
BitLocker Detection and Recovery Key Retrieval

Sidney Sahdala
Sidney Sahdala Miami, FL Member, Kaseya Certified CHOCOLATE MILK
edited August 18 in Product

Product Name: BitLocker Detection and Recovery Key Retrieval

Version: 2.0

Description: This agent procedure checks the C drive to see if it is encrypted using BitLocker, extracts the BitLocker recovery key, then documents the results to the asset in the Audit module. This uses Custom Fields in VSA, allowing you to create Views, report on it, or even use the View in a Policy.

If you want to check other drives, you just need to edit the PowerShell command in the Agent Procedure to check a different disk.

This agent procedure is the latest version that performs some error checking before entering the result in the custom field. It checks for the presence of the BitLocker feature as the previous version wasn’t accurate in these cases.

Instructions :

This requires you to create two custom fields named BitLocker Status and BitLocker Recovery Key of type String. Once the Custom Fields are created, you can import the Agent Procedure.

You can create Custom Fields in the Audit module by going to:

VSA > Audit > View Individual Data > Machine Summary

Then import the Agent Procedure by going to:

VSA > Agent Procedures > Schedule / Create

After it has been properly imported, you just need to run this against your Windows endpoints. You can either run it manually or add it to a Policy under a schedule to run however often you want.

Documentation is included in the download.

Comments

  • Rob S
    Rob S Member CHOCOLATE MILK
    edited February 18

    This works, but the temporary text file that's created doesn't get deleted. Can that be fixed?

  • Jeff Lorenzen
    Jeff Lorenzen Member CHOCOLATE MILK
    edited February 18

    @Rob S, just add a line in your procedure to delete the temporary file after it's been read into the custom field.  

  • David Perhacs
    David Perhacs Member
    edited February 18

    Jeff is correct. I had taken it out of the original script for testing purposes and never put it back.

  • Rob S
    Rob S Member CHOCOLATE MILK
    edited February 18

    Actually, the line is there, but it doesn't seem to work? (or at least it's not doing what it should).

  • Rob S
    Rob S Member CHOCOLATE MILK
    edited February 18

    I figured it out - the line was there, but was just disabled (didn't realise that was a thing!) - but all now working as expected. Thanks!

  • Zach Perry
    Zach Perry Member CHOCOLATE MILK

    We've been using this for a few months and for the most part it works wonderfully (thank you!) but occasionally we get some false negatives. Devices will have the BitLocker Status custom field set to "Not encrypted"; however, after running Get-BitlockerVolume it shows as FullyEncrypted, and running the (Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword command will print the key. Any ideas why this happens to a few? Running the procedure after verifying the commands results in a success then with no other comments (except for the skip unsupported OS steps) but the field doesn't change.
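The check the post describes (feature present, C drive status, recovery key) can be sketched as one PowerShell function. This is an added example, not the agent procedure from the download and not code from any poster in this thread. The function name and the status strings are assumptions. It keeps "could not query" separate from "not encrypted" and returns the key in memory instead of writing a temporary file.

```powershell
# Added example; not the downloadable agent procedure. Run from an elevated session.
# Get-BitLockerAuditResult and its status strings are hypothetical names.
function Get-BitLockerAuditResult {
    param([string]$MountPoint = 'C:')

    $result = [pscustomobject]@{ Status = 'Unknown'; RecoveryKey = '' }

    # 1. Feature check: without the BitLocker cmdlets nothing can be queried,
    #    so report that instead of guessing an encryption state.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $result.Status = 'BitLocker feature not available'
        return $result
    }

    # 2. Query the volume. A failed query (no elevation, bad mount point, ...)
    #    is recorded as a failure, never as "Not encrypted".
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        $result.Status = "Query failed: $($_.Exception.Message)"
        return $result
    }

    # 3. Record both values: a volume can be FullyEncrypted with protection Off
    #    (suspended), which matters for reporting.
    $result.Status = "$($vol.VolumeStatus) / Protection $($vol.ProtectionStatus)"

    # 4. Only RecoveryPassword protectors carry the 48-digit recovery key;
    #    TPM and other protector types have an empty RecoveryPassword.
    $keys = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.RecoveryPassword })

    if ($keys.Count -gt 0) {
        $result.RecoveryKey = $keys -join '; '
    } elseif ($vol.VolumeStatus -ne 'FullyDecrypted') {
        $result.Status += ' (no recovery password protector)'
    }
    return $result
}

# Show the status and whether a key was found, without echoing the key itself.
Get-BitLockerAuditResult -MountPoint 'C:' |
    Select-Object Status, @{ Name = 'HasRecoveryKey'; Expression = { [bool]$_.RecoveryKey } }
```

If the result has to pass through a file on its way into the custom fields, the file then holds the recovery key in clear text, which is why the delete step discussed above needs to be enabled and verified.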