If a Windows 7 machine is not in a domain when the drive is encrypted with BitLocker, then the key backup will not automatically occur. I've modified some code from this TechNet article to force this backup to occur for the C: drive. The script could be modified to backup keys from all drives pretty easily, but this had to be rolled out very quickly!
The script:
strDriveLetter = "c:"
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," _
& "authenticationLevel=pktPrivacy}!\\." _
& "\root\cimv2\security\microsoftvolumeencryption")
If Err.Number <> 0 Then
WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
Wscript.Echo "Ensure that you are running with administrative privileges."
WScript.Quit -1
Else
WScript.Echo "Successfully connected to BitLocker interface."
End If
Set colTargetVolumes = objWMIService.ExecQuery _
("Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'")
If colTargetVolumes.Count = 0 Then
WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on this computer "
WScript.Quit -1
End If
For Each objFoundVolume in colTargetVolumes
set objVolume = objFoundVolume
strEncDriveLetter = objVolume.DriveLetter
WScript.Echo "Encryptable Volume found :" & strEncDriveLetter
intRC = objVolume.GetProtectionStatus(nPStatus)
If nPStatus = 1 Then
WScript.Echo "Drive is encrypted"
Else
WScript.Echo "Drive Not Encrypted"
End If
Next
nKeyProtectorType = 3 'Numerical Password
insKey = objVolume.GetKeyProtectors(nKeyProtectorType,vProtectors)
For each vFoundKeyProtectorID in vProtectors
vKeyProtectorID = vFoundKeyProtectorID
' WScript.Echo "Key Protector: ", vKeyProtectorID
Next
insKey = objVolume.GetKeyProtectorNumericalPassword(vKeyProtectorID,numPWD)
If insKey <> 0 Then
WScript.Echo "Password Get Failed"
WScript.Quit -1
End If
WScript.Echo "Numerical PW: " & numPWD
WScript.Echo "For key Protector: ", vKeyProtectorID
iBackupSuccessful = objVolume.BackupRecoveryInformationToActiveDirectory(vKeyProtectorID)
If iBackupSuccessful <> 0 Then
WScript.Echo "Password Storage to ADS failed."
WScript.Quit -1
Else
WScript.Echo "Successfully stored password in ADS."
End If
1 comment:
Thank you! :)
Post a Comment