PS > Export-BitlockerRecoveryKeys

This script exports the BitLocker recovery information stored in Active Directory for every computer object in your domain. Run it as a scheduled task – but make sure to set appropriate permissions on the resulting CSV file, since the recovery passwords are written to it in clear text!

#Requires -Modules ActiveDirectory
function Export-BitlockerRecoveryKeys
{
    [CmdletBinding()]
    Param
    (
        # Destination CSV; recovery passwords are written in clear text, so restrict its ACL
        $CSVFile = "c:\scripts\BitlockerExport.csv",
        # Computer objects to query; defaults to every computer object in the domain
        $Computers = (Get-ADComputer -Filter *)
    )

    Begin
    {
        if(-not(Test-Path $CSVFile))
        {
            $null = New-Item -Path $CSVFile -Force -ItemType File
        }

        $Array = @()
        # Keys exported by earlier runs, so only new ones are appended (empty on the first run)
        $CurrentData = Import-Csv $CSVFile -ErrorAction SilentlyContinue
    }

    Process
    {
        foreach ($Computer in $Computers)
        {
            # msFVE-RecoveryInformation objects are stored as children of the computer object
            $RecoveryKey = Get-ADObject -SearchBase $Computer.DistinguishedName -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -Properties msFVE-RecoveryPassword
            if($RecoveryKey)
            {
                foreach ($Key in $RecoveryKey)
                {
                    if($CurrentData.Key -notcontains $Key.'msFVE-RecoveryPassword')
                    {
                        # The object name has the form "<timestamp>{<password ID GUID>}"
                        $ThisComputer = [pscustomobject]@{
                            "Name" = $Computer.Name
                            "Date" = ($Key.Name -split '\{')[0] -as [datetime]
                            "ID"   = ($Key.Name -split '\{')[1].TrimEnd("}")
                            "Key"  = $Key.'msFVE-RecoveryPassword'
                        }
                        $Array += $ThisComputer
                    }
                }
            }
        }
    }

    End
    {
        if ($Array.Count -ne 0)
        {
            # -Append keeps rows from earlier runs and only writes the header when the file is empty
            $Array | Export-Csv -Path $CSVFile -NoTypeInformation -Append
            Write-Verbose "Exported $($Array.Count) new keys!"
        }
        else
        {
            Write-Verbose "No new keys"
        }
    }
}

Running this script daily on a DC is a simple way of keeping an extra backup of all your keys. Just remember to treat the list the same way you treat your domain admin password: with care!
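One way to apply the file permissions the post asks for, as an added example that is not part of the original script: it disables inheritance on the export file and leaves only SYSTEM and Domain Admins with access. The path and the allowed identities are assumptions; adjust them to your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original script: lock the export file down so that
# only the identities listed below can read the clear-text recovery passwords.
function Protect-BitlockerExportFile
{
    [CmdletBinding()]
    Param
    (
        # Assumed to match the $CSVFile default used by Export-BitlockerRecoveryKeys
        $Path = "c:\scripts\BitlockerExport.csv",
        # Assumed set of principals allowed on the file; resolved at call time
        [string[]]$AllowedIdentities = @("NT AUTHORITY\SYSTEM", "$((Get-ADDomain).NetBIOSName)\Domain Admins")
    )

    if (-not (Test-Path $Path))
    {
        $null = New-Item -Path $Path -Force -ItemType File
    }

    $Acl = Get-Acl -Path $Path

    # Stop inheriting from the parent folder and discard the inherited entries
    $Acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries that remain (e.g. from an earlier run)
    foreach ($Rule in @($Acl.Access))
    {
        $null = $Acl.RemoveAccessRule($Rule)
    }

    # Grant full control to the allowed identities only
    foreach ($Identity in $AllowedIdentities)
    {
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, "FullControl", "Allow")
        $Acl.AddAccessRule($Rule)
    }

    Set-Acl -Path $Path -AclObject $Acl

    # Return the effective entries so the result can be checked or logged
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

Run it once after the first export and re-run it if the file is ever recreated, since a new file inherits the folder's permissions again.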
