19 January 2018

PowerShell Backup Bitlocker Recovery Password One-Liner

While writing the solution for a secure and safe deployment of BIOS updates, I had to come up with a one-liner to backup the Bitlocker recovery password to a file named <computer name>.txt in a secured UNC path. Yes, we already have MBAM, but I wanted an extra layer of safety in the event something went wrong when applying the BIOS updates to the Bitlockered machines, thereby requiring the recovery password. Also, there are a lot of admins who work at companies which do not have products such as SCCM and MBAM. The reason the PowerShell Bitlocker CMDLETS were not used is that this is designed to run on Windows 7, 8, 8.1, and 10 operating systems.

To use the one-liner below, you will need to update the portion in yellow to the UNC path of your desire. This can be used deployed through SCCM to machines to backup their recovery keys. I used this in a task sequence.

powershell.exe -command "&{(manage-bde -protectors -get $env:HOMEDRIVE -id ((Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume').GetKeyProtectors(3).volumekeyprotectorID) | Where-Object { $_.trim() -ne '' }).Trim() | Where-Object { (($_ -like '*-*') -and ($_ -notlike '*ID*')) } | Where-Object { $_.trim() -ne '' } | out-file -filepath \\UNCPATH\$env:computername'.txt' -encoding UTF8 -Force}"


Post a Comment