Automate push of bitlocker recovery key to AD
Often we need to swap a drive into a new PC and then change the computer name.
Our current process is to suspend bitlocker, swap the drive, change the name, reset TPM and then resume protection. This works just fine for allowing us to move bitlocker encrypted drives around without too much hassle. We then push the recovery key to the
new AD object using
manage-bde -protectors c: -adbackup -id{xxxxxxx..}
I would like to be able to script the ad push action so the desktop support team can do this with one click. How would I go about doing this either through a batch or a vbscript?
April 5th, 2012 12:41pm
Hi,
To achieve this feature we need to get the Bitlocker Recovery GUID automatically. Based my research, this may be difficult to achieve.
For reference:
http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx
Best Regards,
Kim ZhouPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
April 9th, 2012 4:58am
I was able to do it perfectly using this script. Figured I'd post it in case anyone else came around looking.
Option Explicit
Dim strNumericalKeyID
Dim strManageBDE,strManageBDE2
Dim oShell
Dim StrPath
Dim StdOut, strCommand
Dim Result, TPM, strLine
Dim Flag, NumericalKeyID
Set oShell = CreateObject("WSCript.Shell")
'====================================================================================
'This section looks for the Bitlocker Key Numerical ID
strManageBDE = "Manage-BDE.exe -protectors -get c:" 'Bitlocker command to gather the ID
Flag = False
Set Result = oShell.Exec(strManageBDE)'sees the results and places it in Result
Set TPM = Result.StdOut 'Sets the variable TPM to the output if the strManageBDe command
While Not TPM.AtEndOfStream
strLine = TPM.ReadLine 'Sets strLine
If InStr(strLine, "Numerical Password:") Then ' This section looks for the Numerical Password
Flag = True
End If
If Flag = True Then
If InStr(strLine, "ID:") Then 'This section looks for the ID
NumericalKeyID = Trim(strLine)' This section trims the empty spaces from the ID {} line
NumericalKeyID = Right(NumericalKeyID, Len(NumericalKeyID)-4)
Flag = False 'Stops the other lines from being collected
End If
End If
Wend
strManageBDE2 = "Manage-BDE.exe -protectors -adbackup C: -ID " & NumericalKeyID
oShell.Run strManageBDE2, 0, True 'Runs the Manage-bde command to move the numerical ID to AD.
April 16th, 2012 3:38pm