27 July 2018

Cleaning Up and Automating the Backup of Bitlocker Passwords to Active Directory

Recently, I was reviewing the BitLocker recovery password backups. We still use Active Directory to store them, and yes, we are planning to move to MBAM; that is a ways off, as we are in the middle of the Windows 10, Exchange 2016 and Office 2016 migrations. While looking over the AD backups, I noticed that some machines had multiple recovery passwords stored, because the systems had been reimaged, and some had outright duplicates.

To solve this, I was initially going to write a PowerShell script that deleted the AD entry during the task sequence build so each machine started with a clean slate. During testing, I ran into other issues that needed handling in the script, so a one-liner was out of the question. In the end, the script cleaned up our Active Directory BitLocker password entries and verified that every stored password was valid.

This script I have written does the following:

  1. Queries the BitLocker recovery password and its key protector ID from the local system.
  2. Queries Active Directory for the backed-up BitLocker ID(s) and password(s) stored under the computer object.
  3. Cycles through the AD entries and deletes any that do not match the locally stored ones, plus any duplicates of a matching entry, leaving exactly one copy.
  4. Queries Active Directory again to confirm the stored ID and password now match the local ones.
  5. If no entry exists in AD, the local info is backed up to AD and the backup is verified. If an entry exists but does not match, it is deleted first and the current key is then uploaded.
  6. If error -2147024809 (0x80070057, E_INVALIDARG) is returned during the backup, the script checks whether BitLocker is enabled and reports that the system is not BitLockered if it is not; otherwise an unspecified-error message is displayed.
  7. Return codes: 0 when the local and AD info match (the info is displayed on the screen), 3 when BitLocker is not enabled on the machine, and 2 on an unspecified error. These codes let a task sequence, or whatever calls the script, flag problems during a build.
This script needs an account with rights in Active Directory, so it cannot run as the local SYSTEM account. The Scripts section of SCCM runs as SYSTEM, and the same goes for an SCCM package, so the only way to execute it through SCCM is in a task sequence: use a Run Command Line step and specify a domain account under "Run this step as the following account", as shown below. The same has to be done in MDT and/or SCCM to clean up Active Directory when building a new system. Strictly, the account only needs to read, create and delete msFVE-RecoveryInformation objects under the computer accounts it services (deleting the stale entries is the part the computer account itself cannot do); delegating just those rights to a dedicated account on the computers OU avoids putting Domain Admin credentials into a task sequence step.
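The reconciliation described above, written as an added PowerShell example; this is not the author's script (that is the one linked on GitHub below). It assumes the RSAT ActiveDirectory module and the built-in BitLocker module (Windows 8 / Server 2012 or later, PowerShell 5 for `[guid]::new`), and an account that can read, create and delete msFVE-RecoveryInformation objects under the computer object. It calls `Backup-BitLockerKeyProtector` rather than the WMI `BackupRecoveryInformationToActiveDirectory` method, so the raw -2147024809 HRESULT check in the post becomes a terminating error caught by try/catch. The exit codes follow the post.

```powershell
#Requires -Modules ActiveDirectory, BitLocker
<#
 Added example, not the script the post links on GitHub.
 Reconciles the recovery password protector(s) on one volume with the
 msFVE-RecoveryInformation objects stored under this computer's AD object.
 Assumptions: RSAT ActiveDirectory module and the built-in BitLocker module are
 available, and the running account can read, create and delete
 msFVE-RecoveryInformation objects under the computer object.
 Exit codes follow the post: 0 = AD matches local, 2 = unspecified error,
 3 = BitLocker is not enabled on the volume.
#>
param([string]$MountPoint = $env:SystemDrive)

try {
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
} catch {
    Write-Error "Cannot query BitLocker on ${MountPoint}: $_"
    exit 2
}

# 1. Local recovery password protector(s); a volume that is not BitLockered has none.
$local = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($volume.ProtectionStatus -ne 'On' -or $local.Count -eq 0) {
    Write-Output 'System is not BitLockered'
    exit 3
}

# 2. What AD currently holds for this computer. msFVE-RecoveryGuid is stored as raw
#    bytes, so it is normalised to the {GUID} string form that KeyProtectorId uses.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
function Get-AdRecoveryInfo {
    Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ProtectorId       = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString('B')
            Password          = $_.'msFVE-RecoveryPassword'
        }
    }
}

# $true only when an AD entry's protector ID *and* 48-digit password match a local protector.
function Test-MatchesLocal($entry) {
    $p = $local | Where-Object KeyProtectorId -eq $entry.ProtectorId | Select-Object -First 1
    return ($null -ne $p) -and ($p.RecoveryPassword -eq $entry.Password)
}

# 3. Delete AD entries that do not match a local protector, and all but one copy of
#    any that do (duplicates). This is the step that needs delete rights in AD.
$kept = @{}
foreach ($entry in Get-AdRecoveryInfo) {
    if (-not (Test-MatchesLocal $entry)) {
        Write-Output "Removing stale entry $($entry.ProtectorId)"
        Remove-ADObject -Identity $entry.DistinguishedName -Confirm:$false
    } elseif ($kept.ContainsKey($entry.ProtectorId)) {
        Write-Output "Removing duplicate entry $($entry.ProtectorId)"
        Remove-ADObject -Identity $entry.DistinguishedName -Confirm:$false
    } else {
        $kept[$entry.ProtectorId] = $true
    }
}

# 4. Back up every local protector that AD is now missing.
foreach ($protector in $local) {
    if ($kept.ContainsKey($protector.KeyProtectorId)) { continue }
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Backed up $($protector.KeyProtectorId) to AD"
    } catch {
        Write-Error "Backup of $($protector.KeyProtectorId) failed: $_"
        exit 2
    }
}

# 5. Re-read AD and verify: exactly one matching entry per local protector.
$final = @(Get-AdRecoveryInfo)
foreach ($protector in $local) {
    $hits = @($final | Where-Object { $_.ProtectorId -eq $protector.KeyProtectorId -and (Test-MatchesLocal $_) })
    if ($hits.Count -ne 1) {
        Write-Error "Verification failed for $($protector.KeyProtectorId): $($hits.Count) matching entries in AD"
        exit 2
    }
    Write-Output "Verified $($protector.KeyProtectorId) against AD"
}
exit 0
```

Run it as a Run Command Line task sequence step (`powershell.exe -ExecutionPolicy Bypass -File Sync-BitLockerAd.ps1`) under the delegated account; a non-zero exit code fails the step. The example deliberately prints only the protector ID, not the 48-digit password, because task sequence output ends up in smsts.log and anyone who can read that log would otherwise have the recovery key.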



You can download the script from my GitHub site


