When your computers in a corporate network are encrypted with BitLocker, you can optionally have the recovery information uploaded to Active Directory. There aren’t really any major drawbacks to doing this, as in most cases if an attacker has elevated access to AD, he can simply log into an encrypted workstation without bothering with BitLocker and your workstation hard drives are not the greatest of your problems.
The BitLocker recovery info is stored in an odd manner (as separate msFVE-RecoveryInformation child objects under the computer object), which can make scripted retrieval a little difficult. I took the opportunity to create the following command, trying to meet these objectives:
- It needs to be able to verify the computer we’re looking up
- It should be able to accept pipeline input for batch jobs and utilize the Begin section of the function to perform any initial searches that are used again for each object
- It should also be able to look up the password/computer by recovery key ID, for the case where Joe Exec was given a loaner, doesn’t know the computer name, and hit the recovery screen after sticking a thumb drive in and trying to boot (or docking it, or any of the other myriad cases where BitLocker starts acting up)
- It should default to NOT retrieve the password, but do so optionally
- Let’s use Comment Based Help for some simple documentation
This is what I came up with:
I’ve seen alternate methods of looking them up, where instead of returning all “msFVE-RecoveryInformation” objects, you use the computer’s Distinguished Name as a SearchBase. I may go back and optimize this, but I’ve been satisfied with the performance on this method. Let me know if you have any thoughts on the matter.
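The function below is an added example that implements the objectives listed above; it is not the author's original command, which is not reproduced on this page. It assumes the RSAT ActiveDirectory module, a domain account permitted to read msFVE-RecoveryInformation objects, and the hypothetical names Get-BitLockerRecoveryInfo and Format-Record.

```powershell
function Get-BitLockerRecoveryInfo {
    <#
    .SYNOPSIS
    Finds BitLocker recovery objects stored in AD for a computer, or the computer that owns a recovery key ID.
    .PARAMETER ComputerName
    One or more computer names; accepts pipeline input, e.g. from Get-ADComputer.
    .PARAMETER RecoveryKeyId
    The key ID shown on the BitLocker recovery screen (the first 8 characters of the recovery GUID suffice).
    #>
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('Name')] [string[]]$ComputerName,
        [Parameter(ParameterSetName = 'ByKeyId', Mandatory)] [string]$RecoveryKeyId,
        [switch]$ShowPassword   # off by default: the 48-digit password is returned only when asked for
    )
    begin {
        Import-Module ActiveDirectory -ErrorAction Stop
        # One directory search for every recovery object; each pipeline item then filters this list in memory.
        $allRecovery = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties msFVE-RecoveryPassword, whenCreated
        # Hypothetical helper: shape an msFVE object into a friendlier record, attaching the password only on request.
        function Format-Record([string]$Computer, $Obj) {
            $record = [pscustomobject]@{
                ComputerName  = $Computer
                RecoveryKeyId = [regex]::Match($Obj.Name, '\{([0-9a-fA-F-]+)\}').Groups[1].Value
                Created       = $Obj.whenCreated
            }
            if ($ShowPassword) { $record | Add-Member NoteProperty RecoveryPassword $Obj.'msFVE-RecoveryPassword' }
            $record
        }
    }
    process {
        if ($PSCmdlet.ParameterSetName -eq 'ByKeyId') {
            # The object name embeds the recovery GUID in braces, so a prefix match on the key ID finds it.
            foreach ($obj in ($allRecovery | Where-Object Name -like "*{$RecoveryKeyId*")) {
                # Recovery objects are children of the computer object: strip the first RDN to get the computer DN.
                $computerDn = $obj.DistinguishedName -replace '^[^,]+,', ''
                Format-Record (Get-ADComputer -Identity $computerDn).Name $obj
            }
        } else {
            foreach ($name in $ComputerName) {
                # Verify the computer exists first, so a typo surfaces as an error instead of empty output.
                try { $computer = Get-ADComputer -Identity $name -ErrorAction Stop }
                catch { Write-Error "Computer '$name' was not found in Active Directory"; continue }
                $allRecovery | Where-Object DistinguishedName -like "*,$($computer.DistinguishedName)" |
                    ForEach-Object { Format-Record $computer.Name $_ }
            }
        }
    }
}
```

Typical calls are `Get-ADComputer -Filter 'Name -like "WS*"' | Get-BitLockerRecoveryInfo` for a batch report and `Get-BitLockerRecoveryInfo -RecoveryKeyId 1A2B3C4D -ShowPassword` for the loaner-at-the-recovery-screen case; reads of the password attribute are audited by AD if object access auditing is enabled, so keeping the switch off by default limits needless exposure.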