Although backing up the BitLocker recovery key should be automatic to ensure all keys are accounted for, I have had a moment where I needed to back up the key manually. Although it’s a task you shouldn’t need to do very often, if at all, it is in fact a very easy task to accomplish.
With more and more cmdlets being added to PowerShell, most BitLocker administration can now be done from the BitLocker module without touching manage-bde. Before the recovery key can be backed up, the drive must be unlocked so that its key protectors can be read. An internal OS drive is normally unlocked during boot, either after the pre-boot PIN is entered or automatically by the TPM.
Once the drive is unlocked and can be read, open an elevated (administrator) PowerShell window. Get-BitLockerVolume is the main cmdlet we will use for backing up the key; its -MountPoint parameter selects the drive we want to work with, and running it against C: gives an overview of how BitLocker is configured on that drive (protection status, lock status, encryption method and the list of key protectors).
Saving that output to a variable lets us pick out individual properties later, in particular the key protector IDs.
$KEY = Get-BitLockerVolume -MountPoint "C:"
Now that we have the overview of the drive, we need to pinpoint the recovery key protector and back it up to AD. This is easily achieved with the Backup-BitLockerKeyProtector cmdlet, which escrows the recovery password for a given key protector ID into the computer object in Active Directory.
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KEY.KeyProtector.KeyProtectorId
The above command backs up the key protector whose ID is held in the variable we created in the previous step: it takes the KeyProtectorId attribute from the stored volume object and writes the matching recovery password to AD. Two caveats: $KEY.KeyProtector.KeyProtectorId returns one ID per key protector, so on a drive with more than one protector (TPM plus a recovery password is the usual case) filter on KeyProtectorType -eq 'RecoveryPassword' before passing the ID, and only RecoveryPassword protectors can be backed up to AD; a TPM or PIN protector cannot. The computer must also be domain-joined and the domain schema must contain the BitLocker recovery attributes (msFVE-RecoveryInformation), which has been the case since the Windows Server 2008 schema. The full command is below:
$KEY = Get-BitLockerVolume -MountPoint "C:"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KEY.KeyProtector.KeyProtectorId
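The following is an added example, not code from the original post, that carries the same procedure through for the realistic case where C: has several key protectors. It checks that the volume is unlocked, selects only the RecoveryPassword protectors (the only type AD can store), backs each one up individually, and optionally lists the resulting msFVE-RecoveryInformation objects under the computer account. It assumes an elevated PowerShell session on a domain-joined machine; the AD verification step assumes the ActiveDirectory RSAT module is installed and that the account running it can read the computer object’s child objects.

```powershell
# Added example (not from the original post): back up every recovery-password
# protector on a volume to AD DS, one protector at a time.
# Assumptions: elevated session, domain-joined computer, BitLocker module present.
$MountPoint = "C:"
$Volume = Get-BitLockerVolume -MountPoint $MountPoint

# Key protectors are only readable once the volume is unlocked.
if ($Volume.LockStatus -ne 'Unlocked') {
    throw "$MountPoint is locked; unlock it first (Unlock-BitLocker) so its key protectors can be read."
}

# Only RecoveryPassword protectors can be escrowed to AD DS. Filtering by type also
# avoids passing an array of IDs (TPM + RecoveryPassword) to a parameter that expects one string.
$RecoveryProtectors = $Volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $RecoveryProtectors) {
    throw "No RecoveryPassword protector on $MountPoint; add one with 'Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector' and re-run."
}

foreach ($Protector in $RecoveryProtectors) {
    Write-Host "Backing up recovery password protector $($Protector.KeyProtectorId) to AD DS"
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Protector.KeyProtectorId | Out-Null
}

# Optional verification (assumes the ActiveDirectory RSAT module and read rights on the
# computer object): each escrowed password is a msFVE-RecoveryInformation child object
# whose name contains the backup timestamp and the protector GUID.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $Computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $Computer.DistinguishedName `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties whenCreated |
        Select-Object Name, whenCreated
}
```

The per-protector loop matters because Backup-BitLockerKeyProtector takes a single protector ID; if a drive has had its recovery password rotated, it can carry more than one RecoveryPassword protector, and each needs its own backup call for AD to hold a copy of it.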
AD Users & Computers | Recovery Key