Thursday 14 October 2010

Force BitLocker key backup to Active Directory

If a Windows 7 machine is not in a domain when the drive is encrypted with BitLocker, then the key backup will not automatically occur. I've modified some code from this TechNet article to force this backup to occur for the C: drive. The script could be modified to backup keys from all drives pretty easily, but this had to be rolled out very quickly!

The script:


strDriveLetter = "c:"

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," _
& "authenticationLevel=pktPrivacy}!\\." _
& "\root\cimv2\security\microsoftvolumeencryption")

If Err.Number <> 0 Then
WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
Wscript.Echo "Ensure that you are running with administrative privileges."
WScript.Quit -1
Else
WScript.Echo "Successfully connected to BitLocker interface."
End If

Set colTargetVolumes = objWMIService.ExecQuery _
("Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'")


If colTargetVolumes.Count = 0 Then
WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on this computer "
WScript.Quit -1

End If

For Each objFoundVolume in colTargetVolumes
set objVolume = objFoundVolume
strEncDriveLetter = objVolume.DriveLetter
WScript.Echo "Encryptable Volume found :" & strEncDriveLetter
intRC = objVolume.GetProtectionStatus(nPStatus)

If nPStatus = 1 Then
WScript.Echo "Drive is encrypted"
Else
WScript.Echo "Drive Not Encrypted"
End If
Next

nKeyProtectorType = 3 'Numerical Password

insKey = objVolume.GetKeyProtectors(nKeyProtectorType,vProtectors)

For each vFoundKeyProtectorID in vProtectors
vKeyProtectorID = vFoundKeyProtectorID
' WScript.Echo "Key Protector: ", vKeyProtectorID
Next

insKey = objVolume.GetKeyProtectorNumericalPassword(vKeyProtectorID,numPWD)

If insKey <> 0 Then

WScript.Echo "Password Get Failed"

WScript.Quit -1

End If

WScript.Echo "Numerical PW: " & numPWD

WScript.Echo "For key Protector: ", vKeyProtectorID

iBackupSuccessful = objVolume.BackupRecoveryInformationToActiveDirectory(vKeyProtectorID)

If iBackupSuccessful <> 0 Then
WScript.Echo "Password Storage to ADS failed."
WScript.Quit -1
Else
WScript.Echo "Successfully stored password in ADS."
End If

1 comment: