenCleppe said:

Just to help the community. I have our system run a bitlocker get status script on all devices.
I have made several EDF's for the device to store information:

 

Worked like a charm!  Thank you, sir!


Is there any harm or purpose in changing the EDF so that the field where it stores the recovery key in the database is encrypted?

Also, I am a bit of a n00b... how can I make this a scheduled script to run every couple of days?

EDIT - I was able to add the script to my service plans; is this the best method?

 

Thanks in advance

Edited by TehArchitect


@TehArchitect You can certainly do that. It will encrypt the data within the database itself, so if you are doing any queries it will be encrypted.
It might be an option if you have any external connection directly to the database.

When you encrypt the entry, any views from Automate should be okay. At least that is what I remember from the articles on ExtraDataFields.

 

Edited by BrendenCleppe


Your script and EDF work brilliantly, many thanks for that Brenden, it's exactly what I was looking for.
